61f882c810fa592cf6fd6a89ec26529c9a6d5bf25f075c49bb910e5701ed2cb6

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Size

24.3MB
MD5

7b1879ce5afbab2ff5d3ecae1586ad29
SHA1

0caf2f3765d512047aea5a94c9b3ca93f41a02ad
SHA256

61f882c810fa592cf6fd6a89ec26529c9a6d5bf25f075c49bb910e5701ed2cb6
SHA512

4409630db9602322cb66b1d71934c828ad617f41750e34a437a62a5d0a3669fc5672f97fe2b8a7ea71312064f138dd1b2ae8a1c02beddaae923f3ea038b71aad
SSDEEP

196608:RP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpqH2SAmGcWqnlv018G+Z:RPboGX8a/jWWu3cx2D/cWcls1P+Z

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2792	alg.exe
2976	aspnet_state.exe
2624	mscorsvw.exe
2420	mscorsvw.exe
588	mscorsvw.exe
2924	mscorsvw.exe
2168	dllhost.exe
2256	ehRecvr.exe
828	ehsched.exe
3008	elevation_service.exe
1828	IEEtwCollector.exe
1088	mscorsvw.exe
908	GROOVE.EXE
2632	maintenanceservice.exe
1344	mscorsvw.exe
2208	msdtc.exe
1320	msiexec.exe
1064	OSE.EXE
2944	OSPPSVC.EXE
1244	perfhost.exe
1584	locator.exe
2140	snmptrap.exe
1644	vds.exe
1820	vssvc.exe
1048	wbengine.exe
2116	mscorsvw.exe
796	WmiApSrv.exe
972	wmpnetwk.exe
2124	SearchIndexer.exe
2896	mscorsvw.exe
1424	mscorsvw.exe
1712	mscorsvw.exe
1980	mscorsvw.exe
3000	mscorsvw.exe
2656	mscorsvw.exe
2004	mscorsvw.exe
1804	mscorsvw.exe
2076	mscorsvw.exe
1692	mscorsvw.exe
1816	mscorsvw.exe
2620	mscorsvw.exe
1860	mscorsvw.exe
1804	mscorsvw.exe
2896	mscorsvw.exe
2452	mscorsvw.exe
1816	mscorsvw.exe
1864	mscorsvw.exe
2648	mscorsvw.exe
1364	mscorsvw.exe
2320	mscorsvw.exe
1956	mscorsvw.exe
2256	mscorsvw.exe
1364	mscorsvw.exe
1488	mscorsvw.exe
884	mscorsvw.exe
960	mscorsvw.exe
2368	mscorsvw.exe
1600	mscorsvw.exe
2772	mscorsvw.exe
920	mscorsvw.exe
2512	mscorsvw.exe
696	mscorsvw.exe
2396	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1320	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found
960	mscorsvw.exe
960	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
696	mscorsvw.exe
696	mscorsvw.exe
436	mscorsvw.exe
436	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
2456	mscorsvw.exe
2456	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
2076	mscorsvw.exe
2076	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
844	mscorsvw.exe
844	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
820	mscorsvw.exe
820	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5e5b5e033db14c9a.bin	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP37A4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA209.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5B79.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP90DA.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP690F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6F37.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{040AC3D5-91C4-4B0A-BE0D-BDA12CFE64D9}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{040AC3D5-91C4-4B0A-BE0D-BDA12CFE64D9}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
400	ehRec.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: 33	2396	EhTray.exe
Token: SeIncBasePriorityPrivilege	2396	EhTray.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeDebugPrivilege	400	ehRec.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: 33	2396	EhTray.exe
Token: SeIncBasePriorityPrivilege	2396	EhTray.exe
Token: SeRestorePrivilege	1320	msiexec.exe
Token: SeTakeOwnershipPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	1320	msiexec.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe
Token: SeBackupPrivilege	1048	wbengine.exe
Token: SeRestorePrivilege	1048	wbengine.exe
Token: SeSecurityPrivilege	1048	wbengine.exe
Token: SeManageVolumePrivilege	2124	SearchIndexer.exe
Token: 33	2124	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2124	SearchIndexer.exe
Token: 33	972	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	972	wmpnetwk.exe
Token: SeDebugPrivilege	2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2200	2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeDebugPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2396	EhTray.exe
2396	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2396	EhTray.exe
2396	EhTray.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
556	SearchProtocolHost.exe
2412	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1088	2924	mscorsvw.exe	42
PID 2924 wrote to memory of 1088	2924	mscorsvw.exe	42
PID 2924 wrote to memory of 1088	2924	mscorsvw.exe	42
PID 2924 wrote to memory of 1344	2924	mscorsvw.exe	45
PID 2924 wrote to memory of 1344	2924	mscorsvw.exe	45
PID 2924 wrote to memory of 1344	2924	mscorsvw.exe	45
PID 588 wrote to memory of 2116	588	mscorsvw.exe	56
PID 588 wrote to memory of 2116	588	mscorsvw.exe	56
PID 588 wrote to memory of 2116	588	mscorsvw.exe	56
PID 588 wrote to memory of 2116	588	mscorsvw.exe	56
PID 588 wrote to memory of 2896	588	mscorsvw.exe	79
PID 588 wrote to memory of 2896	588	mscorsvw.exe	79
PID 588 wrote to memory of 2896	588	mscorsvw.exe	79
PID 588 wrote to memory of 2896	588	mscorsvw.exe	79
PID 588 wrote to memory of 1424	588	mscorsvw.exe	63
PID 588 wrote to memory of 1424	588	mscorsvw.exe	63
PID 588 wrote to memory of 1424	588	mscorsvw.exe	63
PID 588 wrote to memory of 1424	588	mscorsvw.exe	63
PID 2124 wrote to memory of 2412	2124	SearchIndexer.exe	64
PID 2124 wrote to memory of 2412	2124	SearchIndexer.exe	64
PID 2124 wrote to memory of 2412	2124	SearchIndexer.exe	64
PID 2124 wrote to memory of 1368	2124	SearchIndexer.exe	65
PID 2124 wrote to memory of 1368	2124	SearchIndexer.exe	65
PID 2124 wrote to memory of 1368	2124	SearchIndexer.exe	65
PID 588 wrote to memory of 1712	588	mscorsvw.exe	66
PID 588 wrote to memory of 1712	588	mscorsvw.exe	66
PID 588 wrote to memory of 1712	588	mscorsvw.exe	66
PID 588 wrote to memory of 1712	588	mscorsvw.exe	66
PID 588 wrote to memory of 1980	588	mscorsvw.exe	67
PID 588 wrote to memory of 1980	588	mscorsvw.exe	67
