aefa3922ef8f4734726dc6ee61d468b80dcf04cd2979abc41a4024c6287abb72

Analysis

max time kernel
97s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Size

4.7MB
MD5

0902a25dca7516997a49574d6567ea0d
SHA1

326a110c04c99f42f19837bf0448d275f75da385
SHA256

aefa3922ef8f4734726dc6ee61d468b80dcf04cd2979abc41a4024c6287abb72
SHA512

a6d5ff8c5ebaf21163b33551b8699254083aa4cbf8787503299b13611609583cfaa4c41af8fa9224343a787b71ccf8750365afce913788cbc9fe557ca1543840
SSDEEP

98304:/sbltXkUt8hD3TZerXSFSYGBDVfSXNiu0fEL8FVqHOQq:kJtpadq2xlkueEL8FUOQq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
468	Process not Found
2292	alg.exe
2828	aspnet_state.exe
2976	mscorsvw.exe
2664	mscorsvw.exe
392	mscorsvw.exe
824	mscorsvw.exe
2012	ehRecvr.exe
2968	ehsched.exe
656	elevation_service.exe
856	IEEtwCollector.exe
680	GROOVE.EXE
2500	maintenanceservice.exe
2028	msdtc.exe
2648	msiexec.exe
2596	mscorsvw.exe
1428	OSE.EXE
2024	OSPPSVC.EXE
1700	mscorsvw.exe
3028	mscorsvw.exe
2996	mscorsvw.exe
1728	mscorsvw.exe
1584	perfhost.exe
3876	locator.exe
1088	snmptrap.exe
2992	vds.exe
2556	vssvc.exe
2632	wbengine.exe
2080	WmiApSrv.exe
3188	wmpnetwk.exe
3816	mscorsvw.exe
1736	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2648	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f221d69a3f41c52b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{84D4D46A-425C-4D83-A43F-29E77183FAA6}\chrome_installer.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe

Modifies data under HKEY_USERS 35 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{93BB9666-CF73-49C8-A6CE-E39296D84AA4}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{93BB9666-CF73-49C8-A6CE-E39296D84AA4}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1948	ehRec.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Token: SeShutdownPrivilege	392	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: 33	1692	EhTray.exe
Token: SeIncBasePriorityPrivilege	1692	EhTray.exe
Token: SeShutdownPrivilege	392	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeDebugPrivilege	1948	ehRec.exe
Token: SeShutdownPrivilege	392	mscorsvw.exe
Token: SeShutdownPrivilege	392	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	2648	msiexec.exe
Token: 33	1692	EhTray.exe
Token: SeIncBasePriorityPrivilege	1692	EhTray.exe
Token: SeBackupPrivilege	2556	vssvc.exe
Token: SeRestorePrivilege	2556	vssvc.exe
Token: SeAuditPrivilege	2556	vssvc.exe
Token: SeBackupPrivilege	2632	wbengine.exe
Token: SeRestorePrivilege	2632	wbengine.exe
Token: SeSecurityPrivilege	2632	wbengine.exe
Token: 33	3188	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3188	wmpnetwk.exe
Token: SeDebugPrivilege	2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Token: SeDebugPrivilege	2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Token: SeDebugPrivilege	2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Token: SeDebugPrivilege	2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
Token: SeDebugPrivilege	2432	2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1692	EhTray.exe
1692	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1692	EhTray.exe
1692	EhTray.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2596	392	mscorsvw.exe	44
PID 392 wrote to memory of 2596	392	mscorsvw.exe	44
PID 392 wrote to memory of 2596	392	mscorsvw.exe	44
PID 392 wrote to memory of 2596	392	mscorsvw.exe	44
PID 392 wrote to memory of 1700	392	mscorsvw.exe	47
PID 392 wrote to memory of 1700	392	mscorsvw.exe	47
PID 392 wrote to memory of 1700	392	mscorsvw.exe	47
PID 392 wrote to memory of 1700	392	mscorsvw.exe	47
PID 392 wrote to memory of 3028	392	mscorsvw.exe	48
PID 392 wrote to memory of 3028	392	mscorsvw.exe	48
PID 392 wrote to memory of 3028	392	mscorsvw.exe	48
PID 392 wrote to memory of 3028	392	mscorsvw.exe	48
PID 392 wrote to memory of 2996	392	mscorsvw.exe	51
PID 392 wrote to memory of 2996	392	mscorsvw.exe	51
PID 392 wrote to memory of 2996	392	mscorsvw.exe	51
PID 392 wrote to memory of 2996	392	mscorsvw.exe	51
PID 392 wrote to memory of 1728	392	mscorsvw.exe	52
PID 392 wrote to memory of 1728	392	mscorsvw.exe	52
PID 392 wrote to memory of 1728	392	mscorsvw.exe	52
PID 392 wrote to memory of 1728	392	mscorsvw.exe	52
PID 392 wrote to memory of 3816	392	mscorsvw.exe	61
PID 392 wrote to memory of 3816	392	mscorsvw.exe	61
PID 392 wrote to memory of 3816	392	mscorsvw.exe	61
PID 392 wrote to memory of 3816	392	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_0902a25dca7516997a49574d6567ea0d_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2976

