c1456c256429d9dbc183dbb018fa5d8981aaa7d689ada57138a5a82c421f00ef

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 08:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Size

15.8MB
MD5

07c3aa2caec7832224142e24778e0dae
SHA1

d3a42ebbc777c76539c9d24a66942af5e56cc430
SHA256

c1456c256429d9dbc183dbb018fa5d8981aaa7d689ada57138a5a82c421f00ef
SHA512

d0c884894fe222fcdd1681f8cab084e66f1cf04d25a834dee21f7b50c37329c007e5913fb94d5f882dae32fe2b727cbb1aea46859a54f712507eb91a1d9c827e
SSDEEP

196608:lRPRRkAjgpoBMrvZvOHqCflRGRR7+wAupKReCdhjuASHSRD9mCrBrqNL2j16knzh:llRqp+rlREdIgASKD9VBrqNNkz38q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2956	alg.exe
2792	aspnet_state.exe
2720	mscorsvw.exe
2436	mscorsvw.exe
2884	mscorsvw.exe
2164	mscorsvw.exe
1588	ehRecvr.exe
2160	ehsched.exe
668	elevation_service.exe
2932	IEEtwCollector.exe
2088	GROOVE.EXE
1012	maintenanceservice.exe
1756	msdtc.exe
1672	msiexec.exe
2832	OSE.EXE
2144	mscorsvw.exe
2312	OSPPSVC.EXE
2420	perfhost.exe
2620	locator.exe
1768	snmptrap.exe
2864	vds.exe
1624	vssvc.exe
1836	SodaPDFDesktop14_14.0.241.2517.exe
852	mscorsvw.exe
1228	mscorsvw.exe
292	mscorsvw.exe
1256	mscorsvw.exe
1556	mscorsvw.exe
1832	mscorsvw.exe
3020	mscorsvw.exe
1748	mscorsvw.exe
1816	mscorsvw.exe
968	mscorsvw.exe
2168	mscorsvw.exe
296	mscorsvw.exe
2124	mscorsvw.exe
2888	mscorsvw.exe
1032	mscorsvw.exe
924	mscorsvw.exe
1016	mscorsvw.exe
632	mscorsvw.exe
784	mscorsvw.exe
1424	mscorsvw.exe
1464	mscorsvw.exe
1136	mscorsvw.exe
2016	mscorsvw.exe
888	mscorsvw.exe
1164	wbengine.exe
2584	WmiApSrv.exe
2544	wmpnetwk.exe
1888	SearchIndexer.exe
2280	mscorsvw.exe
380	mscorsvw.exe
1336	mscorsvw.exe
324	mscorsvw.exe
632	mscorsvw.exe
1436	mscorsvw.exe
1232	mscorsvw.exe
588	mscorsvw.exe
384	mscorsvw.exe
1536	mscorsvw.exe
2520	mscorsvw.exe
2152	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1672	msiexec.exe
480	Process not Found
480	Process not Found
1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
480	Process not Found
480	Process not Found
480	Process not Found
772	Process not Found
632	mscorsvw.exe
632	mscorsvw.exe
1232	mscorsvw.exe
1232	mscorsvw.exe
384	mscorsvw.exe
384	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
2652	mscorsvw.exe
2652	mscorsvw.exe
1380	mscorsvw.exe
1380	mscorsvw.exe
1844	mscorsvw.exe
1844	mscorsvw.exe
1236	mscorsvw.exe
1236	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
2248	mscorsvw.exe
2248	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
632	mscorsvw.exe
632	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
792	mscorsvw.exe
792	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
448	mscorsvw.exe
448	mscorsvw.exe
2644	mscorsvw.exe
2644	mscorsvw.exe
692	mscorsvw.exe
692	mscorsvw.exe
324	mscorsvw.exe
324	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d94b1306bfe435d8.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	GROOVE.EXE
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	GROOVE.EXE
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB960.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP979E.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8A84.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	GROOVE.EXE
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9AE8.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	GROOVE.EXE
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39B6.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8F83.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	GROOVE.EXE
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC4E5.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F0511EFA-F6D9-4095-B088-7EE28B62F541}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010315df36865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000907095fb6865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14_14.0.241.2517.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14_14.0.241.2517.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14_14.0.241.2517.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	SodaPDFDesktop14_14.0.241.2517.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	SodaPDFDesktop14_14.0.241.2517.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
868	ehRec.exe
1836	SodaPDFDesktop14_14.0.241.2517.exe
1836	SodaPDFDesktop14_14.0.241.2517.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
2088	GROOVE.EXE
2088	GROOVE.EXE
2088	GROOVE.EXE
2088	GROOVE.EXE
2088	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: 33	688	EhTray.exe
Token: SeIncBasePriorityPrivilege	688	EhTray.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeSecurityPrivilege	1672	msiexec.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeDebugPrivilege	868	ehRec.exe
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: 33	688	EhTray.exe
Token: SeIncBasePriorityPrivilege	688	EhTray.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeDebugPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	668	elevation_service.exe
Token: SeBackupPrivilege	1164	wbengine.exe
Token: SeRestorePrivilege	1164	wbengine.exe
Token: SeSecurityPrivilege	1164	wbengine.exe
Token: SeDebugPrivilege	668	elevation_service.exe
Token: 33	2544	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2544	wmpnetwk.exe
Token: SeManageVolumePrivilege	1888	SearchIndexer.exe
Token: 33	1888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1888	SearchIndexer.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2164	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
688	EhTray.exe
688	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
688	EhTray.exe
688	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1836	SodaPDFDesktop14_14.0.241.2517.exe
1836	SodaPDFDesktop14_14.0.241.2517.exe
1836	SodaPDFDesktop14_14.0.241.2517.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe
600	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2144	2164	mscorsvw.exe	46
PID 2164 wrote to memory of 2144	2164	mscorsvw.exe	46
PID 2164 wrote to memory of 2144	2164	mscorsvw.exe	46
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 1732 wrote to memory of 1836	1732	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	53
PID 2164 wrote to memory of 852	2164	mscorsvw.exe	55
PID 2164 wrote to memory of 852	2164	mscorsvw.exe	55
PID 2164 wrote to memory of 852	2164	mscorsvw.exe	55
PID 2884 wrote to memory of 1228	2884	mscorsvw.exe	56
PID 2884 wrote to memory of 1228	2884	mscorsvw.exe	56
PID 2884 wrote to memory of 1228	2884	mscorsvw.exe	56
PID 2884 wrote to memory of 1228	2884	mscorsvw.exe	56
PID 2884 wrote to memory of 292	2884	mscorsvw.exe	57
PID 2884 wrote to memory of 292	2884	mscorsvw.exe	57
PID 2884 wrote to memory of 292	2884	mscorsvw.exe	57
PID 2884 wrote to memory of 292	2884	mscorsvw.exe	57
PID 2884 wrote to memory of 1256	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1256	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1256	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1256	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1556	2884	mscorsvw.exe	60