PID 588 wrote to memory of 1980	588	mscorsvw.exe	67
PID 588 wrote to memory of 1980	588	mscorsvw.exe	67
PID 588 wrote to memory of 3000	588	mscorsvw.exe	68
PID 588 wrote to memory of 3000	588	mscorsvw.exe	68
PID 588 wrote to memory of 3000	588	mscorsvw.exe	68
PID 588 wrote to memory of 3000	588	mscorsvw.exe	68
PID 588 wrote to memory of 2656	588	mscorsvw.exe	69
PID 588 wrote to memory of 2656	588	mscorsvw.exe	69
PID 588 wrote to memory of 2656	588	mscorsvw.exe	69
PID 588 wrote to memory of 2656	588	mscorsvw.exe	69
PID 588 wrote to memory of 2004	588	mscorsvw.exe	70
PID 588 wrote to memory of 2004	588	mscorsvw.exe	70
PID 588 wrote to memory of 2004	588	mscorsvw.exe	70
PID 588 wrote to memory of 2004	588	mscorsvw.exe	70
PID 588 wrote to memory of 1804	588	mscorsvw.exe	78
PID 588 wrote to memory of 1804	588	mscorsvw.exe	78
PID 588 wrote to memory of 1804	588	mscorsvw.exe	78
PID 588 wrote to memory of 1804	588	mscorsvw.exe	78
PID 588 wrote to memory of 2076	588	mscorsvw.exe	72
PID 588 wrote to memory of 2076	588	mscorsvw.exe	72
PID 588 wrote to memory of 2076	588	mscorsvw.exe	72
PID 588 wrote to memory of 2076	588	mscorsvw.exe	72
PID 2124 wrote to memory of 556	2124	SearchIndexer.exe	73
PID 2124 wrote to memory of 556	2124	SearchIndexer.exe	73
PID 2124 wrote to memory of 556	2124	SearchIndexer.exe	73
PID 588 wrote to memory of 1692	588	mscorsvw.exe	74
PID 588 wrote to memory of 1692	588	mscorsvw.exe	74
PID 588 wrote to memory of 1692	588	mscorsvw.exe	74
PID 588 wrote to memory of 1692	588	mscorsvw.exe	74
PID 588 wrote to memory of 1816	588	mscorsvw.exe	81
PID 588 wrote to memory of 1816	588	mscorsvw.exe	81
PID 588 wrote to memory of 1816	588	mscorsvw.exe	81
PID 588 wrote to memory of 1816	588	mscorsvw.exe	81
PID 588 wrote to memory of 2620	588	mscorsvw.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_7b1879ce5afbab2ff5d3ecae1586ad29_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 254 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2e8 -NGENProcess 2d4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2d8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2e8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 254 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 258 -NGENProcess 2d0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 258 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 258 -NGENProcess 2fc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2e0 -NGENProcess 308 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f0 -NGENProcess 30c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 310 -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 314 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 310 -NGENProcess 31c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 308 -NGENProcess 320 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 300 -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 328 -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 308 -NGENProcess 32c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 330 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 32c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1a4 -NGENProcess 14c -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 1fc -NGENProcess 1dc -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1fc -NGENProcess 1a4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 158 -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1dc -NGENProcess 20c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1fc -NGENProcess 20c -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 214 -NGENProcess 210 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 1d4 -NGENProcess 210 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 14c -NGENProcess 21c -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 21c -NGENProcess 204 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 228 -NGENProcess 1dc -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1dc -NGENProcess 1d4 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1dc -NGENProcess 228 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 20c -NGENProcess 238 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 23c -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 228 -NGENProcess 224 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 228 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 23c -NGENProcess 1dc -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 228 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 234 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 234 -NGENProcess 250 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 250 -NGENProcess 20c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 204 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 204 -NGENProcess 234 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 264 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f0 -NGENProcess 224 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 204 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 224 -NGENProcess 274 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 270 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 270 -NGENProcess 2a0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1f0 -NGENProcess 2b4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 2bc -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a0 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1f0 -NGENProcess 2c0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2c4 -NGENProcess 2b8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 280 -Pipe 148 -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 294 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d8 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 2e0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:400