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1dc -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 260 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d0 -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1dc -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 26c -NGENProcess 180 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:5052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:4980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2012

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:656

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:856

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
793f90097ef849e3ed046a0a5ca41242

SHA1
a545118cf4156560508f4f5bc3cfb3af16a7289f

SHA256
201c5e7b0ad63dcb33a160e49fccea6e7acec595df3730358f20dfaac8e98260

SHA512
040ba5e4f8c1a2450b0047973857abe6874e2aa4bd6e1c5e084a77f614dfa1e710813835a6a76cc27395c49de87ae4bad7b94f1b657206544bf0592580df97a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.5MB

MD5
9be8cedb9869ed8f8414e2e08b546821

SHA1
a7c046ba4b44a52d871f3da2c0ecb40d4aa562f3

SHA256
d66037954f812f4b03eb3f76c47c1d3688a5fe9a47ef48e6fc53e8122f66be87

SHA512
ccf10760ac76d23ea7cb85c9a735738b1ba68fdd10651e95fd6250a22a6c52bfa1dcd4a0f89d821820d39287d605d122e1aa6006ab147b76aa44c67f2b27194f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
1689a0467c79a256a9d3326831583ae3

SHA1
265417198a9c377727c4ebfa4a9768dd66994829

SHA256
3b45f485d8a3f6a045c9c11f766e1974a480cc79c25bf4fcac4a74b6a354a1c7

SHA512
d00974870f2c85d39af9b2d86caedc52752f5742f871228bd40f3d2c7a55fcb3ef6b5b2a6e475724ca47e1171f13da6836a6be773ff91b397b92d6621ca066a9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
736b2f9884fe6462b5e7513a97d35078

SHA1
4ac4fb811c302592acb10cdda2a2d3cdf575d1e3

SHA256
62ee938d0f78bf44aeabc32fe242a246b45e58474967ba3dcc0fa64cc9d9dc9d

SHA512
62991d2ae9528ef720bd53f6b3889fcc4365a995867f065f28611492943ba6f2fbd00656e1423d7b31745345883979f1de41f9b2f9b683814af5fc074ca8914f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.1MB

MD5
8974c12e4c8d98cf516ce70be2f50763

SHA1
1d65da4579f97e6b47adcb5d0e379336c22d750c

SHA256
a2d30b520594950e80191bb36ab07548e608e2a425132eb7f2a75936aae249e2

SHA512
3bf0182f434db94a47b44bb571b31a42d81f301ff2ca391d7dadc5111485e8f61a855cb6846ef11ac2a406dc6237ecd91240e9fe5c5b9f89c35651ca8bb559fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
164e0cf4561b18ad6204e77ed6ea12a3

