948a99a872a34e0d7456de1a4f268b24d82e33ee7e41991b6cb03fdae8242e3a

Analysis

max time kernel
150s
max time network
164s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Size

1.6MB
MD5

78f3a1793ce06093cbba5023d29e650e
SHA1

c4d5739de577f3d4715d3f0ff9eda8b8e69f63f8
SHA256

948a99a872a34e0d7456de1a4f268b24d82e33ee7e41991b6cb03fdae8242e3a
SHA512

ed67a96a9eb2bdf62b1ec6d796aa1f2350fc9c73b8c318f6d21e5b63d60bf4f94364a3b345b1667f3c78bedd48eb8c0192984d1b40bf07f40160b69a5f94c0c6
SSDEEP

24576:xPHeMy8QQGeQrRUm7KAd6JtFMGFWwH5iksXSGBwKMDHreO9w7chAdaD38VvhYPjs:tbhSnKAwCWjZmXtgBwpi3Fj5Ngb9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 47 IoCs

pid	Process
464	Process not Found
2300	alg.exe
2720	aspnet_state.exe
3016	mscorsvw.exe
1044	mscorsvw.exe
2780	mscorsvw.exe
616	mscorsvw.exe
2040	ehRecvr.exe
1056	ehsched.exe
2324	elevation_service.exe
1672	IEEtwCollector.exe
1644	mscorsvw.exe
1648	GROOVE.EXE
884	mscorsvw.exe
2224	maintenanceservice.exe
2944	msdtc.exe
2716	msiexec.exe
2180	OSE.EXE
580	OSPPSVC.EXE
1768	perfhost.exe
2892	mscorsvw.exe
1872	locator.exe
2116	snmptrap.exe
2968	vds.exe
2824	vssvc.exe
2632	wbengine.exe
2664	mscorsvw.exe
1764	WmiApSrv.exe
2196	wmpnetwk.exe
1704	mscorsvw.exe
1480	SearchIndexer.exe
2792	mscorsvw.exe
2444	mscorsvw.exe
1388	mscorsvw.exe
1828	mscorsvw.exe
2420	mscorsvw.exe
1628	mscorsvw.exe
1584	mscorsvw.exe
1868	mscorsvw.exe
1244	mscorsvw.exe
1056	mscorsvw.exe
2664	mscorsvw.exe
2040	mscorsvw.exe
944	mscorsvw.exe
2428	mscorsvw.exe
1716	mscorsvw.exe
2340	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2716	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e264c5824501ed38.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9D2AA601-D83B-482C-B2D4-011350A7A86E}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{9D2AA601-D83B-482C-B2D4-011350A7A86E}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1480	ehRec.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeShutdownPrivilege	2780	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	2780	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: 33	1316	EhTray.exe
Token: SeIncBasePriorityPrivilege	1316	EhTray.exe
Token: SeShutdownPrivilege	2780	mscorsvw.exe
Token: SeShutdownPrivilege	2780	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeDebugPrivilege	1480	ehRec.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe
Token: 33	1316	EhTray.exe
Token: SeIncBasePriorityPrivilege	1316	EhTray.exe
Token: SeSecurityPrivilege	2716	msiexec.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeBackupPrivilege	2632	wbengine.exe
Token: SeRestorePrivilege	2632	wbengine.exe
Token: SeSecurityPrivilege	2632	wbengine.exe
Token: SeManageVolumePrivilege	1480	SearchIndexer.exe
Token: 33	1480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1480	SearchIndexer.exe
Token: 33	2196	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2196	wmpnetwk.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeDebugPrivilege	856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeDebugPrivilege	856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeDebugPrivilege	856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeDebugPrivilege	856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeDebugPrivilege	856	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1316	EhTray.exe
1316	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1316	EhTray.exe
1316	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1644	616	mscorsvw.exe	40
PID 616 wrote to memory of 1644	616	mscorsvw.exe	40
PID 616 wrote to memory of 1644	616	mscorsvw.exe	40
PID 616 wrote to memory of 884	616	mscorsvw.exe	42
PID 616 wrote to memory of 884	616	mscorsvw.exe	42
PID 616 wrote to memory of 884	616	mscorsvw.exe	42
PID 2780 wrote to memory of 2892	2780	mscorsvw.exe	51