PID 2884 wrote to memory of 1556	2884	mscorsvw.exe	60
PID 2884 wrote to memory of 1556	2884	mscorsvw.exe	60
PID 2884 wrote to memory of 1556	2884	mscorsvw.exe	60
PID 2884 wrote to memory of 1832	2884	mscorsvw.exe	61
PID 2884 wrote to memory of 1832	2884	mscorsvw.exe	61
PID 2884 wrote to memory of 1832	2884	mscorsvw.exe	61
PID 2884 wrote to memory of 1832	2884	mscorsvw.exe	61
PID 2884 wrote to memory of 3020	2884	mscorsvw.exe	62
PID 2884 wrote to memory of 3020	2884	mscorsvw.exe	62
PID 2884 wrote to memory of 3020	2884	mscorsvw.exe	62
PID 2884 wrote to memory of 3020	2884	mscorsvw.exe	62
PID 2884 wrote to memory of 1748	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1748	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1748	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1748	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1816	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 1816	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 1816	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 1816	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 968	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 968	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 968	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 968	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 2168	2884	mscorsvw.exe	66
PID 2884 wrote to memory of 2168	2884	mscorsvw.exe	66
PID 2884 wrote to memory of 2168	2884	mscorsvw.exe	66
PID 2884 wrote to memory of 2168	2884	mscorsvw.exe	66
PID 2884 wrote to memory of 296	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 296	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 296	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 296	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 2124	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2124	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2124	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2124	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2888	2884	mscorsvw.exe	69
PID 2884 wrote to memory of 2888	2884	mscorsvw.exe	69
PID 2884 wrote to memory of 2888	2884	mscorsvw.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\5b7ca2cd-7792-4166-8191-b625fa39bd66\SodaPDFDesktop14_14.0.241.2517.exe
  C:\Users\Admin\AppData\Local\Temp\5b7ca2cd-7792-4166-8191-b625fa39bd66\SodaPDFDesktop14_14.0.241.2517.exe /update=start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 2cc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d4 -NGENProcess 2d0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 248 -NGENProcess 2d0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 254 -NGENProcess 2c4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2bc -NGENProcess 2d4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d4 -NGENProcess 2b8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2d4 -NGENProcess 2b8 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 334 -NGENProcess 2b8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 2d4 -NGENProcess 350 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 354 -NGENProcess 2b8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 360 -NGENProcess 338 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 36c -NGENProcess 330 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 354 -NGENProcess 374 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 364 -NGENProcess 330 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 364 -NGENProcess 330 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 380 -NGENProcess 2d4 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 254 -NGENProcess 388 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 358 -NGENProcess 2d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 390 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 158 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 158 -NGENProcess 15c -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 19c -NGENProcess 17c -Pipe 148 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 1f8 -NGENProcess 1e8 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1a0 -NGENProcess 200 -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d0 -NGENProcess 204 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1e8 -NGENProcess 208 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 208 -NGENProcess 200 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1d0 -NGENProcess 214 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 1e8 -NGENProcess 218 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 20c -NGENProcess 214 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 214 -NGENProcess 17c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 224 -NGENProcess 218 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 20c -NGENProcess 22c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 154 -NGENProcess 218 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 234 -NGENProcess 154 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 204 -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 20c -NGENProcess 228 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 23c -NGENProcess 238 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 244 -NGENProcess 23c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e8 -NGENProcess 230 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 154 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 24c -NGENProcess 230 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 17c -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 228 -NGENProcess 258 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 25c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 230 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 274 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 228 -NGENProcess 27c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 228 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 1e8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 228 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 288 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 17c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 18c -NGENProcess 294 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 18c -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 18c -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 29c -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 290 -NGENProcess 18c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 18c -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 18c -NGENProcess 290 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1e8 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 1e8 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1728