SHA1
6ab8aa8a3a3300344f643dd9e7fd78a071603ac0

SHA256
122677092c9e9ecaa9fbcb22901f87df00f722f2821270d3ad62f8194d87cdf2

SHA512
0ab3398a5fd9e64f093283ce7fa40d564a8fbca33f14dc5cc209775750d71a30cdde44eda8d4bdc6ed5ad1c6bdfca734f560aca8222f7566b1ad764190e85158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
006150b85d39648c97bc07d1b57d3b37

SHA1
772f2950cc61a8c265f2dd120991a4681aeb313d

SHA256
52a62e2513c49c85904d5c958c57f35ec3ba0490f391b43286e6527fed6adbf7

SHA512
a1e7151ed50ce64fedcd31e1e793d25abaebf0a47637779a4d1567879e54451f49262c3d5c72e9cf619b33423df5720d41723756bbdb01b57d31ab0d6e42af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4CCB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5353.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
2ecac527313cef647f9f642b9c7ed515

SHA1
82bf593191e6eea4bfcf2679a66f095c5aa1c8c5

SHA256
7b724fd032356e7d19ec0c3d95adea6165ce5e826427c061861b129a7fb25d31

SHA512
8e4a3cb82b27bd5f10d80eaa53f0bb3096a03225c58bbf1ab01db7757d2bb821a731c02e8364b1e9f44f571007dc938d318c536ef28a942519a1c69cf2226dff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
4b263c810b27c79b799ff2af8f714071

SHA1
bd67c36882b93e7263ca22968595e4f4ca36bbde

SHA256
352bd1f6cb648875c7a8aac72d7c428102ffb2ad6a9550996b97af017fd543b4

SHA512
329e63eaf88506d19a7b441ff41849e8b698ddd554f34f89abcc364dfb98533c3deee5ac317858d9eecda49a1c664240192028874fbf9591b00ec135c88ed63f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
15636a7aa2d089c8039caf52c6d8cc54

SHA1
43629a09beb672c6125afa8cf51396854f87754c

SHA256
a85e3b430057173bc4e32b86a02896529ae8cfcf896307fd3dcad66e83ab8fd0

SHA512
e625944072c87ec29c21c913e9a8145c17379cbb1c5e9d8ff1ffeb69f849faf5491c6992c48b78eb22a0c1f9173a1f0efa3de0c4993ecfbb48016a47977e8e90

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7b07440ed3607bf24f3b2d83f166dc28

SHA1
f5ba8b5d24398e7a68f299ce5fda16829310c713

SHA256
806c5430a3c1c8f02b1f68c698cd9fa7e6750a9779cc9c944f4010256cd0e3d2

SHA512
cac7175d3fc7c8611b7a6d3060202620c86be094f0ebabd37cf0fd0c6957c8236bd62a69548f7e2c81bb65f708d7fe0bfbdca0c8c0bba4a9dfa8f444e697b75d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
2bab426f5eec9d035c1cf54a72b6dc60

SHA1
1dd84db3b63b6070f7270eef948d819ac494b1ab

SHA256
f9f464af964d7a2a62e932e574d3d2fbafd40068cde4c94059f62fef9b2e1a9d

SHA512
d1a6607caf3afdcd509640891a26741bfd3d061d76b2e3d7f47d6cc775bbf387428597fc81a7a09261f5a5b909a944f13dc009bdcca7935f9d0460780fe99c4a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
149302ce30b9ea69457c6bc571d36c03

SHA1
344817a1f322022747df57a871cf6161a962aa8b

SHA256
13d26648fea12399625024e9440727e94cfa2f0e2f35ae10131598fb77a87d74

SHA512
2950b3544f3c34b2e4123c088ca4ee9450c898049081a7a4427b7c12dccf116d7e2071c06cf86ce50627e8f3750d52384cbf4cccdc3b141c8e3aba9ec92d5905