PID 2780 wrote to memory of 2892	2780	mscorsvw.exe	51
PID 2780 wrote to memory of 2892	2780	mscorsvw.exe	51
PID 2780 wrote to memory of 2892	2780	mscorsvw.exe	51
PID 2780 wrote to memory of 2664	2780	mscorsvw.exe	57
PID 2780 wrote to memory of 2664	2780	mscorsvw.exe	57
PID 2780 wrote to memory of 2664	2780	mscorsvw.exe	57
PID 2780 wrote to memory of 2664	2780	mscorsvw.exe	57
PID 2780 wrote to memory of 1704	2780	mscorsvw.exe	60
PID 2780 wrote to memory of 1704	2780	mscorsvw.exe	60
PID 2780 wrote to memory of 1704	2780	mscorsvw.exe	60
PID 2780 wrote to memory of 1704	2780	mscorsvw.exe	60
PID 1480 wrote to memory of 2492	1480	SearchIndexer.exe	62
PID 1480 wrote to memory of 2492	1480	SearchIndexer.exe	62
PID 1480 wrote to memory of 2492	1480	SearchIndexer.exe	62
PID 1480 wrote to memory of 1152	1480	SearchIndexer.exe	63
PID 1480 wrote to memory of 1152	1480	SearchIndexer.exe	63
PID 1480 wrote to memory of 1152	1480	SearchIndexer.exe	63
PID 2780 wrote to memory of 2792	2780	mscorsvw.exe	64
PID 2780 wrote to memory of 2792	2780	mscorsvw.exe	64
PID 2780 wrote to memory of 2792	2780	mscorsvw.exe	64
PID 2780 wrote to memory of 2792	2780	mscorsvw.exe	64
PID 2780 wrote to memory of 2444	2780	mscorsvw.exe	65
PID 2780 wrote to memory of 2444	2780	mscorsvw.exe	65
PID 2780 wrote to memory of 2444	2780	mscorsvw.exe	65
PID 2780 wrote to memory of 2444	2780	mscorsvw.exe	65
PID 1480 wrote to memory of 2044	1480	SearchIndexer.exe	66
PID 1480 wrote to memory of 2044	1480	SearchIndexer.exe	66
PID 1480 wrote to memory of 2044	1480	SearchIndexer.exe	66
PID 2780 wrote to memory of 1388	2780	mscorsvw.exe	67
PID 2780 wrote to memory of 1388	2780	mscorsvw.exe	67
PID 2780 wrote to memory of 1388	2780	mscorsvw.exe	67
PID 2780 wrote to memory of 1388	2780	mscorsvw.exe	67
PID 2780 wrote to memory of 1828	2780	mscorsvw.exe	68
PID 2780 wrote to memory of 1828	2780	mscorsvw.exe	68
PID 2780 wrote to memory of 1828	2780	mscorsvw.exe	68
PID 2780 wrote to memory of 1828	2780	mscorsvw.exe	68
PID 2780 wrote to memory of 2420	2780	mscorsvw.exe	69
PID 2780 wrote to memory of 2420	2780	mscorsvw.exe	69
PID 2780 wrote to memory of 2420	2780	mscorsvw.exe	69
PID 2780 wrote to memory of 2420	2780	mscorsvw.exe	69
PID 2780 wrote to memory of 1628	2780	mscorsvw.exe	70
PID 2780 wrote to memory of 1628	2780	mscorsvw.exe	70
PID 2780 wrote to memory of 1628	2780	mscorsvw.exe	70
PID 2780 wrote to memory of 1628	2780	mscorsvw.exe	70
PID 2780 wrote to memory of 1584	2780	mscorsvw.exe	71
PID 2780 wrote to memory of 1584	2780	mscorsvw.exe	71
PID 2780 wrote to memory of 1584	2780	mscorsvw.exe	71
PID 2780 wrote to memory of 1584	2780	mscorsvw.exe	71
PID 2780 wrote to memory of 1868	2780	mscorsvw.exe	72
PID 2780 wrote to memory of 1868	2780	mscorsvw.exe	72
PID 2780 wrote to memory of 1868	2780	mscorsvw.exe	72
PID 2780 wrote to memory of 1868	2780	mscorsvw.exe	72
PID 2780 wrote to memory of 1244	2780	mscorsvw.exe	73
PID 2780 wrote to memory of 1244	2780	mscorsvw.exe	73
PID 2780 wrote to memory of 1244	2780	mscorsvw.exe	73
PID 2780 wrote to memory of 1244	2780	mscorsvw.exe	73
PID 2780 wrote to memory of 1056	2780	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1a8 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 23c -NGENProcess 1d0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 260 -NGENProcess 1ec -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 238 -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1d0 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ec -NGENProcess 268 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 238 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 24c -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 288 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 290 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2040

