a92805cd1cea9c4a5fec1e351082206c8fc387df4f2e07eb55d6ec2f02a804c4

Analysis

max time kernel
55s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Size

24.3MB
MD5

fdf2b2afc999203392e9a98d92594e5c
SHA1

6e384beb916b5c76a6a035f0c141e7a61a869e16
SHA256

a92805cd1cea9c4a5fec1e351082206c8fc387df4f2e07eb55d6ec2f02a804c4
SHA512

16848aa4f5651ad735996b6480b0e44c83b9d39ff7edd393c20100277a87567022b8c1c82d488caa0d31a31e0f0001fc682c1948c225341fa8943dddf0860cda
SSDEEP

196608:LP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018zt1:LPboGX8a/jWWu3cq2D/cWcls1i

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 34 IoCs

pid	Process
472	Process not Found
2528	alg.exe
2728	aspnet_state.exe
2468	mscorsvw.exe
112	mscorsvw.exe
2348	mscorsvw.exe
2908	mscorsvw.exe
1536	dllhost.exe
1428	ehRecvr.exe
2636	ehsched.exe
440	elevation_service.exe
1816	IEEtwCollector.exe
1668	GROOVE.EXE
888	maintenanceservice.exe
1708	mscorsvw.exe
2380	msdtc.exe
2772	mscorsvw.exe
112	msiexec.exe
948	OSE.EXE
676	OSPPSVC.EXE
1204	perfhost.exe
1572	locator.exe
2604	mscorsvw.exe
1020	snmptrap.exe
768	vds.exe
2264	vssvc.exe
564	mscorsvw.exe
2740	wbengine.exe
2832	WmiApSrv.exe
944	mscorsvw.exe
3004	wmpnetwk.exe
1768	SearchIndexer.exe
1772	mscorsvw.exe
2964	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
112	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44fb4a3dae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CEEFE1ED-AAC4-4587-B1BC-503993FF4F7C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CEEFE1ED-AAC4-4587-B1BC-503993FF4F7C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{EF86B51D-BBCE-4973-972F-6AB668E0A2C2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{EF86B51D-BBCE-4973-972F-6AB668E0A2C2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1384	ehRec.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: 33	1200	EhTray.exe
Token: SeIncBasePriorityPrivilege	1200	EhTray.exe
Token: SeDebugPrivilege	1384	ehRec.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: 33	1200	EhTray.exe
Token: SeIncBasePriorityPrivilege	1200	EhTray.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeSecurityPrivilege	112	msiexec.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeBackupPrivilege	2264	vssvc.exe
Token: SeRestorePrivilege	2264	vssvc.exe
Token: SeAuditPrivilege	2264	vssvc.exe
Token: SeBackupPrivilege	2740	wbengine.exe
Token: SeRestorePrivilege	2740	wbengine.exe
Token: SeSecurityPrivilege	2740	wbengine.exe
Token: SeManageVolumePrivilege	1768	SearchIndexer.exe
Token: 33	1768	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1768	SearchIndexer.exe
Token: 33	3004	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3004	wmpnetwk.exe
Token: SeDebugPrivilege	1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1284	2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	EhTray.exe
1200	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	EhTray.exe
1200	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1708	2908	mscorsvw.exe	44
PID 2908 wrote to memory of 1708	2908	mscorsvw.exe	44
PID 2908 wrote to memory of 1708	2908	mscorsvw.exe	44
PID 2908 wrote to memory of 2772	2908	mscorsvw.exe	46
PID 2908 wrote to memory of 2772	2908	mscorsvw.exe	46
PID 2908 wrote to memory of 2772	2908	mscorsvw.exe	46
PID 2348 wrote to memory of 2604	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 2604	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 2604	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 2604	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 564	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 564	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 564	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 564	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 944	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 944	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 944	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 944	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 1772	2348	mscorsvw.exe	63
PID 2348 wrote to memory of 1772	2348	mscorsvw.exe	63
PID 2348 wrote to memory of 1772	2348	mscorsvw.exe	63
PID 2348 wrote to memory of 1772	2348	mscorsvw.exe	63
PID 2348 wrote to memory of 2964	2348	mscorsvw.exe	65
PID 2348 wrote to memory of 2964	2348	mscorsvw.exe	65
PID 2348 wrote to memory of 2964	2348	mscorsvw.exe	65
PID 2348 wrote to memory of 2964	2348	mscorsvw.exe	65
PID 1768 wrote to memory of 760	1768	SearchIndexer.exe	66
PID 1768 wrote to memory of 760	1768	SearchIndexer.exe	66
PID 1768 wrote to memory of 760	1768	SearchIndexer.exe	66
PID 1768 wrote to memory of 3060	1768	SearchIndexer.exe	67
PID 1768 wrote to memory of 3060	1768	SearchIndexer.exe	67
PID 1768 wrote to memory of 3060	1768	SearchIndexer.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2468