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2168

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1828

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1064

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:796

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1368
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ff8bfa127e38837a3fb3cd6c5bde4d76

SHA1
1595f1c42a9a66f3c84ca6b5ddc22423dac0bd31

SHA256
9d1b2c94d93a9e00a62860a85d2714559d74d81dcdb08293b72602e3bbb5ceeb

SHA512
2eaaacf42fa14aa5b43d145218a4bbd8a56e3357c46a3158406e4c021777c79399e36f590104782352c07acae5cff023d4b42c6e9fb93a8cdc29e5fe6e146451

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.3MB

MD5
d158516d10adc02afb5df9e3d98a8298

SHA1
3c116ccaa2a834f2d47cdb2373389a9303f8000d

SHA256
d1e862621e9f85b493773c185f7d7d1089e7c00ce9a976263eaa0d1fa776ff75

SHA512
a899bff48b429c1a6fe8f1dde36b08a57b033ebc64723d19b1dc56813559098ab6f9f46417742faaf66d388d992ea635711f1e9b835412e27e1549a6121af101

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
7e245e81eba00d69e23ba05262dec112

SHA1
99c34f0aa0d8fd28a693c078269cfa44c6363d81

SHA256
d185b26cc51ff56e0c3119919f48211c4d43bbbcbedcd562065f3b157d6a6dc0

SHA512
f3d1f28ecdb0414e71b1438bbfb58759a463563b969d22c517c7746683623ab70e3f20e5500d895675488cc759f4f5714155b547be2198525044ae0d31726c3d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.8MB

MD5
8f9ffc793c4b27679de9db86e9ada008

SHA1
ea7302b76b167a6a12e2db23327de6b6fa4331da

SHA256
3949f351a3a809c5968f65800a60dab6a6a0b24dbd69b2a12c4ccbe42602a693

SHA512
6bf218ffa48993d3f1f3406d88e59968ffdf655fbdc1ee836898e4689d81ce15a3a173112664a842f426879720dea6deadfd130fe89a48a387edb37c6d330597

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
132f89d2f6dcfb2706d43a6add7e8fbe