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1588

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2832

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
3a8514ed9e33cfae63c388857f834b09

SHA1
e2cfa0962dd925f5af87fa10326c4d5d04ddfbe7

SHA256
9283a97e8cdc60625c1db9aa7c51ee41d01ee03229fe17b30edbb220313c41a0

SHA512
40e07fa9d436e04c47c046215249d5ca1a38138d771bd2604255c4ccaafd28a3c981df5a43a95442a1b3fef5e1c98a7e5833b2359de4a6373d82756ac908597b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.9MB

MD5
309e4b45fee3f379696c7b5af7ad158a

SHA1
e581363ab5f23d604f00e3cb760da7188ccd6f65

SHA256
eec33ac867225568bf498b2145c0e4702531516cbe0f520ce5df50b138a61ab6

SHA512
e60ebb45bbba99bd3266f6047d908ea3b64ace1b4bf82b8fb91c88fb997d7c3836684a64d6b704fb83cbc308455682a49f78dffcfe71fb99f0e9125bd114029f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b018175538671f3be1cfa94249c2cb0a

SHA1
e224a40713e621a66362ea4bcbfbe8ccdf8ad5c9

SHA256
fdbe4b31ecfa4ca07df5c985a955acc4b6451f0f6a27b529ad53a1208a9613b9

SHA512
ab414357ddc54ce942f6b3ddbcbdb3f84f1580e17eaea13d1eb6244ca9d223befb6da8a2e78cc2af7d4ad4a5b93ba70c40f7d450952903fff3ffac27fd7b47af

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e8dd6becbea98614807ff2b83b5f88cb