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 170 -NGENProcess 18c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 1f8 -Pipe 18c -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 1e0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 1e0 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 120 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1536

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1428

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:440

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1816

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:948

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:3060
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.1MB

MD5
587a1c5dfd4e3258dce815a76f645120

SHA1
b1efb51ae3e0e3123606a066bb232c34b8b171cf

SHA256
9ef5e97256d5024acdf1c173d34f2e1cc7935ac556bcd5fbbebb25cdf6c679f6

SHA512
6706c2a7e0d669de39a89d7ec7773e7524671c7fa5b5c62c891290e884705d5b556998b4e285ca427ce3f5b75fa3b41465c50dad8791cbe01881953c6eea41e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.8MB

MD5
a4bc6e157c402ae8bcdb1dfac31a56bf

SHA1
40406e3add91bd9e710319b5e6de72b0ebcffe6e

SHA256
0cba789a9648790c0c1e26c20bf8a4ec02dd0252c4a0e1554486b5bf8bda5e29

SHA512
d7d3186438e220d81fc9a3fc8d18f295556095a170772a1895fa4c015c85368908b8d9a21df727e4d564c000b16e43a0dddafa88d73eecd62324c7afb5918612

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
333b8d4eb97fde79b6564557450ea1e3

SHA1
0201d22262d92bbe3e7bc043900cc5f3bda3d7bf

SHA256
2bcef0e5c319b23458ba1727a6fa6c5a6fe4f476c1cb0aa213d6c2e2e42075ea

SHA512
3f9e48d7d00a4ea545778e71a8af42905439b760b418690458a9ec6ea3c5a7a90fb0163a0236548ecee60f7ebd984013a0f006a70fd93ef9aaa20b0ae9115bc1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3a688c3d8bd3bbc82161175eab782473

SHA1
01af745855976bd5fb9175739214e65b014e09cf

SHA256
046b1f78dbe1c2e46ad7d2646801f031c1269ce0ac178fb7a1778351ccba525c

SHA512
9af8c604b924ffb90b0772b5f2bb915808cb5b9f3fba3f03972b25c2b463212db885b88af5e3743da178a39ae1d2f4b7c974f0d0d6332fec305f73dd5ca08b3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.2MB

MD5
2bbffc73f2c9c8c2cd5be7999ad2da5d

SHA1
efd6b7d5e5b301c76d5648ac9a540a6e406fd88d

SHA256
19ef26863965c5c7428dc8c029e076aa260fc27760505a1d68343669d9b24640

SHA512
e2b861d29a52ff16c1ee236657653e0f0dc4904eaa00e9dfddccc0bc35677689312bbead024d73409b313ba0db9d63b841f859a8bafdfa15801cfbff21cbf49f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
67f3b930c46bf0632e4e495fea01136f

SHA1
9a00a2821d317cbbfe2142ab6e7cd9f9cbad7d76

SHA256
b1dbf1b40c34f73057116443ef916d119fc9335e5ec1019c5408d5082666be74

SHA512
b7500345db198be9da5b28f43155457c5375f04be1d241628ab64e6d961ab057846555454118bbbdb13b0749be35f76f3a32f16f89f2d2c7cca5d8770036a4f5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
6a18d5065ca02d54c2bd1b8466336fb3

SHA1
1a5b4fbd272048e8d81813a2987623585c6cfb6a

SHA256
3b89b0ff3387b8172cfda4d8adeff4a516319e4d4a8d00f7339b8a3a65a98f1d

SHA512
2341f027d76fbcfd6ff9a04eee4ca0b524d12c045628d351d8e6e84ff631eb09eb3fdc3367b9bb236793c77fed3d65fc92d34d6669043dd0d875a49d6b3330bb

