Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 10:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe
Resource: win7-20240215-en
General

Target: 2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe
Size: 4.3MB
MD5: aabc1f5bb48f0cb1d7da970ccb117cd9
SHA1: 20e1d073765b950af0fbc952292f3c319a891732
SHA256: 2570f7d0acfd5f00738add4b4f569d3c9ff0471a1733eafcd84384ac8f271fc7
SHA512: c3169513858f2165ca88906fa63d0ba6bee6ea56e05aa7eafe80f68289def921c696ab2b653e6742ca107865600c321864c1fb69a54263501d6d9a87ce04e5dc
SSDEEP: 49152:BEPLpO1epHil0RFLu2CPy1zJiDIgZKUxT2hQgHF6c9OtZkRDYf5zaCpXxPuR6E92:sA0Hil0RI211zhgDx2hVoDw/z
Malware Config
(nothing listed)

Signatures

Executes dropped EXE (37 IoCs)
pid   Process
480   Process not Found
2572  alg.exe
2616  aspnet_state.exe
2512  mscorsvw.exe
2424  mscorsvw.exe
2960  mscorsvw.exe
2976  mscorsvw.exe
2800  ehRecvr.exe
2816  ehsched.exe
2888  elevation_service.exe
1000  IEEtwCollector.exe
1752  GROOVE.EXE
2064  mscorsvw.exe
2004  maintenanceservice.exe
1704  msdtc.exe
924   mscorsvw.exe
1524  msiexec.exe
2624  OSE.EXE
2156  OSPPSVC.EXE
2488  perfhost.exe
1368  locator.exe
2700  snmptrap.exe
2312  vds.exe
1336  vssvc.exe
1748  wbengine.exe
1272  mscorsvw.exe
1500  WmiApSrv.exe
2896  wmpnetwk.exe
2208  SearchIndexer.exe
1532  mscorsvw.exe
856   mscorsvw.exe
2848  mscorsvw.exe
1008  mscorsvw.exe
2316  mscorsvw.exe
3056  mscorsvw.exe
2612  dllhost.exe
1744  mscorsvw.exe

Every image in this list is a Windows or third-party service binary, not a file the sample wrote to a new location. With the exception of GROOVE.EXE and wmpnetwk.exe, each of them also appears in the "Drops file" sections below as a file the submitted sample opened for modification before it ran (the Program Files list below is cut at 64 entries, so those two may simply fall beyond the cut).

Loads dropped DLL (15 IoCs)
pid   Process
480   Process not Found  (13 entries)
1524  msiexec.exe        (1 entry)
760   Process not Found  (1 entry)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

The report does not attribute either of these two signatures to a specific process.
Drops file in System32 directory (21 IoCs)
All 21 entries are "File opened for modification".

By 2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe (the submitted sample), 14 entries:
  C:\Windows\system32\wbengine.exe
  C:\Windows\system32\dllhost.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\msiexec.exe
  C:\Windows\SysWow64\perfhost.exe
  C:\Windows\System32\snmptrap.exe
  C:\Windows\system32\vssvc.exe
  C:\Windows\system32\IEEtwCollector.exe
  C:\Windows\System32\vds.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\SearchIndexer.exe
  C:\Windows\System32\alg.exe
  C:\Windows\System32\msdtc.exe
  C:\Windows\system32\locator.exe

By aspnet_state.exe, 4 entries:
  C:\Windows\system32\dllhost.exe
  C:\Windows\system32\IEEtwCollector.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\config\systemprofile\AppData\Roaming\97e353aabfe435d8.bin

By SearchProtocolHost.exe, 1 entry:
  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

By GROOVE.EXE, 1 entry:
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

By msdtc.exe, 1 entry:
  C:\Windows\system32\MSDtc\MSDTC.LOG

Note that aspnet_state.exe, which the sample itself opened for modification (see "Drops file in Windows directory"), goes on to open dllhost.exe, IEEtwCollector.exe and fxssvc.exe for modification and writes 97e353aabfe435d8.bin under the SYSTEM profile's AppData\Roaming. The chain therefore continues from a binary the sample already touched, and 97e353aabfe435d8.bin is the one file in this section that is neither a service executable nor a file the service writes in normal operation (counters.dat is WinINet cache bookkeeping, MSDTC.LOG is the DTC log).
Drops file in Program Files directory (64 IoCs)
All entries are "File opened for modification" by 2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe (the submitted sample). Three signatures on this page stop at exactly 64 entries, so treat 64 as a display cut rather than the real count.

  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  C:\Program Files\Java\jre7\bin\javacpl.exe
  C:\Program Files\Java\jre7\bin\servertool.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\Mozilla Firefox\private_browsing.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  C:\Program Files\Internet Explorer\ieinstal.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
  C:\Program Files\Java\jre7\bin\jp2launcher.exe
  C:\Program Files\Java\jre7\bin\klist.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Java\jre7\bin\keytool.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  C:\Program Files\Mozilla Firefox\updater.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
  C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
  C:\Program Files\Java\jre7\bin\policytool.exe
  C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  C:\Program Files\Mozilla Firefox\firefox.exe

Every path in this list is an executable; the sample opens no data or configuration files under Program Files.
Drops file in Windows directory (34 IoCs)

Opened for modification by 2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe (the submitted sample), 8 entries:
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  C:\Windows\ehome\ehRecvr.exe
  C:\Windows\ehome\ehsched.exe

Opened for modification by aspnet_state.exe, 5 entries:
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  C:\Windows\ehome\ehRecvr.exe
  C:\Windows\ehome\ehsched.exe

Created by mscorsvw.exe, 14 entries:
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  (2 entries)
  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  (2 entries)

Opened for modification by mscorsvw.exe, 4 entries:
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

By dllhost.exe, 2 entries (one "File created", one "File opened for modification"):
  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2DDF7E49-7F60-471E-84ED-C5B213798BC0}.crmlog

Opened for modification by msdtc.exe, 1 entry:
  C:\Windows\DtcInstall.log

The entries that matter are the first two groups: the sample opens the 32-bit and 64-bit mscorsvw.exe of both CLR versions, aspnet_state.exe, PresentationFontCache.exe, ehRecvr.exe and ehsched.exe for modification, and the modified aspnet_state.exe then opens five of those same binaries again. The ngen lock and log files, the .crmlog and DtcInstall.log are written by the .NET, COM+ and DTC services once they start and carry no information about the sample itself.
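The three "Drops file" sections and the "Executes dropped EXE" list above are most useful read together: which binaries did the sample overwrite, which of those then ran, and which processes other than the sample continued to modify executables. The following Python is an added example (it is not part of this report and is not any sandbox's own tooling) that performs that correlation on the report's flattened text. FILE_EVENTS and EXEC_LIST are constructed subsets of the entries shown on this page; SAMPLE is the report's sample name. Paths may contain spaces, so each record is split on its last space, the process image being the one token that never contains one.

```python
"""Correlate file-modification events with executed binaries in a flattened
sandbox report.

Added example, not part of the sandbox report. FILE_EVENTS and EXEC_LIST are
constructed subsets of this page's entries; SAMPLE is the report's sample name.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe"

# Constructed subset of the report's flattened "description ioc Process" text.
# Paths may contain spaces; the process name is always the last token.
FILE_EVENTS = (
    f"File opened for modification C:\\Windows\\system32\\wbengine.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE} "
    f"File opened for modification C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_state.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe aspnet_state.exe "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\97e353aabfe435d8.bin aspnet_state.exe "
    "File created C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngenrootstorelock.dat mscorsvw.exe "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe -"
)

# Constructed subset of the report's "Executes dropped EXE" pid/process list.
EXEC_LIST = ("480 Process not Found 2572 alg.exe 2616 aspnet_state.exe "
             "2512 mscorsvw.exe 1748 wbengine.exe 2612 dllhost.exe 1704 msdtc.exe -")

ACTION_RE = re.compile(r"File (?:opened for modification|created)")


def parse_file_events(text):
    """Split the flattened text into (action, path, process) tuples."""
    text = text.strip().rstrip("-").strip()
    starts = [m.start() for m in ACTION_RE.finditer(text)] + [len(text)]
    events = []
    for begin, end in zip(starts, starts[1:]):
        record = text[begin:end].strip()
        action = ACTION_RE.match(record).group(0)
        rest = record[len(action):].strip()
        # The process image has no spaces, so split on the last one;
        # everything before it is the path (which may contain spaces).
        path, _, process = rest.rpartition(" ")
        events.append((action, path, process))
    return events


def parse_exec_list(text):
    """Parse 'pid Process' pairs; 'Process not Found' is kept as one token."""
    text = text.replace("Process not Found", "ProcessNotFound")
    return [(int(pid), name) for pid, name in re.findall(r"(\d+)\s+(\S+)", text)]


def correlate(file_events, execs, sample=SAMPLE):
    """Return (modified_then_run, second_stage).

    modified_then_run: basenames of executables the sample opened for
        modification that also appear in the executed list.
    second_stage: {process: [exe basenames]} for processes other than the
        sample that opened a .exe for modification, i.e. the modification
        chain continuing from a binary the sample had already touched.
    """
    executed = {name.lower() for _, name in execs}
    modified_by_sample = {
        ntpath.basename(path).lower()
        for action, path, proc in file_events
        if proc == sample and action == "File opened for modification"
    }
    second_stage = defaultdict(set)
    for action, path, proc in file_events:
        if (proc != sample and action == "File opened for modification"
                and path.lower().endswith(".exe")):
            second_stage[proc].add(ntpath.basename(path))
    return (sorted(modified_by_sample & executed),
            {proc: sorted(names) for proc, names in second_stage.items()})


if __name__ == "__main__":
    run, second = correlate(parse_file_events(FILE_EVENTS), parse_exec_list(EXEC_LIST))
    print("modified by sample and later executed:", run)
    print("further executables modified by non-sample processes:", second)
```

On the constructed subset the result is alg.exe, aspnet_state.exe and wbengine.exe as binaries the sample modified that then ran (fxssvc.exe and iexplore.exe were modified but never executed in the sandbox), and aspnet_state.exe as the one non-sample process that went on to modify another executable. Feeding the full report text to the same functions gives the complete picture; ntpath rather than os.path is used so the Windows paths split correctly when the script runs on Linux.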
Modifies data under HKEY_USERS (64 IoCs)
All keys below are under \REGISTRY\USER\.DEFAULT. None of the 64 entries is written by the sample process itself; every one is attributed to a Windows component (SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, ehRec.exe, ehRecvr.exe, wmpnetwk.exe) that ran during the analysis. The MuiCache strings are resource-string caching done by Windows Search as it indexes Start menu entries, so this signature is side noise from the services the sample started, not evidence of persistence or configuration changes by the sample.

SearchProtocolHost.exe, 46 entries:
  Key created SOFTWARE\Microsoft\SBE\SAL
  Set value (str) SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (str) SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value shown)
  Set value (data) SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e09467859e73da01
  Set value (str) under SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\, 42 entries:
    @gameux.dll,-10056 = "Hearts"
    @gameux.dll,-10059 = "Mahjong Titans"
    @gameux.dll,-10103 = "Internet Spades"
    @C:\Windows\system32\SampleRes.dll,-108 = "Penguins"
    @C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"
    @%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."
    @gameux.dll,-10054 = "Chess Titans"
    @C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"
    @%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."
    @C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"
    @C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"
    @gameux.dll,-10102 = "Internet Backgammon"
    @C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"
    @C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"
    @C:\Windows\system32\gameux.dll,-10058 = "Purble Place"
    @C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"
    @C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"
    @C:\Windows\system32\comres.dll,-3410 = "Component Services"
    @%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"
    @gameux.dll,-10209 = "More Games from Microsoft"
    @%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."
    @C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"
    @C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"
    @%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."
    @C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"
    @%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."
    @%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."
    @C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"
    @C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"
    @C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"
    @C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"
    @C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"
    @C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"
    @C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"
    @C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"
    @%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."
    @%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"
    @C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"
    @C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"
    @%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."
    @gameux.dll,-10055 = "FreeCell"
    @%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."

SearchIndexer.exe, 5 entries:
  Key created SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"

SearchFilterHost.exe, 5 entries (all "Key created"):
  SOFTWARE\Microsoft\SystemCertificates\My
  SOFTWARE\Microsoft\Direct3D
  SOFTWARE\Microsoft\Multimedia
  SOFTWARE\Microsoft
  Software\Microsoft\Multimedia\ActiveMovie

ehRec.exe, 4 entries (all "Set value (int)" under SOFTWARE\Microsoft\SBE\SAL):
  NvpRecCount = "32"
  CacheShortPageCount = "64"
  FileGrowthBudgetMs = "45000"
  CacheLongPageCount = "32"

ehRecvr.exe, 2 entries (all "Key created"):
  SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit
  SOFTWARE\Microsoft\ActiveMovie

wmpnetwk.exe, 2 entries (all "Key created"):
  SOFTWARE\Microsoft
  SOFTWARE\Microsoft\MediaPlayer\Health\{E10086B9-D32D-4561-AFA3-2F896AE807B5}
Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid   Process
2192  2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe  (26 entries)
812   ehRec.exe  (1 entry)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Privileges enabled per process; repeated entries are collapsed with a count. The report prints one privilege only by number, "33": that is the LUID of SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h).

pid   Process                  Token
2192  2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe
                               SeTakeOwnershipPrivilege (1), SeDebugPrivilege (5)
2960  mscorsvw.exe             SeShutdownPrivilege (4)
2976  mscorsvw.exe             SeShutdownPrivilege (35)
2172  EhTray.exe               33 (2), SeIncBasePriorityPrivilege (2)
812   ehRec.exe                SeDebugPrivilege (1)
1524  msiexec.exe              SeRestorePrivilege (1), SeTakeOwnershipPrivilege (1), SeSecurityPrivilege (1)
1336  vssvc.exe                SeBackupPrivilege (1), SeRestorePrivilege (1), SeAuditPrivilege (1)
1748  wbengine.exe             SeBackupPrivilege (1), SeRestorePrivilege (1), SeSecurityPrivilege (1)
2896  wmpnetwk.exe             33 (1), SeIncBasePriorityPrivilege (1)
2208  SearchIndexer.exe        SeManageVolumePrivilege (1), 33 (1), SeIncBasePriorityPrivilege (1)

The two tokens worth attention are the ones enabled by the sample itself: SeTakeOwnershipPrivilege, which lets a process take ownership of files it has no ACL access to, such as the TrustedInstaller-owned binaries under System32 that it opens for modification above, and SeDebugPrivilege, which lets it open any process and fits the 26 process-enumeration calls recorded in the previous signature. The backup, restore and security privileges of msiexec.exe, vssvc.exe and wbengine.exe and the shutdown privilege of mscorsvw.exe are the normal privilege set of those services; the SeDebugPrivilege enabled by ehRec.exe has no such explanation on this page and merits a look.
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2172 EhTray.exe
2172 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
2172 EhTray.exe
2172 EhTray.exe
-
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
2936 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target
PID 2976 wrote to memory of 2064 2976 mscorsvw.exe 42
PID 2976 wrote to memory of 2064 2976 mscorsvw.exe 42
PID 2976 wrote to memory of 2064 2976 mscorsvw.exe 42
PID 2976 wrote to memory of 924 2976 mscorsvw.exe 45
PID 2976 wrote to memory of 924 2976 mscorsvw.exe 45
PID 2976 wrote to memory of 924 2976 mscorsvw.exe 45
PID 2960 wrote to memory of 1272 2960 mscorsvw.exe 55
PID 2960 wrote to memory of 1272 2960 mscorsvw.exe 55
PID 2960 wrote to memory of 1272 2960 mscorsvw.exe 55
PID 2960 wrote to memory of 1272 2960 mscorsvw.exe 55
PID 2208 wrote to memory of 2936 2208 SearchIndexer.exe 60
PID 2208 wrote to memory of 2936 2208 SearchIndexer.exe 60
PID 2208 wrote to memory of 2936 2208 SearchIndexer.exe 60
PID 2208 wrote to memory of 2324 2208 SearchIndexer.exe 61
PID 2208 wrote to memory of 2324 2208 SearchIndexer.exe 61
PID 2208 wrote to memory of 2324 2208 SearchIndexer.exe 61
PID 2960 wrote to memory of 1532 2960 mscorsvw.exe 62
PID 2960 wrote to memory of 1532 2960 mscorsvw.exe 62
PID 2960 wrote to memory of 1532 2960 mscorsvw.exe 62
PID 2960 wrote to memory of 1532 2960 mscorsvw.exe 62
PID 2960 wrote to memory of 856 2960 mscorsvw.exe 63
PID 2960 wrote to memory of 856 2960 mscorsvw.exe 63
PID 2960 wrote to memory of 856 2960 mscorsvw.exe 63
PID 2960 wrote to memory of 856 2960 mscorsvw.exe 63
PID 2960 wrote to memory of 2848 2960 mscorsvw.exe 64
PID 2960 wrote to memory of 2848 2960 mscorsvw.exe 64
PID 2960 wrote to memory of 2848 2960 mscorsvw.exe 64
PID 2960 wrote to memory of 2848 2960 mscorsvw.exe 64
PID 2960 wrote to memory of 1008 2960 mscorsvw.exe 65
PID 2960 wrote to memory of 1008 2960 mscorsvw.exe 65
PID 2960 wrote to memory of 1008 2960 mscorsvw.exe 65
PID 2960 wrote to memory of 1008 2960 mscorsvw.exe 65
PID 2960 wrote to memory of 2316 2960 mscorsvw.exe 67
PID 2960 wrote to memory of 2316 2960 mscorsvw.exe 67
PID 2960 wrote to memory of 2316 2960 mscorsvw.exe 67
PID 2960 wrote to memory of 2316 2960 mscorsvw.exe 67
PID 2960 wrote to memory of 3056 2960 mscorsvw.exe 68
PID 2960 wrote to memory of 3056 2960 mscorsvw.exe 68
PID 2960 wrote to memory of 3056 2960 mscorsvw.exe 68
PID 2960 wrote to memory of 3056 2960 mscorsvw.exe 68
PID 2960 wrote to memory of 1744 2960 mscorsvw.exe 70
PID 2960 wrote to memory of 1744 2960 mscorsvw.exe 70
PID 2960 wrote to memory of 1744 2960 mscorsvw.exe 70
PID 2960 wrote to memory of 1744 2960 mscorsvw.exe 70
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-11_aabc1f5bb48f0cb1d7da970ccb117cd9_magniber_revil.exe"
Level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Level: 1
- Executes dropped EXE
PID:2572
-
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2616
-
Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2512
-
Image: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2424
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Level: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:1272
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:1532
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:856
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 200 -Pipe 240 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:2848
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 1e4 -Pipe 23c -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:1008
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 25c -NGENProcess 1dc -Pipe 1d0 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:2316
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 184 -NGENProcess 1a8 -Pipe 268 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:3056
-
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 264 -NGENProcess 258 -Pipe 184 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:1744
-
-
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Level: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
-
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:2064
-
-
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
Level: 2
- Executes dropped EXE
PID:924
-
-
Image: C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2800
-
Image: C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
Level: 1
- Executes dropped EXE
PID:2816
-
Image: C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
Level: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172
-
Image: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:2888
-
Image: C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
Level: 1
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
Image: C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
Level: 1
- Executes dropped EXE
PID:1000
-
Image: C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
PID:1752
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Level: 1
- Executes dropped EXE
PID:2004
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1704
-
Image: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Level: 1
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
Image: C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Level: 1
- Executes dropped EXE
PID:2624
-
Image: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Level: 1
- Executes dropped EXE
PID:2156
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Level: 1
- Executes dropped EXE
PID:2488
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Level: 1
- Executes dropped EXE
PID:1368
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Level: 1
- Executes dropped EXE
PID:2700
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Level: 1
- Executes dropped EXE
PID:2312
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Level: 1
- Executes dropped EXE
PID:1500
-
Image: C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
-
Image: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Level: 2
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2936
-
-
Image: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
Level: 2
- Modifies data under HKEY_USERS
PID:2324
-
-
Image: C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2612
Network
MITRE ATT&CK Enterprise v15
Downloads