SHA1
315ca6bcbade47a4fcb3fb25f029ae3017cf89c5

SHA256
2e68543231922ca28e20ae13ef1179a37c296cb9e0287d14413afa1dd1cb9c4b

SHA512
f7710d4b4ebb03874331fbc3369827aa55f4d0ab3ad913d7138d68550b3a278f79e778f01a752864bc20c9369ff9cc2fe1094ddf24e0fae68883c2f0bcf78332

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4a4e294a8355b680257c87bc70b55bdd

SHA1
606895a6715ab91700816c9339ee1e85726fb485

SHA256
546b36d73ad5dc46c1dab65af56cd3ace44ee64a282219f1497e17cc0d1ec2da

SHA512
466831454fdc7670f570283eeffbf13847413a82d8d01a81132ed42a04212b6da0e7abd5840ac24f132bf257c4a6d282a4fac87d2d6ed9f96ee0cd14a49372f8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
86f9ea1f543ed9ad5c957988a75bfca9

SHA1
cf70699e5d2d14385b9e194ed8e4d97ae9fae718

SHA256
fc48be2f19f2a58f4628ceed62e509aa14a84cfef15a9f3170e85202c9f96001

SHA512
24066285e1fa84bf59b0a4a6757660c102451a525edf057c28415f43f7abec2fde2b30346a661e19fdc4f83468c85ee43db80a196b2ed452b58e259f53984b94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c72660f6e7ce9103ea02f54c13dc2d19

SHA1
edb93076d708370a68dde1d2eeaddb22a8cd0cc6

SHA256
224a9d5d37d0b54963ce24e47609facff96e9f79ac644941371292970f0cf035

SHA512
028ad4af1ce6ad9c468b3ea1d9c5148c0c904fc11e4c3d878ddb43ba805988b4ef2827c0999da7a06ce08bb244e55366be68e7a2253a83ae3a4caae8f8a4b40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
8e20c55e506558389cf91fd388c5bc2d

SHA1
d4d8d1f226135ef7ef3d6ca2c9b689536466a471

SHA256
7c8e99685f39833cf6677ad318eff5ac92d611369c3225723da3c27eab63474a

SHA512
fcbc08ca16abb17ef032d31a5a00f3afdd8c1d8f92d2cba321ffd5c3223acc1fc153a5e56991966ddda1412fc04e12f0f658c8d4b88c45c5999d02d92a569693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
472fdbf90cb1e49badb510dde2d38faf

SHA1
434ade7bb4bcb7a12d2da86b589f12c6757766ac

SHA256
1de05832d436610462b2f601a0e543d251e1bd4c3ada24b3f0b4c4cc174c561a

SHA512
b479433f4fb0499d1fb4d64280b820ba3b59e39e721121c59145b23f398dc942c5ae49aec077919bc13a56d1b13487ee40681a7d79bd8f27589bbba76cf940c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b7ca2cd-7792-4166-8191-b625fa39bd66\SodaPDFDesktop14_14.0.241.2517.exe

Filesize
3.6MB

MD5
c595036ef9abe42394c72cf3ba7c6da1

SHA1
7a3ed90e8ba16eef2d65e42226219e919970c40f

SHA256
4b4481a9830b809a5dd767c20b86157c86803395ea8028dbfcc910ccb4255842

SHA512
fd149d8b016624f4322ff7aed629a63b9b1e9f1f88e368ca6146dfbea0ff8fa24fbd045aa21c5aec8228885f9562c6a59a9614dbac60bb8d04a856fd3bede523

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b7ca2cd-7792-4166-8191-b625fa39bd66\SodaPDFDesktop14_14.0.241.2517.exe

Filesize
768KB

MD5
4dbf4179eb4a9bb40d3de513148058d4

SHA1
eacc8647a5a9e7ed6f596ad3f94e726635dc58a7

SHA256
f399d25f37e7a9d47d10014a9e74482ee86ae348e56dcbd532b802ce539eabd4

SHA512
4a28cdd542d2b2ece597f127c1fda7c1152aa794c30ffec884bfd5f2066678c4d38351adf2134bc8494779680191b027813174b5b1b868872724c31507bf6b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1641.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar16EF.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\d94b1306bfe435d8.bin