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c42e3ef71d8f69c9b800c9242a67c410

SHA1
a47e68ae4d7a95f40c6dcdd5b1f3d2e9e4788e60

SHA256
0a3559fc3909481a838c46e3cb3476c0a86874d12eb8b2d61775119e848ab5bf

SHA512
c43c766a0db3c17abbc17f1900bf0c6dd5f6cd9fd08e7773ac53d341f6a604a5624d651ea9f13ec241d86cef4d2e617eaa8b068a2fb523456d8ea25e2e0b447e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
27d3b073c69870d1ad551561942e2ce3

SHA1
c48ebb75581b21c2f48fed3d0477ed6eadedd421

SHA256
995d5ee05f53184a0d8ff408531456d03b7879b977af6f0832ba3481ca8a20c6

SHA512
976541c5f3dc6ee547193ccaa4da192ba6a1c418891e3d78c86d1ff12a78b5fcafbcdf7cceca35455f7939708d1b79169bda289efbf20672f3d5d5bd5fecbf2d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3c432764bcdfce6781efe688d29dbaba

SHA1
1ddc385e26541ab0f063e042d30ceb8a449cf5ee

SHA256
a6f67e86257c03ffa20328275780970b8e58b81747664464348448cdd537f073

SHA512
5b3fdddbbb1fe57f70290f88166bbd50ab105663eb1f29d3c43a4d1ee0ce76f04c7ddd913116e78110df6bf90d2ff66bade54e0d6559471531b4701ef5c30aca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
27da22fc24c2812b2e25cedc4a4d9d09

SHA1
a9bd70e6d9ed1b970cdf9b6b81ef8b7c1fa592f5

SHA256
ae1d6c523c4128773ec2aa1a95ddd16d63484552f4d405c73f7c3ae5180ef851

SHA512
4376bf1e7c3745fb4a48c566a275239be7a52a5a63b0168ea32036f4aa3659b0c07986e9b915b059324b039ed653b023d6d07ed1a075c9294c039afe80081ca6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
c6a4bdb78e249b4742303e092a6de092

SHA1
f4bf8c7758fbd9ac61fec539e6db8e64e8079adb

SHA256
3607de6e24ee2e1df82c2af88388b4a164b367d506df387b213c61d01fa14c94

SHA512
b18597c0f6de3e2e20e30eec4e1e240eb3fb14c0068eab046b978e59540b96d65acf6fcedde5575ff7f32e4bbed785121aad7db199ce18ba671c77e3a0f9c860

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a8227ff66515a61d0a5b6a2bfd9aa367

SHA1
ca9ecdec7f9771419cc317a0912a4af7628d943d

SHA256
7a078e5faae5a97d8fc5e8ee2375e722694d7405164d9f35382b75272999868e

SHA512
e8dc1272fca01ae622c9791a21040d16daf3796914eb97f3330851c9e8583ede31c40de82be3cb6d9710fae07b2d229d9f33ca489f8aac90e9a13cf42c7649f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
93f825a63b6f738d48ec7b55da9b8347

SHA1
9eeb9de8c88b7250e5cd26fb638dd58b1e95c63e

SHA256
0511cf38d2a930f66b76285471292a96d6e9f3a1062fd3e8c20e22da9b2d6dde

SHA512
b1877d8885e809aac5ae8e9186e72fda2f0aee74289ed185bd9deeaabf85ba8252cb8f6eb5d15c25b25a9813cd7f3f35a6742a0a6dbe931fe8776a6f7fadd287

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a7a16736329be9f7baf641515dcf2dc0

SHA1
cf6e43a03604b66ad907fcaf8a2e732eb9451a55

SHA256
7da1c3d6614f204d2f983faf7ae0fba16946cfff7760ff4cf509dc3cbe1c7a86

SHA512
af56841877e86f85122b8254e2b99442607c6afb29900b1232bb36ced05dc2f322974536a585776f7e768a5d70ade877243de365a9522d4d7e9c315ccb081c08

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fb1a7606e6d4f885c5f33dffdbf8424d