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2180

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1152
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
2035fb666d604e1b404b45ca0d134b83

SHA1
aeb204371a2f5ee574ae74d086a529fde96c8b77

SHA256
22ab78079e2d72e513057a746fff72088045e74041a72a3e36eb98917bc78832

SHA512
e7d6c7492ba0b40808108880599e0f50a86bdf20d394570013aa13472eb4f004775dcfeb8e370a90872a9a56cbe5800ed63f06b0e668425eab5e048a83ca44dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f4b022bd6f7b913fb2ab2a06832e0240

SHA1
a2dca84cf236acf0d398cdd1f93543f0f179a18d

SHA256
b3dc3a2b35bde4668166857a2f7993b69f8c048853a60bd70dfc1a9a160d0347

SHA512
7ea9bc39c41269cf67290b024a12b15f3fbd175de14132dcace98c190206948afe1991921d9e80d88a64cd3c0018447c81363e3943d674e57285a8a47ab7e6d4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
e7a9e7e37baa14e0c2c6614acf0eeb23

SHA1
85beec8e4c1a875e4e5b4223a6c2861303298e7d

SHA256
dc694847d72df3bfd4be118becbf68205821af2a1b03df6159a5f1290a451c12

SHA512
d6f5304f3f31414831dffd9b62907bb47c2ae132f7ffdbb968c09788b3709719b4fa0297549275188563e246e9f3735b1dbd93169f4815adba2400e5060dfe82

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
25937a377762326f880b26dd53d3a5a9

SHA1
9b1d5de88d8c0d15949420000aa9cfd360a4b96d

SHA256
841c64bf6be523c636fe2238d7cfc5852abb81aac4f63e68963d11f889dd9062

SHA512
0ef128f4260553c33fd290cdeb53fe86ec7ee6ee4e3ad5a12eec39fec25d0b7077bcf47c8895db57bb3c7d70bacde5218116dec144d38bce2e88518f1d05ee23

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
213dc139614cc643696992ea9c581cbf

SHA1
c6963bf0053797014a7201a51a551778576edd9d

SHA256
db15c4336de1d1551834e698b837e8f0ae2c04720d4ce4ba702243e5231c099a

SHA512
1434f3d4750fa7b76454a6b746fb46645aecbe51875f734c5a9812899819745a67d32b88ab5a55b2b22201140ba0b14166c3d0a716d4ac1af3af81fef552dd63

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
40077e58c61fad92519e140e0dc34022

SHA1
2cce66177530344f88e37eb84f0043be701bf444

SHA256
6e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0

SHA512
20e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
25176c043f00a01a1b4407149e53a050

SHA1
943830e672cf7c62fa42957eac5627ab270a8a71

SHA256
fe494844fde132fefd15eae656db694a046d8c09b757f49930b432493d68202a

SHA512
e63a3e5aa6176d174ef2b7dac2cdcec943de3bd22edce8c9a8af87ad2a16799c4a6a7fcf731cafc67809cbb2c60e667469e13cfa4683ff6d7ad0c8617a500145

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
d20553a998aa6252a011b24694f507c4

SHA1
e74cb7b78fed34c7e55bd3edb979ac8bcb1db26f

SHA256
a528f373a316b5adbe0236e3f380c648f607d2e5185c3f18459d702f4d0197f6

SHA512
4a4dc76abc7a6b95735337a305e7258c401936fa2f3298448d2904b055b5b19d90efa3d40c04c7caab07bbd9b327ade31b55dcb8d38df3cec754766137afbb83

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
54aa7d416f0488581274f5ec16515db1