Filesize
12KB

MD5
1cbf278f9282b3632ec40b23d1be1a39

SHA1
249999e61cb41a897750ddbf30c7de9f4d1cab9c

SHA256
548f89d670ceb622648922a7b5523e6ec4f1f2d8b7459abbc388136c3be82103

SHA512
57a4446d03e04e59b6c1a8dba195605a4abfd844d6da10e0ebfc26c73a9652b004fbf26a9378481064d0e5476d446bbc3f4dc48d6c4a34470eadcafee79aed74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e7bc000d79eadca2c3e6be9c38bc650b

SHA1
033a0647d5b8648f1db0f0bcffb9934e485761f1

SHA256
79d55a5c8c0b90c2737ebbe7e59096a6bd0c53c08373b79f28440a6399d6ca92

SHA512
f81c9afe1f2a12a84a548e2778f20504cd2b446f1eaf539fdb66f70bd25f3d7908d15dfd773f3fa0c922692fb07335a1cc68425d3273ffbb39811f1a460b56a9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
e45a5978e6e340be40208cf5f27a37ca

SHA1
fa82c0fddad00dbce3b221f45541a41e25d478f7

SHA256
06bc1808ea826236b7ba64ad6ca3ba6f88a15e811e6386e7450efc59a9d4b189

SHA512
6e8f14c4b6d30b95f2647ffe8e2a67ab1600bbf40191cdba30d7a1a1f6934424084e48146882b21e34387b6347a3812e345b8be2c0dbe84a70b04d5856197a23

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
ab63a7b718c49e007e320ffb0a11b0dd

SHA1
eb0ea59aa29a162933ba2015872bf2c5c993dc4f

SHA256
aebd613c16d0d7e413265f526793d96d8e67f821f25b3c56840733164753e1d8

SHA512
28203cfc239e27e2c20161f28fd45d458b0cccd78175e235f14158271b5a233128252869460dfe050f9bbe3aa0ba8fd379ad8e93ea3c5cd19d8e0339a6a88ba0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
599426fc5a39c924580f8526d5a632ea

SHA1
b022b33fee9fbfe515e8c14f4c76085bbe591364

SHA256
e7a46cf1201fbdfee9e7ea9ce71c42aec104975cef074e976cc17933d73a5a0f

SHA512
1fcdc1093ad64bb523475c84b26f7e4f2f09581c8e9a1855c7494f2e62974b6b53e327580f4643dc394cc4120e346c30d152eb2d5094427e33f5b2aa080d1724

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4e9fee4b9cc61147399725e20c2c9794

SHA1
ed17114be69494b1a0fc0db3cb78bd6691f3cfb4

SHA256
0b1bebd75a14cff0d3d6ecfa4c69ef7e9f56a62752c2d632eb6d280fad24bb8d

SHA512
3271b28de2d223693d7bf301f800ea377f7a727372867b36d4b0af37dada5c97620df973fb048159b93f8db3e31e11b27e883960d29aaddb9f5a6afb8a6428b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6d7547b4252c69063bc2484aa1bdd82b

SHA1
2f6d8d3b697ad7319a028838f8b3186789c545e0

SHA256
457013c9298fc46b00dcd63d54bc653b3b51e1e8a4667fc6872d0d8e002a99ce

SHA512
b32c9953084621e2cd06b186c07bca23ba80d6cbe7e2e9012737e44d8d29f4dc94d6d171161f82180f2ac32bfdd1d636cf76b36ccdcf4f95023527696e063262

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8d03debdc2280cc6af3936328a9f3228

SHA1
2686b0c4c14a1061d103403406cd77110e82253e

SHA256
909ade610db318569c1bc8b821b495fface963b525a7a5bebda9abf75ea84571

SHA512
e74211911fb9e685cc8d854631f1b75027420dc483e5d8ecb9bcf4d448388c94c2eb28d7438af0b792b8b94ffbf8659ebcee376e9a489b4bb53fd629a6ca0a24

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
894d32496064502168465724b4dca998