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
601KB

MD5
660ab60e5f3d52d17b4820b11edffd79

SHA1
0664c24152c3d654c1ac3d670c2243024fe8ce8a

SHA256
4bfe7c2a34ff0987380f59219ac9600aab1b2b838e55e35c36aa691d71bb65b0

SHA512
e2e43329a3629ae5b0e8553bc0ecb2c86a630a6c33329df339a68387c8c1b23d7b28f6a58b2b3960529782dbb5ac6d7d54930065bee1608b433301f9514d94ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
21e08dbb2a37a6122606b48460ad979e

SHA1
ad68337130542dcc4f6884ef962aef9fb9131dde

SHA256
d9870f147bd104f4ad3941650a024cdfc477a53bf1266973eebc11ce60c662e1

SHA512
edef52cfac8e82ed8d9211752479410550c5e87ff60cbc340395950b0856c42d055834a301fa90d21b5098e7666910e01f6c2ea5bee3bad52f036f611d554c00

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
88aa78e6bdaa95948008de2e4210f854

SHA1
1c9accb7b040e6d27902581568d7bd3f6b83e1e5

SHA256
8f9bdd556dd714bf4afbf215198ca590697bb466989142acf3cae325d17fd1a7

SHA512
cd28a64a2757cfb3ca1a55ded03f9505eb8fcf1901f83991b7c0b51807ce5acf59cafa28a7f23577a833cd77cc1f1a4aa67f9dee93e6fa7a97170bf125b6e031

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1024KB

MD5
854fadf9e89d93e006283204e4e8b345

SHA1
c27c5f34a8ef1dce08b300198b91b675659d085e

SHA256
fe914f20af80a3e90d5910fb882f46a38cd598978fe59137079f36fd5905718e

SHA512
0cb242be96e8981a07d49767ccf99e9eaa95e14491807868e83298c314a9eee869d52596a3efb40facd851be2337419c34d350c24e14d70257c0533cc78b647d

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
5a4df766721edbca6f83d4c20e92d7c0

SHA1
dd834be3f83d263f12b10e1bfe7d1a8fff6611c1

SHA256
71542dc3fffb0cd93f87d61b4159dbce40aabf6ed009ea3cf4469bdee1020774

SHA512
6c536f50ba45c92d4d23a570d74ebba0c45562210ce25b14967fa135a1ec90b9c03d9e46208433b8ca650370f59e69ed5382a4f93716a83801610be2b73115d7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
25540be19f476ced8d2beea960e616d5

SHA1
d913f1262deb82202455fd8d8906f98eb515d525

SHA256
f73a9ab24de73d91992340a1cc06e899b4e9805b9079ef20909747e8f024bc70

SHA512
19f1df018d34b0adb209c61ec05335b4f63d174e6a808783f68a9838ce089759e796f874d719767470d2762f5eefc6427e9637fead670ac4b64680907b430353

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
3b58f8fdab3a236b6a24f48ceea5e73c

SHA1
04a21e28ce7ae97216957b45dc1dc91ad714d13a

SHA256
bd53ce6b7db7184fd56228fb095e627493fc1a96cf0b7ee673eac42a540af4b9

SHA512
bf5918d6b3dd64a6fc8d52f7d43982f8850c0120a9e5a3f0fe3d59bf9c476093a2da1c15ba7b1dbba99b9def498ca769a6d7a6859cb723e01ccf4840759bb45c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
c32fe3e13d87cd88a8a350eda433257b

SHA1
7c6a6204794334bb77863a7c1ab10c489deb1afd

SHA256
d19e930c3d577c613ed091af05b93b90a1e1401372feb0e4feaff1d35ddb0ab1

SHA512
2b2538bb8784ff0849c7e264fa2cbd0d75751be6e92975f988a1fc904855e7ec3e4028ac79ac406721b02779a72063e60635af75687782b63792e8a0d69f1835

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
a92a16d3cb83771020c86e40db767865