SHA1
d3d3942fab80e6769773a862fc76ff33ec87d1f8

SHA256
d55f998b8a96c588b5d4bf3873d0f4cc7550e5fa2dc31d336ca809c575acaeb2

SHA512
d9029a8eed802d6dce28a8f4419d91e6e033b148247692a327823c242332fb42d831be7eac4f1e432ec2b69038d39a2e0b3f7e901f121ed57c0382da2fd43f59

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e63e3768f6cd7cd1f4742c19c32d1c6d

SHA1
2e1c91e28f1723868f1c104ca296cc3edb3c6fd4

SHA256
01dc3dfa34c599a47b32380e6ddb81e0393b3926098e62f850b518e5fc0f2594

SHA512
84b5f2e7a2348dfaee280400bef8166d54141348db8e1c6c4300489a067e5a94287c7cd4dd398cafbeb124d119fbd2a2cc4f98cf0f245dc96c4d286336f9ce84

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
0d8f0c80380fc1fcf990713343a95e49

SHA1
9f762750ebfa8643c3e24134f068e9d5ef38814f

SHA256
b8a4fbc285a12943630e5612ea6ad350572c961e211736238867860b445a7d96

SHA512
4324f165741abfadffff6064fca1338572915df23ff296e5b89e4b8f6e5f0503389d2df42bfebe799c37efccfaf426371649cae21b55a9ff8f8318b1da978ed7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
a49c5600346d36518024981ceb40f6e0

SHA1
e58a08ddc57e80b0b133ca25683b22807cf42053

SHA256
72a357b630fdf524eccb97d5d7d3142d38b6876e02f04491df5217c99d71a0d8

SHA512
60ed4f64b602b7a425a2d15c4dd5ef788701209e1212c3d4079c07cced42a82945f42348e6dec7a6abb25b19a18a46e969f3303506b997164bae288d1306b5f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
86f9df05cf1b99c14e9bb8da6ca9bf39

SHA1
e39aacf37ca58f79bcc1b6a67a601c07a99baea3

SHA256
2790e07c4de813a4805ee196e50917909dfb359c62e5762c89080541b970f85c

SHA512
7426eb726e243b5f11b54607fd4300d005f224a7078b8892792bca3dc516cf887de513fd4c19a850ab76b1f2dcfb359427f02e12168a7a6837262df898e8e23a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
759ee1d71cc823cacf98edd0dee034c8

SHA1
b2df11f66d31c092ab43adcf6f36005e4922cb61

SHA256
21815f3917553b7bfbc353c2b9716e6e1c708fa28fec349e4e5ff370706dd717

SHA512
39d710af26b282a021f32dab4cf5c50a5aa681e70bf23afdfa7b05fa30b77b0b5ac5b8db91ec0ce5c2fd4f68bea126fc14fde6f5d9833dd7c499ab5a20793361

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
2222bdd702574f106d09352b8d3f9c14

SHA1
f59a74017290972a7e2f4af55a156ce6467ae2c1

SHA256
6d7df0fb4bfb00085b2aa40309bdfaf57bcfdc98aff8961d2022d9e97b11f031

SHA512
6c2ec3b38079e6f0abd8799db7c72fedda57fbf31ddf3dbd8a9782940317231035389187791b3b0ec2edc1d90febfb946226e14b78f0808a88ebdbf6aab33a1f

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
4cb35b9e149e2a852430825f3ab4bd4c

SHA1
1c525fc8e58619c0bb55b1ee56f632bd94848881

SHA256
75f516a7c09c56d0f33a034ccc92e897b0df7fa4fade644c784dff5aedd88238

SHA512
28dbfabc2248234485abeddc6ac2b045eb6dbee5fbc570f91b1c5bf40dc6ac0f50d51aa04349f4213865c4fcb44e459c9d86aed5856e68343c9544c7a4df2a2b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e39dfc41ec5c1d5a284a3b16a7edde3a

SHA1
b11a44ffe192a84ce59dfa7e7485995b885f5060

SHA256
f2714dd4f107d33fd9dd12696b8e1c4b37c71a1cbc9ba6a1c306a75072a2f05e

SHA512
89a4acc0ae3fa1de144c584c1c93b7628f15615d3b2577c542e778e2e9e992d03766e24f275ebf9d9275ca7172212755c00a666fc1f1d14ba55f3995bd1508ba