SHA1
47358a4ec23cc75afe9f4e69a2faac518c61bc33

SHA256
ddbda77ff53690e9d3c140e2d9a79ce4a77a4be6a9c7e1d7600b96b3876d2395

SHA512
8a0e04adc00ea5e87d5c052d8d45910d1dadcf4a0fdefc8c73d0ec718f0a70d720676c05131ecb12f86055afd6c296fcbd5ae9b0635596318e0457bc6a0185fc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
849b35cc2c16c3dc77a64144bf77aa90

SHA1
ab67a42aa1da3751eeab4228374d6e4537db9ae4

SHA256
516dfb0dbfc58db182e20e64a081e123b26239fddd6823af0be583caacc61e99

SHA512
5185dc4eff102fed520f76a438213b54f51278e0bef9170d25d7f50748b87eb770da8bdcdd4ed3be84f866f7d774156ba41100aee72fb2b10d474155ddbafd80

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
d39b93d8207be395fe18306503d51b75

SHA1
b96448d66725394adf664201a981434fbc358017

SHA256
2c35c03a7eaadb08870fcdadf0ee7f84f6e6adb1808a41e3849a76f41e968e2b

SHA512
81285e63bcaf2823ebb4b4a96257c9fccdf9cafc89051ea98317651ef7e848c97b09c361b42f21df97226c331eda9eabe68688689da7522443820bc6d20af48e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
837e6a7a8bee4e683cda444a787065bc

SHA1
bdbfdec049907d6f3726aa67e5a2ed1a33ec9a6c

SHA256
08814d9d109e8de44042949f1fccfe5025e5858182d1c29138126aaff2458551

SHA512
2536ae7899115478ac2072f9e7e443c1baa40fd4906fd69d5d9bdc09fa411770bbed9bc77c8670f9a1f9d4a4198b1b578b899d5cbe2dc3315f1f04fbcf2c839b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
70aa74b08bcf241dbead09c0d6b898c1

SHA1
891919b77a5e634f105a785076979fd52ddd0a0d

SHA256
2184b74a11f4ec97bd14ceefdfc72949c75bc855cd86a427a9449947bbb358d9

SHA512
14deeadedc2db6ee9e2896203441bbaee93eb71a7fc71c77f35c302231724d0b3cbde435543481fbac3bb646a5644946615fcc9a1c2a826b5ec40f329835f4d8

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
e2c230232d0ffd05d57e77060540828e

SHA1
18f6b342abc5dc743e3117ea2dbd10e5efbfb20d

SHA256
78863cc01a4d53bf2313e26d09bce5c9610eaaf39bee2999a53e39844cc01076

SHA512
59801e2d807e005c7032eb09ba0b0af5f5914bf93a52cd5b25e4da80d63c999afe93f8e2ad4a0572b76f51570ebc5530169c58add9e0487b6797b7c8af9af18e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
90d1ae9cb562f9646f5c6529f8455093

SHA1
3262d3830fffa6a56386908b19681e931f6ad59b

SHA256
a5b900412d929f0e7457b6bdf0f3cc8a7d5cd2ed274dd452eabdb15bf132734e

SHA512
b43e0ee35fa7115930f0ae700b414e93ec865fd387353e0f56767f681c8a5a8fa8bf3b32f492e60488ff8d2d9cbe3e138d75b9c57002d482265ad9c03e307c9f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
53e5039a2c0be9af960ecd524a2e9c72

SHA1
1e95e2f4e32c2f89a15ef6e6340a7900fd4720e3

SHA256
f1ddc2714b228c7e6553069ddfc9286e8bfc738622e9495a57efb3920ff95d80

SHA512
cc78022274afbfefca16560dadbf999215762202e4699107fb3b2c3ddc111053383d038c88252b8885a712b842974acc29ff07d4fe4e19ffd23e00e119f0326b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
431f15fd2fc419f202a6c4b0f52167e7

SHA1
64ac0bcf100a58ac1ba128b9c0f0b374c08850e7

SHA256
43336bcb85d08f10f987fd917e7dee4dd7a6f9ea44e31c79159aebba0d2d3025

SHA512
d450c92220747a8e862949569a2b6d413eff973318c5302c227f3d87a75ff6428588462bab81df7e689e522e1add8953d453d53e46cd6e47c662e3446fea2376

