Analysis
max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 07:44

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Resource: win7-20240221-en

General
Target: 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: acb1f7d26450cb2a2d2b2896edf0c2d5
SHA1: 6d98a31934cbbd6a9973efe436ce5e87ea466450
SHA256: d47f10e5f37f83420cf5159ceae94d00b4695ea7853d20b27a37d1c239b1494d
SHA512: 3d4540c859105c3b0b1a611346e182ddb5fb2db94f2f265390211a422394cd92b1942ba46e203c8c606e1131a27db348a1b0dfe5c9607239d9b1c623b0ed6a70
SSDEEP: 196608:xP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018Q:xPboGX8a/jWWu3cI2D/cWcls1
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Processes:
Loads dropped DLL (55 IoCs)
Processes:
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Drops file in System32 directory (22 IoCs)
Processes:
Drops file in Program Files directory (64 IoCs)
Processes:
Drops file in Windows directory (64 IoCs)
Processes:
Modifies data under HKEY_USERS (64 IoCs)
Processes:
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
ehRec.exe, 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
pid Process
1508 ehRec.exe
1208 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe (×25)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe, mscorsvw.exe, mscorsvw.exe, EhTray.exe, ehRec.exe, msiexec.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, wmpnetwk.exe, alg.exe
description pid Process
Token: SeTakeOwnershipPrivilege 1208 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: 33 1296 EhTray.exe
Token: SeIncBasePriorityPrivilege 1296 EhTray.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe (×3)
Token: SeShutdownPrivilege 1732 mscorsvw.exe (×2)
Token: SeDebugPrivilege 1508 ehRec.exe
Token: SeRestorePrivilege 2328 msiexec.exe
Token: SeTakeOwnershipPrivilege 2328 msiexec.exe
Token: SeSecurityPrivilege 2328 msiexec.exe
Token: SeBackupPrivilege 2688 vssvc.exe
Token: SeRestorePrivilege 2688 vssvc.exe
Token: SeAuditPrivilege 2688 vssvc.exe
Token: SeBackupPrivilege 1968 wbengine.exe
Token: SeRestorePrivilege 1968 wbengine.exe
Token: SeSecurityPrivilege 1968 wbengine.exe
Token: 33 1296 EhTray.exe
Token: SeIncBasePriorityPrivilege 1296 EhTray.exe
Token: SeManageVolumePrivilege 1680 SearchIndexer.exe
Token: 33 1680 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1680 SearchIndexer.exe
Token: 33 576 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 576 wmpnetwk.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeDebugPrivilege 1208 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe (×5)
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe (×7)
Token: SeDebugPrivilege 2564 alg.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe (×5)
Token: SeShutdownPrivilege 1732 mscorsvw.exe (×3)
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: SeShutdownPrivilege 3012 mscorsvw.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EhTray.exepid Process 1296 EhTray.exe 1296 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
EhTray.exepid Process 1296 EhTray.exe 1296 EhTray.exe -
Suspicious use of SetWindowsHookEx 24 IoCs
Processes:
SearchProtocolHost.exe, SearchProtocolHost.exe
pid Process
1388 SearchProtocolHost.exe (×5)
2464 SearchProtocolHost.exe (×17)
1388 SearchProtocolHost.exe
2464 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mscorsvw.exe, SearchIndexer.exe, mscorsvw.exe
description pid Process procid_target
PID 3012 wrote to memory of 2680 3012 mscorsvw.exe 45 (×3)
PID 3012 wrote to memory of 2508 3012 mscorsvw.exe 48 (×3)
PID 1680 wrote to memory of 1388 1680 SearchIndexer.exe 61 (×3)
PID 1680 wrote to memory of 2592 1680 SearchIndexer.exe 62 (×3)
PID 1732 wrote to memory of 1420 1732 mscorsvw.exe 66 (×4)
PID 1732 wrote to memory of 1776 1732 mscorsvw.exe 64 (×4)
PID 1732 wrote to memory of 2628 1732 mscorsvw.exe 82 (×4)
PID 1732 wrote to memory of 1420 1732 mscorsvw.exe 66 (×4)
PID 1732 wrote to memory of 608 1732 mscorsvw.exe 67 (×4)
PID 1732 wrote to memory of 528 1732 mscorsvw.exe 68 (×4)
PID 1732 wrote to memory of 2440 1732 mscorsvw.exe 69 (×4)
PID 1732 wrote to memory of 2252 1732 mscorsvw.exe 71 (×4)
PID 1680 wrote to memory of 2464 1680 SearchIndexer.exe 70 (×3)
PID 1732 wrote to memory of 1816 1732 mscorsvw.exe 78 (×4)
PID 1732 wrote to memory of 2832 1732 mscorsvw.exe 73 (×4)
PID 1732 wrote to memory of 2740 1732 mscorsvw.exe 74 (×4)
PID 1732 wrote to memory of 1564 1732 mscorsvw.exe 75 (×4)
PID 1732 wrote to memory of 2400 1732 mscorsvw.exe 76
-
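The AdjustPrivilegeToken and WriteProcessMemory lists above are extracted as run-on text, which is hard to triage by eye. The Python script below is an added example written for this page (it is not part of the sandbox report or any vendor tooling): it parses "Token: <privilege> <pid> <image>" entries and "PID <ppid> wrote to memory of <child> <ppid> <image> <procid_target>" entries in exactly the format the report uses, rebuilds a per-process privilege table and a parent-to-child edge list, and flags processes that enabled privileges an analyst would want explained (SeDebugPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege and a few others). The sandbox prints some privileges as bare LUIDs; the script maps 33 to SeIncreaseWorkingSetPrivilege, which is SE_INC_WORKING_SET_PRIVILEGE in winnt.h. SAMPLE is a constructed excerpt shaped like this report (with the sample's image name shortened), and the allow-list passed to flag_high_value (vssvc.exe, msiexec.exe) is an assumed analyst choice, not something the report states.

```python
"""Parse the flattened AdjustPrivilegeToken and WriteProcessMemory IoC text of a
sandbox report into a per-process privilege table and a parent->child edge list,
then flag processes that enabled high-value privileges."""
import re
from collections import defaultdict

# Privileges worth a second look when an unexpected process enables them.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
    "SeBackupPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeManageVolumePrivilege",
}
# The sandbox leaves some privileges as numeric LUIDs; 33 is
# SE_INC_WORKING_SET_PRIVILEGE in winnt.h.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
# The parent pid is printed twice per entry; the backreference enforces that.
WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\1\s+(\S+)\s+(\d+)")


def parse_privileges(text):
    """Return {(pid, image): {privilege: count}} from 'Token:' entries."""
    table = defaultdict(lambda: defaultdict(int))
    for priv, pid, image in TOKEN_RE.findall(text):
        table[(int(pid), image)][LUID_NAMES.get(priv, priv)] += 1
    return {k: dict(v) for k, v in table.items()}


def parse_wpm(text):
    """Return {(ppid, image): {(child_pid, procid_target): count}}. The same
    write is reported several times, so the count is kept rather than dropped.
    procid_target is the sandbox's stable id; pids are reused within a run."""
    edges = defaultdict(lambda: defaultdict(int))
    for ppid, cpid, image, target in WPM_RE.findall(text):
        edges[(int(ppid), image)][(int(cpid), int(target))] += 1
    return {k: dict(v) for k, v in edges.items()}


def flag_high_value(priv_table, allow_images=()):
    """Return [(pid, image, sorted high-value privileges)], skipping images the
    analyst has allow-listed (assumed choice, e.g. the backup services)."""
    allow = {a.lower() for a in allow_images}
    hits = []
    for (pid, image), privs in priv_table.items():
        if image.lower() in allow:
            continue
        hv = sorted(p for p in privs if p in HIGH_VALUE)
        if hv:
            hits.append((pid, image, hv))
    return sorted(hits)


# Constructed excerpt in the report's run-on format (not the report's own text);
# the sample's image name is shortened to sample_magniber_revil.exe.
SAMPLE = """
Token: SeTakeOwnershipPrivilege 1208 sample_magniber_revil.exe Token: SeShutdownPrivilege 1732 mscorsvw.exe
Token: 33 1296 EhTray.exe Token: SeDebugPrivilege 1508 ehRec.exe Token: SeRestorePrivilege 2328 msiexec.exe
Token: SeBackupPrivilege 2688 vssvc.exe Token: SeDebugPrivilege 1208 sample_magniber_revil.exe Token: SeDebugPrivilege 1208
sample_magniber_revil.exe Token: SeDebugPrivilege 2564 alg.exe
PID 3012 wrote to memory of 2680 3012 mscorsvw.exe 45 PID 3012 wrote to memory of 2680 3012 mscorsvw.exe 45 PID
3012 wrote to memory of 2680 3012 mscorsvw.exe 45 PID 1680 wrote to memory of 1388 1680 SearchIndexer.exe 61
"""

if __name__ == "__main__":
    privs = parse_privileges(SAMPLE)
    for pid, image, hv in flag_high_value(privs, allow_images=("vssvc.exe", "msiexec.exe")):
        print(f"{pid:>5} {image}: {', '.join(hv)}")
    for (ppid, image), children in parse_wpm(SAMPLE).items():
        for (cpid, target), n in children.items():
            print(f"{image}[{ppid}] -> {cpid} (procid_target {target}, reported {n}x)")
```

Run against this report, the privilege side singles out the sample itself (pid 1208: SeTakeOwnershipPrivilege once, SeDebugPrivilege five times; the first lets a process take ownership of objects its DACL would otherwise deny, the second lets it open any process), ehRec.exe (1508: SeDebugPrivilege) and alg.exe (2564: SeDebugPrivilege), the last of which the Executes dropped EXE signature lists as a dropped binary. The WriteProcessMemory edges shown are all mscorsvw.exe spawning its own NGen worker processes and SearchIndexer.exe spawning SearchProtocolHost.exe, which is ordinary service behaviour; the edge list is mainly useful for confirming that nothing else wrote into another process. Key on procid_target rather than pid when correlating with the process tree: pids 1420, 1816 and 2628 each appear twice in this run.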
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. For a sample whose name tags it magniber_revil these two signatures matter, because ransomware families routinely delete shadow copies so the victim cannot roll files back; on their own, though, they only show that VSS was touched. The report lists vssvc.exe and wbengine.exe among the executed dropped binaries, each enabling SeBackupPrivilege and SeRestorePrivilege, and the portion of the process tree reproduced below contains no vssadmin or wmic command line, so confirm from the full tree what was actually done to the shadow copies before recording this as shadow-copy destruction.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2492
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2604
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3052
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 254 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 268 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 290 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2248
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 26c -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 260 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1576
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2680
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2508
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 1e4 -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1892
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1376
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1dc -Pipe 230 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 204 -Pipe 228 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2400
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 240 -Pipe 200 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1056
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 204 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:780
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 25c -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:436
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 25c -Pipe 204 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2256
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"2⤵PID:528
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2312
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:1484
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:768
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"2⤵PID:2804
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"2⤵PID:1300
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 22c -Comment "NGen Worker Process"2⤵PID:1316
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 2ac -Pipe 280 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:860
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"2⤵PID:1188
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 254 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"2⤵PID:2552
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:960
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a4 -NGENProcess 2bc -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:2412
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2208
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:2440
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 254 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2404
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:2112
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d8 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1936
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2876
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:2588
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e4 -NGENProcess 2d8 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:2716
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:1284
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2b0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:2300
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1444
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:676
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:3056
-
-
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1356)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 2d0 -Pipe 2f0 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2440)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2580)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2b4 -NGENProcess 2d0 -Pipe 2e8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2384)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 310 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2892)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2c8 -NGENProcess 2d0 -Pipe 30c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2748)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 318 -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2216)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 314 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2264)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d0 -Pipe 2fc -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2648)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 2b4 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1444)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:768)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 31c -NGENProcess 2d0 -Pipe 330 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:960)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2fc -NGENProcess 32c -Pipe 318 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2708)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 32c -NGENProcess 324 -Pipe 338 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1284)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2f4 -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1220)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2fc -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1744)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 304 -NGENProcess 334 -Pipe 308 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1904)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 344 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1832)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 340 -Pipe 328 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2428)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 304 -NGENProcess 350 -Pipe 344 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2076)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 31c -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2904)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 358 -Pipe 304 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2120)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 324 -NGENProcess 340 -Pipe 2fc -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1420)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 31c -Pipe 2f4 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1404)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 31c -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1616)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 31c -NGENProcess 35c -Pipe 340 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:780)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 348 -NGENProcess 34c -Pipe 354 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2312)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 36c -NGENProcess 334 -Pipe 350 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2076)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 31c -NGENProcess 364 -Pipe 348 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1636)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 368 -Pipe 374 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2764)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 34c -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:976)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 378 -NGENProcess 31c -Pipe 360 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1916)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 31c -NGENProcess 324 -Pipe 380 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2500)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 194 -NGENProcess 37c -Pipe 334 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2020)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 384 -NGENProcess 34c -Pipe 36c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1300)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 324 -Pipe 368 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:936)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 35c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1636)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 37c -NGENProcess 194 -Pipe 394 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2248)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 390 -Pipe 31c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:2604)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 37c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2, PID:1664)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 364 -NGENProcess 390 -Pipe 34c -Comment "NGen Worker Process"
C:\Windows\system32\dllhost.exe (depth 1, PID:2624)
  C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\ehome\ehRecvr.exe (depth 1, PID:2428)
  C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\ehome\ehsched.exe (depth 1, PID:1728)
  C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

C:\Windows\eHome\EhTray.exe (depth 1, PID:1296)
  "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1, PID:1532)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

C:\Windows\system32\IEEtwCollector.exe (depth 1, PID:1832)
  C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE

C:\Windows\ehome\ehRec.exe (depth 1, PID:1508)
  C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (depth 1, PID:1660)
  "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1, PID:3040)
  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

C:\Windows\System32\msdtc.exe (depth 1, PID:2704)
  C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\msiexec.exe (depth 1, PID:2328)
  C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1, PID:2332)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (depth 1, PID:2724)
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe (depth 1, PID:964)
  C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

C:\Windows\system32\locator.exe (depth 1, PID:3016)
  C:\Windows\system32\locator.exe
  - Executes dropped EXE

C:\Windows\System32\snmptrap.exe (depth 1, PID:2060)
  C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

C:\Windows\System32\vds.exe (depth 1, PID:2480)
  C:\Windows\System32\vds.exe
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe (depth 1, PID:2688)
  C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (depth 1, PID:1968)
  "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID:2224)
  C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe (depth 1, PID:576)
  "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SearchIndexer.exe (depth 1, PID:1680)
  C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\SearchProtocolHost.exe (depth 2, PID:1388)
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx

  C:\Windows\system32\SearchFilterHost.exe (depth 2, PID:2592)
    "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
    - Modifies data under HKEY_USERS

  C:\Windows\system32\SearchProtocolHost.exe (depth 2, PID:2464)
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 706KB
MD5: 27d78cbf9db39aac84c652bead8fa587
SHA1: c579d4be851e090e3c79b3a8f96a00d1f3dea19f
SHA256: a4a25083bf43f730dabbd562965f843d838b6e86a6455acb449b86d45ba4adda
SHA512: 5d9f49a55aa2a0c583810628dfa5bc50bf2630bb2267c879d732eeb78bb5c49f7c96f0ca570886938cad1a2536bc3c001120c1cfb0e715c2a4cbf73fe0fa19d5

Filesize: 30.1MB
MD5: 718a092503c96cbd59e954f3168f306c
SHA1: 75c6784e04a99b644e8a765baba6faefca56b893
SHA256: 8d119ae6bd094b141a190716ab7518b5960f9b1706691d04e3c911ec7a4e14dc
SHA512: f91215db9d9c5f297e46f23041c4b7dfcc845cc189dda943be82eec47f7b7ac1182a8d106ce9a2afc3c1fe38618a80417fe4e68db3ff8a1f3273cfa9701a54e0

Filesize: 781KB
MD5: ce2c6d4b96d28a7a797d59daa047c132
SHA1: 6c388cd11b2f0a4c58591332586fc6222632e087
SHA256: 7bff9cfbed75226c0a5ce5c6b9d44d2de04414143257ebffd2b62f7b61a495a3
SHA512: d1402798da69dfabf757f66d0fa3c082d23a69613a5cc9865c7345764d7298088166bf649b9afecd1edad141a5c899ba7b54073ed9d98cf0f44a13fb0201d504

Filesize: 5.2MB
MD5: 32182ae49a467346baca48cca1461226
SHA1: 5dedb4e72e463125820e73fe3171757280d2ae2a
SHA256: 425744591984b32c108a019b32f00335bc8cf1c1b3580c420f9c15349e7e4348
SHA512: 471c57ce325fd9a3882efd6b52df63fcb0b6e832ede8fd341a083f16feb47dcd4ea7f8aa91ed1288e3d11dcd8249b9cbbda71542ed36eaa61707dca43f0dea6f

Filesize: 2.1MB
MD5: e9cccaff9e78424d382a78da868cf485
SHA1: e816229d61c12082bdb793c9ad71157be0b9b044
SHA256: c1ddf404b43aa6fd4d98fe63cbd1e3e4edfeed8d63afac339db1356514633a08
SHA512: 3c5a78b0702b00d6a9b810ed110ce2cc9dcb915f90f21000a58739dddb1056d7349347aad52eaa1b41e286b454c255572c8501a38280de5851cbe5bf4be7f3f2

Filesize: 2.0MB
MD5: ad22841c27e8d466a36b662e68501507
SHA1: e8f48b17717f80c8ace637b8559fd752416a0355
SHA256: 9510dd0bd8d9747f2bbcef39bb46ff37c5b4aee2c8a9d7db802f360bdd55895b
SHA512: 7be7dd544dd756cfdf54727c2e202aa6357dd591e8635580e14b26e452a34e2a05bde030539eeb53ea4bc824b435fa7a0838491375f343d63182b34e1aa029c2

Filesize: 1024KB
MD5: e4e8bd22f7cb41cb482ed6d096f5454a
SHA1: fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA256: 4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512: a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Filesize: 648KB
MD5: b4638f54647875bbfafdd2582e49b7c5
SHA1: cad6002d75e27390c1b1dc79c5ddf50d92a8cf8f
SHA256: 4eb298cec010f7756c061bfec33bd5905c2d4ff26d406821e7caf771e52ea245
SHA512: a7fc42c092e904140c36595c66523098551af1c364e61656fe0bc9c88eac394c57a3f539ad4d6dee0fe36bee9289993cb5225e7412b8af56229f7758e0e7aaff

Filesize: 872KB
MD5: fcc00f0d5b1d1078ab706422a88c43cc
SHA1: 02e4a35fde91061fb06346742b937867f5412d20
SHA256: 0f5499e33d9d056b0ac605041ddfb37bbfb154604077583077db813d58eebbed
SHA512: e77388b3e810dad3968d1a35bb019466fd807f5e46fb6ef4aead1840b8793f5a505f8e6a2b2ecb38e7373f31cacb5ae76b9e4607b776de94f8d0e4e48d4451d1

Filesize: 678KB
MD5: cc2b29df4056c16ea21d583795065dcc
SHA1: f36dddc5a278e3998ece95344f2bb555c027c1d0
SHA256: e00c115e019b078ba6938e723051cc18beedfbfdd90f2a3f5b05b257956be999
SHA512: 47aaea005c4197dab51f7ac432ab701625cbf046ce953afafc699f9979714702d05ec2a52afa0b6a51cc04bff794e44a9bcd4b04b21974ea32386e283f25e485

Filesize: 8KB
MD5: 4b5ec2fe0b3015d24bb511ae8b4029e0
SHA1: a575f71350950b32b216ece3c69cfbb63d69fb82
SHA256: 9d1171d6f4e435cad073bf167db6d3d07ad11798cda6facbb8a88d37f42f69ff
SHA512: 9f1edc54db57aaa82414439eba774c647b43e133567fe8fa2cc5411c48c894926cfcf7c2a980bbab87f77a0e2eaa64735fdf6bc54ce7ecc6fb835ba672043202

Filesize: 625KB
MD5: 91150f26c4c8f1086b13fabe08285637
SHA1: 7e6ed901fbce931401179916ffe72b0b15fc0a1d
SHA256: 6eca5ecde3640773fe64e34c9011a654080af242596e9a6702976508f526650f
SHA512: cb6d980da81fa892acc69a66a1c2c180137e3f6f78f66132dd7d4ab29f228297a9e8330f6dc16a906c1fb64dbd273904365e08c735c4559ef4b92be39666f616

Filesize: 1003KB
MD5: 8b4b1e0b3d31c8d3ef228a324a90351c
SHA1: e999be4f3582570248c79cd6555d127fa3bed4a2
SHA256: ec2907447ca48f7de4e16401d88f86f7e4ade6ec28626026d569474f833ede1d
SHA512: 2265db41734c2e3753e7e51100dba18e8ff88abb3d42f55780cafee713c5061a930b556a68649c49443fc9367c45a46d830ba17f4bddbe713966dd5e04635172

Filesize: 656KB
MD5: 5fd83885b71811123d4aa12b16789411
SHA1: 7df4ec6c687511928f1eec31f9a7559f08ecfb1e
SHA256: c9fa7533f944222356bd3d8e2e5f8fca7e47e8c3cd8c3245d1d7156f49162262
SHA512: 237257ee8979780f5637fed781eb1bd4765ccbb70c23811838dd5cad6ad55fac12f3ea1b12dbcd8b0d7b37a694b3369b133fe60af273ffac5e47d1fe8d308ed4

Filesize: 587KB
MD5: fe1fe129ed3b705eba51064d13d7ab09
SHA1: 5ad77c5ea83848cafbd6cf2a95f0e89bb768522a
SHA256: b9625e157897c81e4e83fbdde916729e1f890a6d3adcd90b06aef44529a385bc
SHA512: 9b3c011ec0a1b16fb630386062f6271dfbaff1db90c7dc193a0404092c2607f6dddbb0792314e24924f055eba792b38d3e062c1bdda63b7e068b670ca355aefc

Filesize: 577KB
MD5: 4ac72504f37df801006d6d7cdfdb1e93
SHA1: 0166fb6cdbbf9d30a69e470e3e33f3bc02da0357
SHA256: febe0cecd1db444bd8fcf78fb8352d2ba7588de6b9dbcbf7100ae69a250eea5e
SHA512: 1760d40708a2614aa9156d1cda2d73ac1856e028c473ba97e52d07ed5bf2975151dd15dbffaaa07406634ff37531dfee276f952e8e5a6b7123168f2f0a339fe3

Filesize: 1.1MB
MD5: 12dda0db7c3094a2d2c7fd19d81d81b8
SHA1: 5a8f46df3821c10804846e6e8b8e6e3d2dc0adb6
SHA256: b18e19145f70737e13d1dec5219201e40c7a05450a3ec08baf190606a2d21a71
SHA512: a6c005e2c7aa511d641869955ec400c4e84367b0725b201d4cb93d165d57f4a9b4266b184806306d7839b30e47b0739ef9f7d2a0fe8ae5998449be38add4a9bd

Filesize: 2.1MB
MD5: 4b36ea9fade5ce76e72c06856c372ed7
SHA1: 98e47a96ab7f5a128cdaf4926c624014250179a6
SHA256: 386a4738a80201ac7ee0cbd3854e45795d36ef1e0bc87f32dd8561ebae2807b1
SHA512: c9a5fd14849923d6ea2387f3b22b6c6ee4b447b59ca9c597e794007f731ed4f11e1a7463c8f389ceae97fe25314fe4636173c30bc4cb105b26a6a7d72c70a3bb

Filesize: 644KB
MD5: b539279e4d38f98c466e8471cdf9b404
SHA1: 5e32b880de87d8e0e142aef1cf3241ab9cfea915
SHA256: e387496e8f2f00cc115325e80fd62e725f10447b4b55e31c841aadca110c683d
SHA512: 5a79ed90008c87ed87748914e44b963eb7bca59eadcdd979de05ef025b1a0ae110f7eb02f40bef19b25dfc075cc733d94a4d1d34f8aae64e5ae18108861acd49

Filesize: 577KB
MD5: 1390791141c0d1c411e29d4f53c39f4f
SHA1: 69eedd05e046ee5d362d363ba5c9f207a251b842
SHA256: 11d2f0a2203e9311757de5cd297713183bb9525f2058c8cf8cb987fb00f083c9
SHA512: ef893116a2f5783374f2896e139042a3e0fc775d5daf2463f31e331c69a4068934f982269a760437a3d46408d7ba14105471199927f2c9d29bc68b61b2377d1c

Filesize: 1.1MB
MD5: 56984312ce250e7ee0cfb036c3cb036f
SHA1: 75519980f946755a5d35e9415dff7e8880414028
SHA256: a6409cb04b9c52a76b62ea950eacaeb8d70ff07cd29ba22d555aa959a3ff0206
SHA512: 86511dad07fe500f59da9af4e9a5a297686f974a2541c7424cb1501c8820b1ca427634520cecec513adba537461a5d5ed4ae37aa287f535a01808dc0b3f5e4e6

Filesize: 2.0MB
MD5: c39edf361dc7d60e6793642866731615
SHA1: b00b982b534fe994e542e85dddb3da1b812dbe50
SHA256: 599f32f6f359160177632fbc5f97a0effe9c91089e4509480e43e4d2c15fbd37
SHA512: 299354f63de39c5f49c2c8500a0918a659384fb989b5022bcb8ae781a87bd6d0ad98b512372184b6d04c012843d53f64a9ca9ed5e290b7bed5890504b31d2905
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize: 105KB
MD5: d9c0055c0c93a681947027f5282d5dcd
SHA1: 9bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256: dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA512: 5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize: 248KB
MD5: 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1: f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256: c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512: c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: 3d6987fc36386537669f2450761cdd9d
SHA1: 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256: 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512: 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize: 205KB
MD5: 0a41e63195a60814fe770be368b4992f
SHA1: d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256: 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512: 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1955bcce45d6b1058996298f74f5c446\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize: 271KB
MD5: 1f99ced329572163f0cecfe3f908cd2a
SHA1: 8684f050e03b110a1cfedc1409e7662080ef8d7e
SHA256: ef04f0affb3d17766ccb0b385a47421a1b7df32056f7854b6d8ea808bccd75f6
SHA512: 4d582aa340198fd01ff2c75625203c90de67a64ebc4bfd345bcebb1d6b8bbfaf8c109e0f6b5a0ffa60a5c30693b15bbba79313302579002737c47cc3306efb85

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1fda59e891c0dd3f8b3fcb220567993a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize: 305KB
MD5: 70c5cbd035d12eb4c4acbfe7712e96bc
SHA1: 03ab0d1b1900f57408e92bb689e67ab2b5762fc6
SHA256: 071928f27cad1bbe01af9f9d06f44399ccb7c1c28058c596f5bf97df8fe80727
SHA512: cc0c00fdead268740995c37ec9b4b5dcfe540e596e4f72311f1806f4a3c32ebac19cea8f25da6a6099ca08fa580a2cd7fe1abd9aaaabcff85b8ffee7654e2aca

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize: 43KB
MD5: 68c51bcdc03e97a119431061273f045a
SHA1: 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256: 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512: d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize: 198KB
MD5: 9d9305a1998234e5a8f7047e1d8c0efe
SHA1: ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256: 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512: 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\52ae6f06f09a95cce3eaa245fe26e8d8\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize: 122KB
MD5: 11ef8abc4657860ce33b6041f7119841
SHA1: e82b745c079ebc5d9e682cb592779476ce94db06
SHA256: d9314d4cba3059c057730a5bfcef34c7c5543d57d3d78c000a3801370308c1ad
SHA512: fb7b7b6efc359a16eaa663b6665bedf24eba6d855bb71ad895f66c2ff7dcf8599ac26602ce2cff3a2bda25c8cbb5192958f1a98f2aa271122e6ab19ad6be65be

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize: 70KB
MD5: 57b601497b76f8cd4f0486d8c8bf918e
SHA1: da797c446d4ca5a328f6322219f14efe90a5be54
SHA256: 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512: 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize: 87KB
MD5: ed5c3f3402e320a8b4c6a33245a687d1
SHA1: 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256: b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512: d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize: 82KB
MD5: 2eeeff61d87428ae7a2e651822adfdc4
SHA1: 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256: 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512: cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: a8b651d9ae89d5e790ab8357edebbffe
SHA1: 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256: 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512: b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize: 85KB
MD5: 5180107f98e16bdca63e67e7e3169d22
SHA1: dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256: d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512: 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 298KB
MD5: 5fd34a21f44ccbeda1bf502aa162a96a
SHA1: 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256: 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512: 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e45a0e1bd97a5a0eae6d678180325b04\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize: 221KB
MD5: 9142ed1e4d5c6f93cb6764a8c481cbe1
SHA1: 1f03135777b0db6d3ace50dbd8f99af3ac2d21f8
SHA256: c985665c74fee7fc0ca238820772915c33c4d031f227176027832c26bb7f9ae9
SHA512: 2c9d0608e2d62aa477f6b38ed69583c0a43d1fb3c7ac4e795a0dbca5668f712b79a59a135f05b486e560f4c3f8b824af75c54f2a7df7d08049577fd1af8e2fd2

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize: 43KB
MD5: dd1dfa421035fdfb6fd96d301a8c3d96
SHA1: d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256: f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512: 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize: 124KB
MD5: 929653b5b019b4555b25d55e6bf9987b
SHA1: 993844805819ee445ff8136ee38c1aee70de3180
SHA256: 2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512: effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize: 2.1MB
MD5: 10b5a285eafccdd35390bb49861657e7
SHA1: 62c05a4380e68418463529298058f3d2de19660d
SHA256: 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA512: 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize: 88KB
MD5: 1f394b5ca6924de6d9dbfb0e90ea50ef
SHA1: 4e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA256: 9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512: e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476
Filesize: 603KB
MD5: 986ba8bb2750db9389ecb7053fe27d64
SHA1: 00f22e845e8c6bbe4dd6ae51284774d92abca1df
SHA256: 95ffba995af18bbab8691318132e53e64168cad0104a32b58ae4631272b3c929
SHA512: b6cbba0c216d601bea5af96d41432d01545203560f2fa1b48b55abe9a25d51a4497d243a780595b4300c980985e5e3c87cda7195f4b9282867dea3e888f214f8

Filesize: 674KB
MD5: a09550eeefe45c2321a39f11d76dffaf
SHA1: b4dbc8f43b80c682264ec7f1510e942cd10b5098
SHA256: 3f29ce373c4c0a0c1eb6ef5f044396b0350d6e7d250724f5174227adfd8b21d0
SHA512: 5580e0b2b7e6b0cb9bff5e5bdaffaf6d1ffe73d96ddb544eb1856d3a42d74e10c18f63126d255dc2a4e46cbf9741a343314cd08b83fccec14d880908cdc9cbc2

Filesize: 705KB
MD5: a06e5fc4b3cec57fd253d609ee3eed99
SHA1: 268eab3c70cbf77a258355074b9f42de7df81d72
SHA256: 716ebcde6f5467ab7c37d3d3e1e8e40eaaf46b4075d52f1124c09311b28dd0ed
SHA512: 703420d532c03eb656417766ed5b3d00d7e0945cdac3351c498064feb24fc134ac30210f9f6a8f12e96a25bd29113e71acd8613914e33370f91bfbb5485c891a

Filesize: 691KB
MD5: 220f75bf21bd0f13785dfb70ddc408a9
SHA1: 7589f880f37601f3eade8aa912e95d8c3774ee2f
SHA256: 866b0df349f1f4a29b516ded6e19eb7abaf4470859f5896b92723c8eddd5ca8a
SHA512: 06bae87c0aa420d66c4b70c862356bc35fa8021e0503f6ae16a5ba6fa244caf719ca4817739e13d5617311a4e56efce5f479eb8d049f0186cdf88e2923fdbb63

Filesize: 581KB
MD5: c3f192c4b5d0e8dd8911f8c441277218
SHA1: 969a68fc0bbd6afcf1cb5cdcce6e0ea4079436c7
SHA256: af6e93ba1d10e3f0a8b61a52897618726fd54a46ee08942f9b9a0eec2c5f845c
SHA512: c0c7e7b1b2b8204908691408392cd907762371eed4d1f4b143418db18c7961a11a3c459ea131ea5b0c18d2148800b6f3bd6bb48cbaa72ee688aeeac92df1b48f

Filesize: 765KB
MD5: 822826d1584f29513a5635bf4a376480
SHA1: 791b3e69cdef0b7acc60470fa731d772219ac5b1
SHA256: 633a1eebbc7b88ee54c76538178a4ec86c160658d7e59f3363c5e9783db02677
SHA512: 577026b7390e4fe467785798600a5f3748d4c91c8d2b9bd5ca5b06fea20250a29bf013f4f8349d99450b13e21da34b028bbee6883f8007e12661d4d05343a298

Filesize: 1.2MB
MD5: 3abc70ae2246a9a4fd16b854a0b97c3e
SHA1: d23ad93730a785034d392e94f815f705f6c6085d
SHA256: e1cf6e0cde105ed7490604e60c9dc98847d97528ba5fab1dc65e8034795f3aa6
SHA512: f637768541cf1bbf9b352d9c5d80fcbd099249a21238270e73c34821a719a25142467210ccc70d0fe73ca1b7c838eefd6f28051d428ef1048b94c3f4225ca60b

Filesize: 691KB
MD5: 543d5ff2b66034e1811cb563e5a57663
SHA1: a92f2e9931fa6f2dbcd409c94ec4b90abc2ba5c5
SHA256: ea14344e4136325da87548422c9991e0b7432e7cd99f75b951327224b6f49bc0
SHA512: c1c0455901af5978a4ca2f8054892b81db3b4deda2db663c4be5f56f85333d5abe103e078270b428421ed0be2066d55c528f600f956efcab7bd259681c6e11b5