SHA1
b860e5319e286c402a5bb28ea02fe4df61e0706a

SHA256
c35f91af67d5111fb52e2058a48e9004c709d6fcff45eb1c8b99af3a7eb0a40e

SHA512
ef9376acff72f1d2c9de2247be9bd2c4721bc851e9734358e81e4a5e913108fd15de9c653e716bd196cd9115c46334afd42db3869af4030b2901f5c878c0a81a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
f66584a0671ddba645a0240e9a447633

SHA1
78459be21e0cded7666aa8ac974684f98018a2be

SHA256
9afb79cdb24b346c38304e553604f5efcadbc666d50ea26cf558731dd514b0be

SHA512
7229d6e9c98dedcfbb5d80a3dae4a677c033f1f5460544e317f1d446f652ccd1556ef5ec025c31a46679d74c4788c70d808ff4854d12641c210f219238978638

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
aa3bdeaf0a77e91aab4bf64d6637f6f0

SHA1
aadb403c443e55d9c1941fb7726fc5ddfe2c526e

SHA256
0ff3d69ce6e21dd1396ba23df8c5870e21bc9e74ae60db858f844663477aec21

SHA512
18d513b37c228261a8ff304527e785f212c55ae0bb2ef52789dca6fbc33e5264495f64a29791cf9f507db1b4440e8848751e1d3f978343a0a58598b4093383a1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
64f428661535377276b43aba59fb4a22

SHA1
caf11b9479a072418190d2651fd9af086ea955a8

SHA256
2aa3fe28128a7195c3290dbd0b1f8e0f13360cbef6c4ccaa900b4c143c00d5a8

SHA512
4d197440f55812b4ea718d96a27a940ef483e8964247dc0f14782b63b40b25b437db9272b6599982e10ef24510353a122be4fd8665ede67de208f32efafc243b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
8f505d53707d5e4555324fa156706066

SHA1
4441ac31ae1ef17bb4c156173c4ca9d8b8fad676

SHA256
0005b35b86970432026b5513741df874fa1049bbe49d5ed447936286978d80f1

SHA512
3134be0451815c01a5d77f0edd723f8af0d2af28ef43c7c8ead6471ac1f1ccafc346c38e9565b0fd3e38a6994ccb808a0349bc3bc7cbc7831d7e4a43fc4e8c6e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
01ae75fbf22ea669ce0e8c87027b33e9

SHA1
04e0a4327f1c0189cd9d9d30e42ee20373669a0b

SHA256
b2962e9745203c8865e121ac449b6441cb7e3e701201cc33e2f924584e65e048

SHA512
48e8734b545f0f4d84432f95c6f2d17a8f491f11947a2930bbddd5520b0e410df13801bb77e05f366b5a538032ee4581cc0ad7cd6eae6e7c51b480097d0ac540

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
960KB

MD5
53e713e5787e34a1ed592145b2b01240

SHA1
118b51bf50b74605c172a43f7cda24d685e6b32f

SHA256
7ab9a8fa80fad2c257719dedc4ef598e591c2a1ef560a22a25c43057f2a54e3a

SHA512
7f11aed372fb37f3024cc28f98f3c4ef32f9ef9b71ba8a7f9fd290029793be5d403161c364ec7a6c338cdfac4fd994696bc1923c1f93297febc7536e01720422

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
db041fc463f201cf745c0fa204dcfe63

SHA1
1724f79e8b0601f21285a606cb0049cd8f8916e3

SHA256
7d38bef7a959c5afcb1443a52c7d461ddd04cf3db29fa148f9fff6b53e1b30d0

SHA512
fae82b096d15760df306e8a43b5333a3f3ffd801ea4ab4e2371bdc5999ce595df17997f9a2606adc446785c27b4d61479989805da13710168553b5b9496bbaa9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5e5b5e033db14c9a.bin

Filesize
12KB

MD5
b4810d844199045fa4d2248908129f38

SHA1
3230b8ae04159dcf9671e9494693691e672981f9

SHA256
4bd721b684e4afb386213ab79edd4ea497c4b39f827078e51e54a2206e8d9c54

SHA512
7c9d04224848971c4903bbc340bf546c4018889c3dfdc18b5e38faed0f93eec441998d766b1725f908afc5147bd9ed2e76b30beff82e4388af651bb776b72ccb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
e5e6aac6a52c31b2ab5485fb60ea700f