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
80651c0fba2d44c39177b0d9dfca1d0a

SHA1
faade327b3460a0978abc06dd9a656d91f57b19c

SHA256
fabacac008c5e55abb05a498287ad1831a27d01d919fb2001b5bd108103e6658

SHA512
063345008992b079cf7372b69732344de8ee774d41575cf982775500812fda8d0e911669813901992934c6dc9f5903d6b69be1516f6b8c27c94befd1bd42cc72

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
559750b6b25d1298b38d59dfb9fbd9ce

SHA1
f246c61185aebf3560e1a9988f176648842ee421

SHA256
d6e7b37a158ab19e3f05ba137909957e0fc4c5de788970b1949a1ca025c9254a

SHA512
0e517385ae5bc4214de8bc36dfc7f41019d7a13c912b1111b4b4467ed6fa84de0aaef420e0501f89967d15f5235757616d10cd6e7ec5556c3f5e45689dda5e72

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
b0265011cfa13a94627ff8d24dc77392

SHA1
c33615c1033ce4e78cc80a42b4ddbbcf8601cf24

SHA256
5043bb3869c3bd5eecdbdbfbad64b96fe0b4fa1d06c587d4d2c167341c41daea

SHA512
678823f6fb1ba5ea4be4e2102e2de116fb820eaf74fd8aee09b55483d075c7b4260ad11cb3595611d753378a4e9c4156762943f3f3ad72c06751c1d9dd61f056

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
6d7dea531cc3c5cfbb00498c70e0f241

SHA1
b2f227ed305d445b8ad130a4d71c9f9ed594ff71

SHA256
7ee21ae12dfffe037831002a4fbc416b034e5c19b56d37f15c2d4795e0a9a3ac

SHA512
4ad4c86cfb78a3fd3c239689642933451bc95afc0393104e20070c6b046d9c20dbc74bf552abeeea6ec658b186e45217c4f3da5402ec4653f7fa733db1e631c5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
983ed8b834f19c2642e5684a0b3875f4

SHA1
b0b77367375512b3e9bbe692c5a0dea70388c7ab

SHA256
93020797514366e3b08e982dfc96203c1178b77593c3840653ca4972b2696b96

SHA512
b1b5d03dbb1b520406bd845695160332cb3acf566dee940763a01bc92f7f61199a73062b3f51fd28c1436d6ef2d0b7c67e76424ab1beec71d8eff43ecae40a9b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
33ef6c66277575fcdc7b731a716715b3

SHA1
3e46f2416330515fde8751267ade9219ee439ebc

SHA256
540cd74ee9dab8f2fc6a2092021d2d480d5ae7701b43455dce77231840b9e9a1

SHA512
f6ef2a745abadc5053520f620021fdbc36619c9a629eabb41a71526cb882107ccf98c06631607ad90a9a652685818c0ac63385a024f29b98c739912ad321dfc7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
9b4b30b682814c4700ae70221cbf8ea4

SHA1
cd2e945da9aaa1cc3ebe127a64d07e5f6e95d87d

SHA256
4c6e8b5a7ffb9893d6fe1db2c1a9ef00ef0cc70dcdff2202db058a842e751b07

SHA512
8ae2eb882b407265b7b15426f7b680a2282b20c9b85173ec53bd0aa7a73eb3fa2b50a9219a51c270495dd94aa392d548de903c3871f69980687683bf31fdad3c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
1bf4b120f2da4e322b4589e9f254ea8f

SHA1
7da07cce6a28812c1b4b3bbfa6a486eabfe36c35

SHA256
98eab37c7c569aa7bdba3c2aeff6d7e9d6522ca3d2ad354f6cce2208e1eed441

SHA512
8ef0112fe9a6c7214e68ef74da97375232c167092bc3db37fb3fa6bec65cf1c65cac519c6d7fca57d746e10acbbaa28fe0ebc2fe73f0b0c73b85a98a8f42bc00

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e135b257cf9e56ae3ad472bde692d82d

SHA1
330f969433f667f0e0f6b88cdcd2552f3f3bd23c

SHA256
16cb2ed08f604ae6dd55b5cd27bc9cbd4bfdba3d4519820cadcd6b22306850bc

SHA512
f417e7dfef12af7eac3161bb69687b9afda40cb1f524be32607ef890b400ef881a7d8e1a1e25e303229c03042767f575027bffb4df982a2c84d71d91c36c8091