SHA1
52d56b3f5339c705bd06ec407d628d947c38c895

SHA256
0ab7af6fb6e1d8e7e1399693a4d097171091ea8276e086e6516792847189f2f7

SHA512
c91e47e9f7d6f99e8694980c7b7340d80046b7c12a09584b4b3c6859a93ff99c892dbc01728b8f7d559b0841afbd98c249e48fe315422df1318ffd2b45ff1e0c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
768KB

MD5
986cade0450d2ae0dbd25ec612f3e0fd

SHA1
ea8001d48d017edcd382c9817128d3de88dea26f

SHA256
e9d860e9b606ccb7034b8bd6f6453ca155f52b1e8454914cff4af9955f29af1f

SHA512
5f32b5683da49fee8639de544c6c8694b3d615acb7fe0f414ac80092731a59b54848b33a32534e9c2f2fab1990f405dd89281082207aadd35c385539cc844865

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d94b1306bfe435d8.bin

Filesize
12KB

MD5
2c5ea45c0cee7539e8cfdf68197a084f

SHA1
8133c2830e72be3074ef70ee72cf1443e7dd1267

SHA256
206bbec56ca49332bae7a71ae64ac8eaa572ab05180d1fe13701254a4262e5cc

SHA512
0937ce7b978f826ebac9a2f2d39bd81f3900752ac6f660505bfb6132d7d1568c67abd2a3887d0e8811be5e163804737dc63802ade834ef5f06e8c8bea8673d11

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9322b980f0afaad9aa9dea4c11c1daec

SHA1
bbd44a55e00e2cc0eaa38e8d66c9dc496c3cc013

SHA256
bd71cb566e95d0e4012a9c88fe2dd550e74d5df0461321f36bcea998ce9e3b58

SHA512
a7bafddce7fca3140f6157327b4624e63abfd0883a201c4b6eb0cf6d52f34e791a0f2a3fb958fe075365c01fa6e68e5b4ac177825d634e2e0c71c911bc11fc9b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
b59e465c2633303f5624d2ad3e4534a2

SHA1
5bc8e0d504e3ac0c258bed5a8f1b989cb7f4903b

SHA256
cffeb1e3416a4fbf2b409432479865ee7d35361fac56344053455c32d323a4e7

SHA512
6cca35763e07c879096500fe0eaddb292e369d4014d99d1012942643ca956b683540b72dcd2066e6cef4647b45560e2281565e708160cef8db33f9e1ed11a624

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
00504a4bb4e539b8110d12d7c6f41045

SHA1
78dc1e73ac50fcf26ea049caf4fba24a568f6348

SHA256
da01701fb49c219ff5b5231a9ec01fa840cb3674e3cc8f840352e874b767c5a9

SHA512
62f7efb95d039193ac3555143559e4ed11619ba0cb2b8c430de0cd76accfe447fab064d045937b781fff91ddfffcfb8a9c70aaeaf52f55db13f98cb4e29b1ed9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3485ae6440446fd703acbbafd4279f48

SHA1
6c641e6801c90f3762cc88f3a55f51caf5fedb3e

SHA256
f8cbb9d072b6d2a829b971e692318850b9b94e1ec2946b6afb189a86e80a30b2

SHA512
22d8e7b74d05fc840ae655d3c1e2f889fa1c92335abbf84b140a94c4e00e39d52ef72de5baffeb6780bf181528b6a24f23232b0538303eb67c1b4c857957fb6e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
d731d2e217346579fbbff6eac3bf943d

SHA1
aa898f261dfc76e1455479c9a32b40e54e9f823e

SHA256
90c9e7585d95f9c385e2e4f39d34b8f392b15be009c1ca848919b49ebe978dea

SHA512
f2926cd3b4de4586c84511896fdc3e5e01e1edaf0eb8beea24aada92a48472d5edf08b3b5dc40393dd64602f156b64a4d2cf9caad76fdd750b5fc0fd93bb3e9c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\90283c8aa1da5ddffba96cbea568828a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
79cabb09917a390ed11ac82c5b7b7b1c