SHA1
8b9a68bd53bfedb28462fb693ca45ab1d78a6eec

SHA256
a37ae0809bbffab57705a75acb62be33fbce46a86e3f2412d33ea45028f97c84

SHA512
7aaed7e6211522d56003df70dab83cbb9c1a9b9e8cf8b9ae88742910eb09589bd97732d7608457d1e1a78350d59e99c63a672d9237cc9a00d8ff9c6f4579cd95

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
c7dab76fd2393b284463f67cddf5c882

SHA1
cedf8004cccb4f0a7e5a8dfe76f3254871474168

SHA256
58e70556ae49a21fa3c675c32dfedfd855b64968fe943a6d99b65b569f1949c5

SHA512
112ebf36e4985631d1ca6d60e1e733883daeaceb03d4dd3556b3a01d416aa6a9f4a1fdd6076dc1bc5b658927c2f88c2dc9007664d10dd629e8b4719231d15f20

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
f27719249f6380be93ac4dd102fd77e0

SHA1
a01e57274ba86598a3e152716ad4ca627ed98bc2

SHA256
53f7d64d6b9c8ceef0db1ce50db68a95725da898a2f951fbf19e437136a20504

SHA512
524d53852c7b41bdd88684c69ef5c460ffeb7584b381dea5e46112d1f22d9212f77549f097b424df93fcf9d3015ff1963e55eb98f900a2af87816ee48cfc62a7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3bafbfd423fd89ef8ea1596e89678a61

SHA1
9a2e113dca1a86795eeccf03b8044b3d07c33ab5

SHA256
ab173eb04d0c0b16d9d2398f742495cf893f8c8422775fd0b5b210088c33135c

SHA512
d9b49ffb0a306ad693d9fb809f44f5d541d08700ac06652b945f09c3888a36420785e51c7e9e9e8e8f2e9efc11e2fdbdac61e7146b3d3f9a65a41c81180805a4

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
fc2cc558c8c38a4b61fc5e6a8ef8577d

SHA1
77e0489821ca570de711278f8f3cd452b41ff47b

SHA256
0d507a7ed363c90833a25d5fbd7df3cf1845a0bd461938126e291d5c5f95b00a

SHA512
544e40622293db266b9bd7a38181acdfa8a0e6eec44203cc3af093ecec70d7b27f66a193f0b94ca953851eb88353a27a59cf052590c02f2af06eec75d75f835c

Download Submit
C:\Windows\System32\vds.exe

Filesize
960KB

MD5
a3023fd8d24dd9a90b5fc92ee28ea631

SHA1
b2e793e1fbf5dcfcb069a48a340458a1aaaf6fc8

SHA256
2fedab80a3c057e1ced5dbb5f8ff4901279d0686aaa713ea2fe3ae63cbce01f2

SHA512
6d53f2fcc0b31ecad57398288f8e33cc64c7e9f1ea7f8d95bb756c24eedb6b7c1ae3ee17235d591daaaaf839f0b57f841d81554658659de31b2d6a1bcee14863

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
640KB

MD5
5df3214471db5fb956a7ecaf0daededf

SHA1
4aad8ee90c7a3dd7120c5f42584fe7ac057d6b7e

SHA256
86bf74e80e2264bbcab2146ec46e2e8fc70c0b93a669fa38b4800217fe81fe58

SHA512
f24c19c4aa4e31c76c28cde367ad2ea5beab4b7878676ae31eb251dcd11c94fb27a1afe69270b69854ac759779019c23e60ba3ca2b0c60a80aa82181ce14fb38

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.6MB

MD5
3c5b7b3b9f4eea50a81f30c5c175ec56

SHA1
4386e52c8c21e931e5aa141c1cff4078b978e64d

SHA256
cf86a2822b13ef2db13dbe1cfe1b91ceff63323fef24b5b468317e3f27224d3c

SHA512
b959b96102c5ce2ad5856eb127393d50ee477630a6d328261762c223e632e7521a67274d0f53bb573cf33a8770f3f23f62b4972faa010d3328fef502eb97da36

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\08866dfeac7be6609b88157bd33dbf20\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
b93f2b27b14f960b8d615103b230df3e

SHA1
4e0cac3dc301a252f71afd236471e5dcbb56752f

SHA256
ec39828fa3bfecb14a3dcdad4e36d418b9ae59412e62d19e8f4d97cd3157bfa3

SHA512
67481ff521ca33c54f94560d7e6c6cbe8058b4e48eb51d482f7ee9a56ebbbd094fbc89144b71aad2028161659e383b45965eca0228e9117fe0f6997d1af179a1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1bce5a16a5727a57c53116f79bd267af\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
cfb019dededfa6ea96d80ee3484baf20