SHA1
058a9df481041f8ee312231262ca1a9165f2b6c6

SHA256
52821608d28350d461cd973984bba68361107acd69b23b52b5aee8b22d8ec3b6

SHA512
d33979676af5f964460888857ac347b1f7a902fa1d0bdecc9ddadb302b4f774b6febc3fe0081712d6c065969400fdfecf65d1b7d9c197c4dbcac3c7173023f19

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
71f00f14a60c47be1cff7ce1b8a2aa53

SHA1
2732f48274281f66389f08a3fa254103c7bc6dac

SHA256
cf981ca1d41141db54923d9480c2c0e2455a8ede96713ce80a438088baf82f50

SHA512
eeeca34808d42ac55ec24430c2964b9473a05721e49d3d3109aa8c7b818490f7443b3319685af007147bfb268ea68fa8a136d90d52edb86f8913aca67af41fc8

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5ee547de584a1fca82de922a3c24584d

SHA1
8dc42f108bea01d9e0bd50cb5114942b39cabf09

SHA256
0b75ae25932d4972e9a647a4c4096d9a6229bf477ad1eb094c951a060615bd03

SHA512
44898b00c684ec2ad87ce9a71ece4d9ccc5206f7dd3f18b0892dd8b0d2764162e70c4f5bfad15d5ef4fb535153f7d7b74bf287658ddf2be96c55b94d9f6eb296

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
704KB

MD5
32d08c90f2b5db53aad9bfcf491bc142

SHA1
89e6aef2f98b61930173930861f9a600e78a428f

SHA256
0a76372b201c0bda5dcbad940b20489657c884c2068d21a82b9fbce776316dd1

SHA512
68a119505f3b527ced006849783cf788113e2e2b0ca91b26c9606db7dbf1dd79563866132e320500d55de73f0b184f877e5c63aff101cd28f24c941313350875

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
60b3b640fb7a7162cdd8775296eef939

SHA1
6f7954e229a5e73c965f00e19c7ffb4d310c1776

SHA256
4bef70607314d8372cbae678c24590e5d11d03660e020a8715408bd840101efa

SHA512
e49ec11daac9c286b49cbbb07120f05336eb633b1502e48186e0ee05ac61489b5de652a2edbb011a15dc0da72c22580ffd8a34ca82260634a81f5e098426b564

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
29150df6a5c0f20dcb38e036c3958a5a

SHA1
1312c37ade4710f41af68b46bed8aa714251c6c6

SHA256
69f8d4f7e0004480a266b6ecf296192e0c7a6e7e23c4784a50d8edb3f73dd9f5

SHA512
ace24f825bc8a0ac4c86b1a5a17b3a7212b6b6fdc9df3f076d91ccc86a1555ad16f7bec6a84e022df0a37051b4812655afab4ea17493a010933d2aa3db29b4de

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
69d5c423bf5db1ec27406760e0d540a2

SHA1
9b6bfcc403e77f1c71cd239bb36360d6e4c32aed

SHA256
21a7fce498f51ba9aa2ce4ec608d7e761a75b9baee91cd14c143748cf5451a64

SHA512
fa77aad274663f617c1023af4f87b3180d4610ea31d258f0e5f8b5ebf3fb4d36debe597853b98ffdee57fbc1fed89951d5e8c5618bb85158c9af7fb4c2ac629d

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
3fe577ba7fcb168c86b43eb03b1795b9

SHA1
e39e39271bc993df48e22654a85ae56e593e6112

SHA256
65d76f5dd7ab4df18437a4d128d3a4bea880bd25ef315a2c687c5a834d852956

SHA512
159c2df91b6c30654f8cc5e4c7f614f22aec7806417543873c8a87ab6a60fd87e90c49cd42e843c9d359ad3f553f0727112da71cb0b1fcf67da4e6713a662254

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
9120cc6d31b8383d1af0cb2d3f39ddcf

SHA1
2b6b70221c6f653ad61722f09da2e5feb9fff1be

SHA256
07e59057be3a7b7a349d268a714ade938e0daa210793133ea02b51f3fe939024

SHA512
6fcc423f89277152dba732aca431d6291b6b3c8c262ddb6d4e0c4a4ab2687e88267e154e148aa583c98103176ca0ed09114d5477170ee6dc231ece95f19a1052