SHA1
f5c86fa54bb17ebf1732b75bf6153ffb69b4e324

SHA256
fbd84bdf62469ce1bb7b51c971e8f2e48604e3b4a97c252e844f0f57a6165c53

SHA512
fa49d77068a8f528596423560e7e29a8844fbc8519557f8e984920f8ddab1e6b186c18dd452bc0c3982dbb7004c52d5760b95680ed1bbf4b27185699f2f75345

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\92491bcf2aae97bbfb72c17f5f539f2c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
5fbd890677395b8b2f42d99a0e9b3a38

SHA1
8345d88556f41f1a1a36d78cab93fedbad321222

SHA256
11aad99c896939c5a977b1809ed7bfa253c35e62d02c6e013274b4047fb80e78

SHA512
9f57ba300696ed7faeaf27be00c6ac15420a01c60803b0a4f36ef697583444fe9aa629e9beb33a4e4ec66c36527e0bd4e4827df6b83510843921fb29f20fca41

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\aa427c7ddb299aec00aab752ca1b7179\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
b61f08af842cd9d4d74b5e897356df42

SHA1
031c9a8f3fbd9daa35b418e7a79b09ac4316bcb7

SHA256
49e3830d88999bfe30169e8dbeb60f431cc49ba612198869b60c57d800c77966

SHA512
880368e3c42c79fb5408b72bba9454d4a29e2a94f02fe996412d9a9dd2649432a25d6984fd8a98a31438d0f73b62e80cfa353b0dd07cca7faf01ea6018e31ec6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cfda1a7ee3985c246f34b33d5d810d7d\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
58ca27ae609ec8c745e39863ea386692

SHA1
14e8429888dc85ca9a3ff688b5f7daccfaafc744

SHA256
c8688d67daed2aaea0a4e1e31a1ffa73bbc7ea2ca517ddfff93ef53b7b514a0d

SHA512
4e033ca64f7777cc2923120d8f7e7ea0e332152daac428526be41503d4da587e4ff1b80d285d1a0372400ffe15dea4471ea7e474969bdea2a3dfd91c62c9779b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
be697b3084fe84b4f71b35a54173052c

SHA1
7a42514644e15b5d95e34e2cdcf197f55ae353e9

SHA256
ef80c72cbd1b3f1cb9b744e8e5fd32dc856bcca64168dc5f41be1688dbbf7cc0

SHA512
d90056a37e885a8af1660e90e9fe175b444c819b1cb068904444cab4cd9cbf4047ef2aa7d9aa26401926d396df914715290fa1d79bc71968313fa57e58d37fef

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
3c97172333ab82d3c4285d46c32375d3

SHA1
343d260954a1c5bf9eb38df702cc63594d2b39cd

SHA256
f5ee3ea29b5740ff35b9c144084c5acb6fca54644a5bfd324909ea96af30d30e

SHA512
d4d26a04cf7ed4bb258e5c5843fbff12fc2e1e62608340cf1f69210f098abab70f51491a5fd30e6d5addcdc1d37e063676805a73d39539d2e99bafd9104fa71a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f5298a81c06faa994892f57817a640be

SHA1
28848fd2c454e25a77bfa1f066f3d6b333c01a1b

SHA256
355f7741493be17a431f8c9c2725114554b2cdf3ba0c9f2f4e78e7cd9c296d5d

SHA512
9e6782e5c8dde2fb9e242e8cc6f08e1562126465cd7123f721d0109c8ce5fa4f199f39b220f08b8a9ed8f5421cc6be8f7aeccbb263f6977d9471f56c1ea99d11

Download Submit
\Users\Admin\AppData\Local\Temp\5b7ca2cd-7792-4166-8191-b625fa39bd66\SodaPDFDesktop14_14.0.241.2517.exe

Filesize
6.1MB

MD5
921829386ccc68229b24d59ad0e4b21f

SHA1
b5aefa968046ecaaac30e2536ffe81e5849a1883

SHA256
bd27a98b4fe1e40fc658a49efe5650c920d576c8c8c0c37f2ae64e3e9e9d1eec

SHA512
65aac41ca27658db74f077511b150c90c096ae171a9c11e8178258ea28e6108cbb533fc16a315889083bb0304046eeb01f4b3f370bfecd1049a2863790324279

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6e242c4a3047e208a4feb6cfbdb26be5