SHA1
07081cac42ba7c3feba9bffc7b403664e465e1ba

SHA256
a06a5d6cd014d1f2a0d37a6ad973c76b7fcc712c59e982259b794bd2751d9f82

SHA512
e7ae097dbc186913f520b45435f3631d7684e8efcecf6f85cfbb258f24a814e37c0f52b20cdcacbc3d7ffa72cb8d468f018609be219239b8fdda7d62529deb8c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6403a9e7b3b4c28a6c0fbdd9a48f5b00\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
8f87cb36e88dcf05b21eb8475c7f223e

SHA1
d6a1d27c27c2655a4ec3cdf2f3ad05770e3a0b94

SHA256
c2c828f8eb7018573fb08d343c8bce80c55d50cdcf2bdd005fd353b3c69001bf

SHA512
137ecc5756f2b5d354ff274c205b6395fd0c86697d0ff44d809efdf8040e644d282fe786f16af159c82954328a581d6b7f1e0add015d8e0488194d311d699f06

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9a45676b1771806a84f2aaf57d1748da\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
0a4f10f1edf854ec953b5db217894531

SHA1
5cb5d438f8b0a0478bf81b709342ea9e8bc9cb8e

SHA256
15fe58a558faa0792eb0b869ba8e2e196604f1ac6d01935f0b3c28bb2b45c579

SHA512
ab30784e3c5f35b7dcecc11e9ba53bf397989d040bc7a3a5f252bf2bcf08dc52e36dfb155541d7fb7e2641adf5c0f8722c6b7ccfb7f55d0235ba224af1df3265

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
0046a2663323f40bc5117a3474065e7d

SHA1
5a21aa4070986010740fea270885c620aa66aba2

SHA256
e966c9225d0e7682b2578253076c1b5f3017cf262f723e2b87589e97e7d31b45

SHA512
30853449466eacc2f2f1052a9eca465f22bc4581151cd915cb99d262218078c6e62f1fb083714fa463cca8a7c5153cc0d5cabe320f92795af1f5a09c71ff32ea

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
4c1f34869ebf9c8144a5516a03866325

SHA1
d9f6fb60ac208548e2f78257c37be6cdd2180d8a

SHA256
d95ce21bf04afe2a72e63d8e3d500003b6203622b089cfb9025ef0667b1d0c02

SHA512
692f936b83b4106eb0784e6cd3eabb2ad9cc140e2cdc35a07e23877a095c82e9dce73cf0c9a5afd9880ee038059149fd99811b5b0a65585d8344576febf06f82

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
24f4e032418a931b772acd1709c05122

SHA1
6f3dee66ad5525df3ab3e0a011c482666f12531e

SHA256
aac29352bfb634d82eb00389a73eda0fdafdf2edea41efcf371534dd1c01f803

SHA512
e04ded8654d64d4d13a63fd303f5d8e4b4617be276e8562418c3c72fe4ebfafd578a4521067a6ddfe1b3fd6e9ddc6f0e69b31bc886b91f769d3827f562e5bb61

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
91acff1ced65d05e5cb60bea91f8400a

SHA1
860c7d123f4ac74f6986a1db6c6531e6e24f5ee5

SHA256
cff3372fe8977e26eb50688de6125951feddd03dc5357fdb82e9db8c4f5f9dee

SHA512
8498a5af8961afe867276f31dcbed763cabc7a071513901db035bac26a1d8cb8a93b9af6e93de3d74ec0040f4ddc48e0da417cbaff7e2320b0acad0e54e24d88

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
cd6049f356d7fafd6f2e1ccfa2cedc88

SHA1
dc5a856d212295da0d0546a0636d58c5c8cf86de

SHA256
28903204e5b9cb6c146a44dc2fa4a75a9d826cb942a299bba1c0c68db4e4330a

SHA512
48c16316b666b5f8b1d2630741ac102b9a2f5002dcf67f0f5d5e006b4c1bd1e44f6eb3c6ff8b06036f24b15beab2da6849590a323ee6593c4443798753d0363c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
a337cc2971496c6618b5e7060a8bd89b