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.2MB

MD5
5fb230ff60ff2ebc979ffdab7aefc230

SHA1
e90740faa6a3b0d6a0dc3285b310dcf335f32db6

SHA256
a9b9a929f8859496b42584f029218e3c0537f920d71d0df71d0e98c4ad4d8100

SHA512
9723ea2044f12d019cc4057fa65ec6037f703c58b91374ba534918637893078aad03c916764f3a9a168fedc110e3a9de203867aed75141f3275bbd662429a1be

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.9MB

MD5
c9019af5c93219b073ae2ac5efc11cb0

SHA1
df322612f9fae86429750d2fc67c7eea101954ad

SHA256
017197405691cc4171a92210fc50918f9202f892e8ddc38392f1e8e5c632954f

SHA512
b8c878b843d116349ee71b543888553a325df3d5669c9703aaea65a1e5c28fc400f1060f4810b3e3497a078b5498914ade82e79cc100f63113a34defb8e2119f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2c6eefa52292670fb396333f886001b2

SHA1
153e8176595ef6dcb2b82b24505c66df4878e9e7

SHA256
fa6619908a94a638f7664d4eb039dab2359315776853410bdaa34e5895b8a8ea

SHA512
26cb7d545abec213aaffdf02349fb88dedd5f2b76988f2bce61118fc8adde87c77ea7b22368ea59cc083bb126650e81d7d30e5734fb87d79f9a4814e04cade72

Download Submit
memory/112-45-0x0000000010000000-0x0000000010183000-memory.dmp

Filesize
1.5MB

Download
memory/112-284-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/112-66-0x0000000010000000-0x0000000010183000-memory.dmp

Filesize
1.5MB

Download
memory/112-260-0x0000000100000000-0x000000010018E000-memory.dmp

Filesize
1.6MB

Download
memory/112-258-0x00000000004F0000-0x000000000067E000-memory.dmp

Filesize
1.6MB

Download
memory/440-144-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/440-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/440-134-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/676-279-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/676-286-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/676-288-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/888-181-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/888-224-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/888-190-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/888-223-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/948-285-0x000000002E000000-0x000000002E191000-memory.dmp

Filesize
1.6MB

Download
memory/948-276-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1204-303-0x0000000001000000-0x0000000001172000-memory.dmp

Filesize
1.4MB

Download
memory/1284-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1284-72-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1284-7-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1284-5-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1384-157-0x000007FEF4410000-0x000007FEF4DAD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-151-0x000007FEF4410000-0x000007FEF4DAD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-153-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/1384-174-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/1384-217-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/1384-212-0x000007FEF4410000-0x000007FEF4DAD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-254-0x000007FEF4410000-0x000007FEF4DAD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-281-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/1428-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1428-116-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1428-117-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1428-178-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1428-118-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1428-106-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1428-113-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1428-105-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1536-92-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1536-99-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1536-94-0x0000000100000000-0x0000000100171000-memory.dmp

Filesize
1.4MB

Download
memory/1536-159-0x0000000100000000-0x0000000100171000-memory.dmp

Filesize
1.4MB

Download
memory/1668-173-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1668-176-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1668-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1708-195-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1708-204-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1708-240-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1708-241-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1708-245-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1816-161-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1816-160-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2348-64-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2348-59-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2348-130-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2348-58-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2380-283-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2380-215-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2468-29-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2468-30-0x0000000010000000-0x000000001017B000-memory.dmp

Filesize
1.5MB

Download
memory/2468-35-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2468-56-0x0000000010000000-0x000000001017B000-memory.dmp

Filesize
1.5MB

Download
memory/2528-13-0x0000000100000000-0x0000000100180000-memory.dmp

Filesize
1.5MB

Download
memory/2528-12-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2528-20-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2528-91-0x0000000100000000-0x0000000100180000-memory.dmp

Filesize
1.5MB

Download
memory/2636-121-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2636-187-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-128-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2636-122-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-104-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2728-26-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2772-259-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2772-256-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2772-274-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2908-142-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2908-75-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2908-81-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download