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
8e9df32a293da5869f0a3d1822be41e6

SHA1
7b2814ce3926d10463d50ffdab23ce707e8be3b3

SHA256
c9093e729b3156ba679ecdc0bc6565832cc93c4c1f8a3cc27b254561e6a32578

SHA512
b10024b218434fdba6eebda47217af0ff9b540794631707a49689fb57b206e89ef57171754e74c1bdf5d4a924e2a9992ad3670be089d8843d0209ec47b82b78a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
1806706637914a1db2a66ea16ef34d6c

SHA1
5838835fa1fc6a1ff7949d0e2a3544690abab734

SHA256
eca6d1760c84f58487656a85d644ecfbc12e37b09d8bff04b934e04d128d34e4

SHA512
d5763ccdda4cbcb4c901b318be5cd4167460e3ee896fc6c7e4a7db18688d9e79aaa43d15c1eb3fcb9e5233031ac0647e039e9e440735fc036634acb8b9a90f29

Download Submit
memory/392-56-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/392-57-0x0000000000A40000-0x0000000000AA6000-memory.dmp

Filesize
408KB

Download
memory/392-62-0x0000000000A40000-0x0000000000AA6000-memory.dmp

Filesize
408KB

Download
memory/392-127-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/392-63-0x0000000000A40000-0x0000000000AA6000-memory.dmp

Filesize
408KB

Download
memory/656-116-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/656-115-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/656-122-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/656-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/680-168-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/680-163-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/680-278-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/824-78-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/856-128-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/856-135-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/856-130-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/856-268-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1428-285-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1700-387-0x00000000729E0000-0x00000000730CE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-381-0x0000000000A60000-0x0000000000AC6000-memory.dmp

Filesize
408KB

Download
memory/1700-407-0x00000000729E0000-0x00000000730CE000-memory.dmp

Filesize
6.9MB

Download
memory/1948-166-0x000007FEF42A0000-0x000007FEF4C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-150-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1948-148-0x000007FEF42A0000-0x000007FEF4C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-284-0x000007FEF42A0000-0x000007FEF4C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-280-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1948-374-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1948-273-0x000007FEF42A0000-0x000007FEF4C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-390-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1948-233-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1948-406-0x000007FEF42A0000-0x000007FEF4C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-85-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2012-84-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2012-91-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2012-96-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2012-97-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2012-106-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2012-180-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-331-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2024-322-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2028-244-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2028-376-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2028-234-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2292-14-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2292-92-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2292-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2292-21-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2432-7-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2432-1-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2432-75-0x0000000000400000-0x0000000000942000-memory.dmp

Filesize
5.3MB

Download
memory/2432-0-0x0000000000400000-0x0000000000942000-memory.dmp

Filesize
5.3MB

Download
memory/2500-250-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2500-185-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2500-251-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2500-229-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2596-265-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2596-386-0x00000000729E0000-0x00000000730CE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-385-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2596-321-0x00000000729E0000-0x00000000730CE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-282-0x0000000000A50000-0x0000000000AB6000-memory.dmp

Filesize
408KB

Download
memory/2648-388-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2648-259-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2648-389-0x0000000000380000-0x0000000000432000-memory.dmp

Filesize
712KB

Download
memory/2648-281-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2648-261-0x0000000000380000-0x0000000000432000-memory.dmp

Filesize
712KB

Download
memory/2664-47-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2664-74-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2828-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2828-104-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2968-101-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2968-109-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2968-110-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2968-100-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2968-227-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2976-69-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2976-37-0x00000000003E0000-0x0000000000446000-memory.dmp

Filesize
408KB

Download
memory/2976-31-0x00000000003E0000-0x0000000000446000-memory.dmp

Filesize
408KB

Download
memory/2976-30-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3028-402-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download