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
8336767d5f308cf9fc1c8e128728793c

SHA1
85228fcfd30b23eafce0d0ae60e0ff5716c21868

SHA256
24d391c03ca0cfa45e5986b783c42b504f5451f885b51459b47e8aa4aadddeb9

SHA512
0658982a828acde9cb7abcd2303b849d6766e5552d9fa05bdbe2cc2d369d8ce46fbe0f68d21db7874f93e9cbfbf6e0ceeaa0f8ed285a6cd0eab1bdd451f341fa

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
21aae6d80f226067b943c7c957d0f2ff

SHA1
9035c13f4f8c551d74f29b2d964756f6e1eeee90

SHA256
78e1ba76d1daac92f73a9476ccc1e01ea8e0ec4b3749aca553799e69b17ca956

SHA512
f042fa9af79dbdfab10bebcc4599c2010c4ac7b22fed8dfe6aa919775fed1bea9d080b3dd1d699f9bf362df79423fe3861f752ef0d668399189a2830d3dc2a10

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
69c766577e92fc6162371245b5889450

SHA1
f341cf225fce27895ddcbf446edb7527351b27ae

SHA256
0dcd26c0e4110bc1e7fcde0ae3522dda9d40c8ae7d1a17b962de4cf8849b2d29

SHA512
c1ef3322bad34a33a9debb0bd90baad2c544d7a50cf296fc0f7c4ac914426ff05dd8119ca5f519f6c3434e2108483402c0369fe8e19c4288f9ec37205753d965

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
88c88f516de123564b7b5782282ddcc3

SHA1
1b797ea00be1dfb78aff2b9d54fb74fdf337b85e

SHA256
1bd5d4725a81317a7d5206fdfc76b15e84f85ddebdedf2748c04cfb961cf1617

SHA512
384b81096db995eeddc39023310fac3877067a6b9093530b0bf37ea05a2758ffc5584f1d6220c7c75225e2916b2b68a6b54f4bc4639e5c9be28c3979b2bfc618

Download Submit
\Windows\System32\alg.exe

Filesize
1.6MB

MD5
4926f7db7555bafbb33adcbba5047b30

SHA1
89e5059cc91514d5e06cf036f1130d63838a2f7a

SHA256
5e7e051ab407d55dfed9ea8c6b4c22a52c9d6ce68ee34345e71cf9371954dfa9

SHA512
b9f7e36d58ef8cacca193c3cd6ea54076ba9d982e382ca13d4d9db9c4c267f305e7cd830aeeb560e1ab95d7a3598e176448e3e517c6af58fa11053dcc859bda3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
7400b40f0eb408ed074ae1f80f40eeda

SHA1
5df4dc44a187e09e937d5cf624c2240eaee1793d

SHA256
ee439a09dd94fe47c2dbbee6fa1fb3865b0c734732f57fedea90515a22cae3ec

SHA512
62313524e1bb8c3ff0247103b4de357fcf5e5994f22a98e9e4920ca04614258776904750f1250023d10abf9db6977e5651bcb10cb1e1cc5f9a40029852436ae1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
bfd51349bad6bd2116261922cbb6e64f

SHA1
3c2becfd1d19e917707790609089d76edb3afdfd

SHA256
80e192ff2752c332b1a953ef785daab3bf791d74ec249455fd1c0c95be136ab3

SHA512
5afca0eea5116c1b1b967cbc7abc8c725fd1037c4ca2478a61adc448d3a79b92d6fb4e89cf0da2a879d2675b1c3d90f546fbd84e3b6bd51727eaa1710d93f021

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
a703306629010280e61fed628001dba0

SHA1
89ad48f784c1b9c76fd01f558e17786063622d57

SHA256
f1b8a673532e2526af4d76cd140e6b07866e22746f9fb5a924247dea239f3c85

SHA512
372eb65cdea407e9261bc30a01b0dbbc321055fc599226ed52b4c4bc36f6fd0714bd4827642927081d0494cd54aca90c52d9132850dcf487130e3c5174c09085

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
76b35da95e6c959480028a0d4964dbae