SHA1
80241ed47d5fd2d1eca055c5dabde80a1e2c5242

SHA256
89f7322909e725f64d53f2ecdc7ab294308bae2b727424a157d31be621948593

SHA512
98b53262728a71262c11137cdfc0c9170a244dccd3b841600efbebc93d43e1eb99ae7613d9f1f65630505d68076c00fb7220c2ab31ed517c691ea92d74d3bfa6

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
0b092ebe094d47683848b5a17492b85b

SHA1
30c08ec1219a8d1ee6377affa49f3a78e07848fa

SHA256
39369d88714dd18b74411bcbff5e76798d3c5f32e241f59e543b5892ac24cd28

SHA512
a9e1be57a848ab8d9ff43de5972cbd576177c4e989ec0dadcd35f41d6882d106cf63324ae0b07c37ce52c75fbc69aedaea26ba506492444abb14e4fb208c2be7

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
41409d652e9492657f97e74ab51e4bf7

SHA1
8e889294544b240ab39a87dfdcf4265cc31b88da

SHA256
5707fed797b082c54d95f258e06e4bd8b40c6586adb947199732e98307beafbb

SHA512
46cd3e776380a36b960f32c7cd3f700e27047c023283d3290139d268bba7d9ec762072c8cf97c1d6e568af7865d2bde8cd051fc8e5fb62f6ea3cc1bb0cfb2408

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
576KB

MD5
d97707714276cddc8c99bd4407955bca

SHA1
c97a72e984e162112d0b89e35a0cf2614659bfe1

SHA256
ed673ced46d30f2c50dc0c6676ff8d0d09d8fa7aa1f686c6d49702162a4d15b7

SHA512
39c8cad32f19402ff3274614b7c6e164cd3c5f478521218ae082c558bb7c216e6043d293787075a0c2ede7862791f6f4aee4b0f781ac215dd1f6d21b02294223

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.9MB

MD5
bac65e805961200c89813727e5424ae1

SHA1
666c195c678e7a5c179ce9c03b0bae4b16e2c48c

SHA256
0b22f5c5073e2f5f8a5df2f40b2dd656a9cdbea427d32142c0dbb11f6fd2f774

SHA512
43ae5b1311fd12c83e099b24bfe9f27db9bc4fc8c251c63b5e1e0b697a2a643ca5cdf876c943e8a7740ff87689bfd7926bb7b2d041e453f47ff0b58edc4bb1a9

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c63574983a47533abde14a96bc81cc22

SHA1
493f626c299c99dd65113c5c211998ea70eb243f

SHA256
abf74e765ed7f0796ebf800ea4964d1b0ea7372444dbc289c971072c48cbcceb

SHA512
025934a0b916682ef7fec721cbea4ac0e705567e8d911a4200641752fa272a4a9dcb9667b7e83ea15bb9988e2363edbb373943a6569f388e3636c025f7ea11f7

Download Submit
memory/400-261-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/400-253-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/400-213-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/400-208-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/400-131-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/400-132-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/400-127-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/400-257-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/400-247-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/588-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/588-46-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/588-47-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/588-53-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/828-103-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/828-111-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/828-104-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/828-223-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/908-281-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/908-160-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/908-218-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/1048-273-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1064-221-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1088-196-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1088-139-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1088-148-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1088-206-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1088-197-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1088-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1244-231-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1244-237-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1320-211-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1320-212-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/1344-210-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1344-220-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1344-215-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-250-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1344-251-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-249-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1584-248-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1644-262-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1828-133-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2116-279-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-259-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2168-75-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2168-74-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2168-140-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2168-81-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2200-6-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2200-67-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2200-0-0x0000000001F00000-0x0000000001F67000-memory.dmp

Filesize
412KB

Download
memory/2200-5-0x0000000001F00000-0x0000000001F67000-memory.dmp

Filesize
412KB

Download
memory/2208-209-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2256-90-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2256-88-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2256-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2256-228-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2256-107-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2256-100-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2256-99-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2256-95-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2420-36-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2420-60-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2624-25-0x0000000000480000-0x00000000004E7000-memory.dmp

Filesize
412KB

Download
memory/2624-19-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2624-20-0x0000000000480000-0x00000000004E7000-memory.dmp

Filesize
412KB

Download
memory/2624-44-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2632-177-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2632-174-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2792-87-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2792-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2924-69-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2944-224-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2944-255-0x0000000074548000-0x000000007455D000-memory.dmp

Filesize
84KB

Download
memory/2976-96-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2976-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3008-116-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3008-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3008-125-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3008-246-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download