SHA1
c8bfff24c45919be0cb72ca1af4dbcb9655d1efc

SHA256
ae7cb716d9e1bf9e10d89e6315421a43d0ac09b64e19546576efeb526d08120e

SHA512
12032a57e5978c9b5668d110e9145dff58c6a39ba4c2b345b6432681b8329082e861766ff122dd41fc65f54367e5d0cd6778324aa125ba289105aa0eb79ebcad

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b9310c2bda1459d3fbfec5b874bd445c

SHA1
f28b7df44aa27afca4f6ccef2f66fd405d8b612c

SHA256
7458137f3b81baea50d1c00e50a26c4ddc76249f8649b446b635fc579e4270fc

SHA512
c2b841a31c10b6d98eb751c4a8812f1582d4f965d750a61802deb353ff2addbe4477ff14c749d1eae35ee6e04449d10d7b3ba96fcef1cf79be8d855d72a3c4e4

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2068d7af2e252ce93a27418ab08cb740

SHA1
45a8bbeff62d06d8b15820c318a7e4d97583d683

SHA256
8c2e89992bb37fd57a23e6c7525ac72aa4a317c9f9c8a7385ebd002de029d843

SHA512
443edb3829d492df436c643977f33deffe2d5d16ba922e01dcf517a0c26300d349fcad38eef67dcf903afda5f47baf7c24a7ac775b03c11689ee5c72321c4367

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
643d4b5daef24d2c828dbc620fc9208c

SHA1
26e9e856d01443737c0659f75a39d5373e3d4011

SHA256
9b1d0223800467099b172396c845d91811866af1f7387143192f6b31175d6003

SHA512
aec246ed9ea0228d552b68dd87b8ed5edad6cf1394a7e895150ea9633d1cc797ae4a655c7b4c594fcf625cd23cc8c3790aa1804ed9513d403eaf52330b42147b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bc04ccb12c7269df109664bf4253ee12

SHA1
a4b19ffd8d86de3c54f6c2abec66bf4a675a82b6

SHA256
5e03dc9ff09ca147043da3f11b83870519654dc5ba8f1fd824f6459ed7bab6ee

SHA512
c28ea5a2f19c7eab37b1cf97bf4bba114f5e5ca1de43550620d32b4b3d588de20e1d203bca13d5d55ee0b72a2006fbe0b7aabcec8ea38538cf1083deb28b16db

Download Submit
memory/292-455-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/668-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/668-463-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/668-141-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/668-135-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/852-411-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/852-409-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/852-407-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/852-365-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/852-387-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/852-384-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/868-275-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/868-325-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/868-270-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/868-272-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/868-348-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/868-464-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/1012-170-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1012-169-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1012-163-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1012-157-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1228-434-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1228-419-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1228-442-0x0000000072480000-0x0000000072B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1228-457-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1228-459-0x0000000072480000-0x0000000072B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1588-133-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1588-259-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1588-122-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1588-80-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1588-452-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1588-83-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1588-74-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1624-333-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1672-287-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1672-293-0x0000000000580000-0x0000000000771000-memory.dmp

Filesize
1.9MB

Download
memory/1732-78-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/1732-7-0x0000000001630000-0x0000000001697000-memory.dmp

Filesize
412KB

Download
memory/1732-3-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/1732-0-0x0000000001630000-0x0000000001697000-memory.dmp

Filesize
412KB

Download
memory/1732-245-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/1756-284-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1768-330-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1836-336-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/1836-337-0x00000000013E0000-0x0000000001447000-memory.dmp

Filesize
412KB

Download
memory/2088-281-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2088-148-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2088-153-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2144-302-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2144-386-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2144-307-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2144-385-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2144-316-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-388-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-118-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2160-341-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2160-95-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2164-65-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2312-311-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2312-343-0x0000000073018000-0x000000007302D000-memory.dmp

Filesize
84KB

Download
memory/2420-322-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/2420-318-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2436-37-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2620-327-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2720-63-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2720-26-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2720-21-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2720-20-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2792-345-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2792-17-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2832-295-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2864-331-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2884-418-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2884-44-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/2884-45-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2884-51-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/2932-266-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2956-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2956-340-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download