SHA1
3966df9e4d81856d019e2d509170dc9163a30193

SHA256
c6438f322f7b6785c06480d8d6fb9051c1c09b8127d38d6a4986fcdc032876ac

SHA512
4cc2deeacebd5d2e571beeb713cc95a16f43613b663a2e9ee13009c746089a3846bfe2ae533e4af50fe92e30254671c33b4e55184badfe4f937eb8982dad40b3

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c652cd89bd40b7e61597a80b08dc42d5

SHA1
c7c382e17694b968c3a682d9108085cff8ba3fb0

SHA256
254e820367bd1bfaf630619b6da35deab26f52edfeb5b2eb66da76b9ea2e5990

SHA512
1bb32568a718b4c0a08bc62c2b13daaf8abab7151b5e59a3769872cb05ec07c832ec1a3d5591859746591a4efaa5096965d034e334fb7b7ff8519f779d80cdc9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
4c6e598b3804103f10877a24c795f22e

SHA1
427f115fc3f57d95f83c860de4d51026e4f3a5fc

SHA256
23c661f284beb90d969360bb56a23fb01359d67530baca7e17a069f6aeab798b

SHA512
801022b4d6953e1b7028bd1cbe816698c030859b5840843636cde2792407405d12dc6f334d92a30237b43a70f5addcbf1e39465173cb0da271d9acfaf35e8e72

Download Submit
memory/580-272-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/580-285-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/580-284-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/616-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/616-213-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/616-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/616-75-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/856-73-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/856-0-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/856-1-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/856-7-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/884-290-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/884-281-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/884-286-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/884-219-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/884-289-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/884-209-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/884-207-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1044-46-0x0000000010000000-0x000000001028C000-memory.dmp

Filesize
2.5MB

Download
memory/1044-88-0x0000000010000000-0x000000001028C000-memory.dmp

Filesize
2.5MB

Download
memory/1056-109-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1056-105-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1056-236-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1056-116-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1480-256-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1480-162-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1480-277-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1480-280-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1480-157-0x000007FEF3E10000-0x000007FEF47AD000-memory.dmp

Filesize
9.6MB

Download
memory/1480-268-0x000007FEF3E10000-0x000007FEF47AD000-memory.dmp

Filesize
9.6MB

Download
memory/1480-283-0x000007FEF3E10000-0x000007FEF47AD000-memory.dmp

Filesize
9.6MB

Download
memory/1480-205-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1480-211-0x000007FEF3E10000-0x000007FEF47AD000-memory.dmp

Filesize
9.6MB

Download
memory/1644-200-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1644-166-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1644-164-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/1644-190-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1644-191-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/1648-216-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/1648-204-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1672-215-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1672-140-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/1672-275-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/1768-294-0x0000000001000000-0x000000000127B000-memory.dmp

Filesize
2.5MB

Download
memory/2040-92-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2040-111-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2040-93-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2040-100-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2040-108-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2040-118-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2040-223-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2180-245-0x000000002E000000-0x000000002E29A000-memory.dmp

Filesize
2.6MB

Download
memory/2180-252-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2224-197-0x0000000001020000-0x0000000001080000-memory.dmp

Filesize
384KB

Download
memory/2224-196-0x0000000140000000-0x00000001402AF000-memory.dmp

Filesize
2.7MB

Download
memory/2300-14-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2300-13-0x0000000100000000-0x0000000100289000-memory.dmp

Filesize
2.5MB

Download
memory/2300-20-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2300-91-0x0000000100000000-0x0000000100289000-memory.dmp

Filesize
2.5MB

Download
memory/2324-122-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2324-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-129-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2716-225-0x0000000100000000-0x0000000100297000-memory.dmp

Filesize
2.6MB

Download
memory/2716-229-0x0000000000530000-0x00000000007C7000-memory.dmp

Filesize
2.6MB

Download
memory/2716-237-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/2720-106-0x0000000140000000-0x0000000140282000-memory.dmp

Filesize
2.5MB

Download
memory/2720-26-0x0000000140000000-0x0000000140282000-memory.dmp

Filesize
2.5MB

Download
memory/2780-64-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2780-59-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2780-58-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2780-131-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2944-218-0x0000000140000000-0x000000014029B000-memory.dmp

Filesize
2.6MB

Download
memory/2944-220-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/3016-54-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download
memory/3016-36-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/3016-30-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/3016-29-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download