469ff5ae5353e63209189db38af910b3b43456b418caae6be39fdc2d4e5eff04

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Size

24.3MB
MD5

23f4803820fc80766483d790a73f3651
SHA1

ef7fbf615f96cfa247ff2c1a86c13a496442ef01
SHA256

469ff5ae5353e63209189db38af910b3b43456b418caae6be39fdc2d4e5eff04
SHA512

ac85192006d0abe86917a45d3905f51c14b2edbc35d2a64ea323076a7b5c06651792b9f5be390098c857d416a1563d4597a0c781526461c5996f19656de83c6f
SSDEEP

196608:LP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018O:LPboGX8a/jWWu3cq2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2608	alg.exe
2552	aspnet_state.exe
2424	mscorsvw.exe
1028	mscorsvw.exe
2760	mscorsvw.exe
1524	mscorsvw.exe
1564	ehRecvr.exe
1556	ehsched.exe
1852	mscorsvw.exe
1104	elevation_service.exe
1200	IEEtwCollector.exe
1068	GROOVE.EXE
2224	mscorsvw.exe
2836	maintenanceservice.exe
2204	msdtc.exe
2724	msiexec.exe
2892	OSE.EXE
1884	OSPPSVC.EXE
2820	perfhost.exe
488	locator.exe
3032	snmptrap.exe
1708	mscorsvw.exe
904	vds.exe
2940	vssvc.exe
2748	wbengine.exe
2868	WmiApSrv.exe
2236	wmpnetwk.exe
1660	SearchIndexer.exe
320	mscorsvw.exe
1028	mscorsvw.exe
2564	mscorsvw.exe
1368	mscorsvw.exe
1556	mscorsvw.exe
320	mscorsvw.exe
2344	mscorsvw.exe
1040	mscorsvw.exe
1612	mscorsvw.exe
1928	mscorsvw.exe
2712	dllhost.exe
1724	mscorsvw.exe
2344	mscorsvw.exe
572	mscorsvw.exe
2564	mscorsvw.exe
2388	mscorsvw.exe
868	mscorsvw.exe
576	mscorsvw.exe
884	mscorsvw.exe
1528	mscorsvw.exe
1692	mscorsvw.exe
2220	mscorsvw.exe
1276	mscorsvw.exe
1756	mscorsvw.exe
2564	mscorsvw.exe
1040	mscorsvw.exe
2024	mscorsvw.exe
1704	mscorsvw.exe
544	mscorsvw.exe
780	mscorsvw.exe
2412	mscorsvw.exe
1652	mscorsvw.exe
2092	mscorsvw.exe
376	mscorsvw.exe
1468	mscorsvw.exe

Loads dropped DLL 31 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2724	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
756	Process not Found
480	Process not Found
1704	mscorsvw.exe
1704	mscorsvw.exe
780	mscorsvw.exe
780	mscorsvw.exe
1652	mscorsvw.exe
1652	mscorsvw.exe
376	mscorsvw.exe
376	mscorsvw.exe
1156	mscorsvw.exe
1156	mscorsvw.exe
324	mscorsvw.exe
324	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\29e68c1c2a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5409.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5F6CFC17-5656-4726-B407-B0D5BD9AB37A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4089.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe

Modifies data under HKEY_USERS 61 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D22AF591-A743-465C-910D-A12216335B46}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D22AF591-A743-465C-910D-A12216335B46}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1960	ehRec.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	2760	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	2760	mscorsvw.exe
Token: 33	1720	EhTray.exe
Token: SeIncBasePriorityPrivilege	1720	EhTray.exe
Token: SeShutdownPrivilege	2760	mscorsvw.exe
Token: SeShutdownPrivilege	2760	mscorsvw.exe
Token: SeDebugPrivilege	1960	ehRec.exe
Token: SeRestorePrivilege	2724	msiexec.exe
Token: SeTakeOwnershipPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: 33	1720	EhTray.exe
Token: SeIncBasePriorityPrivilege	1720	EhTray.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeBackupPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2940	vssvc.exe
Token: SeAuditPrivilege	2940	vssvc.exe
Token: SeBackupPrivilege	2748	wbengine.exe
Token: SeRestorePrivilege	2748	wbengine.exe
Token: SeSecurityPrivilege	2748	wbengine.exe
Token: SeManageVolumePrivilege	1660	SearchIndexer.exe
Token: 33	1660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1660	SearchIndexer.exe
Token: 33	2236	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2236	wmpnetwk.exe
Token: SeDebugPrivilege	2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2036	2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeDebugPrivilege	2608	alg.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	2760	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1720	EhTray.exe
1720	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1720	EhTray.exe
1720	EhTray.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe
1568	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1852	1524	mscorsvw.exe	37
PID 1524 wrote to memory of 1852	1524	mscorsvw.exe	37
PID 1524 wrote to memory of 1852	1524	mscorsvw.exe	37
PID 1524 wrote to memory of 2224	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 2224	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 2224	1524	mscorsvw.exe	43
PID 2760 wrote to memory of 1708	2760	mscorsvw.exe	52
PID 2760 wrote to memory of 1708	2760	mscorsvw.exe	52
PID 2760 wrote to memory of 1708	2760	mscorsvw.exe	52
PID 2760 wrote to memory of 1708	2760	mscorsvw.exe	52
PID 1660 wrote to memory of 1568	1660	SearchIndexer.exe	60
PID 1660 wrote to memory of 1568	1660	SearchIndexer.exe	60
PID 1660 wrote to memory of 1568	1660	SearchIndexer.exe	60
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	61
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	61
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	61
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	61
PID 1660 wrote to memory of 2556	1660	SearchIndexer.exe	62
PID 1660 wrote to memory of 2556	1660	SearchIndexer.exe	62
PID 1660 wrote to memory of 2556	1660	SearchIndexer.exe	62
PID 2760 wrote to memory of 1028	2760	mscorsvw.exe	64
PID 2760 wrote to memory of 1028	2760	mscorsvw.exe	64
PID 2760 wrote to memory of 1028	2760	mscorsvw.exe	64
PID 2760 wrote to memory of 1028	2760	mscorsvw.exe	64
PID 2760 wrote to memory of 2564	2760	mscorsvw.exe	65
PID 2760 wrote to memory of 2564	2760	mscorsvw.exe	65
PID 2760 wrote to memory of 2564	2760	mscorsvw.exe	65
PID 2760 wrote to memory of 2564	2760	mscorsvw.exe	65
PID 2760 wrote to memory of 1368	2760	mscorsvw.exe	66
PID 2760 wrote to memory of 1368	2760	mscorsvw.exe	66
PID 2760 wrote to memory of 1368	2760	mscorsvw.exe	66
PID 2760 wrote to memory of 1368	2760	mscorsvw.exe	66
PID 2760 wrote to memory of 1556	2760	mscorsvw.exe	67
PID 2760 wrote to memory of 1556	2760	mscorsvw.exe	67
PID 2760 wrote to memory of 1556	2760	mscorsvw.exe	67
PID 2760 wrote to memory of 1556	2760	mscorsvw.exe	67
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	68
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	68
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	68
PID 2760 wrote to memory of 320	2760	mscorsvw.exe	68
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	69
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	69
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	69
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	69
PID 2760 wrote to memory of 1040	2760	mscorsvw.exe	70
PID 2760 wrote to memory of 1040	2760	mscorsvw.exe	70
PID 2760 wrote to memory of 1040	2760	mscorsvw.exe	70
PID 2760 wrote to memory of 1040	2760	mscorsvw.exe	70
PID 2760 wrote to memory of 1612	2760	mscorsvw.exe	71
PID 2760 wrote to memory of 1612	2760	mscorsvw.exe	71
PID 2760 wrote to memory of 1612	2760	mscorsvw.exe	71
PID 2760 wrote to memory of 1612	2760	mscorsvw.exe	71
PID 2760 wrote to memory of 1928	2760	mscorsvw.exe	72
PID 2760 wrote to memory of 1928	2760	mscorsvw.exe	72
PID 2760 wrote to memory of 1928	2760	mscorsvw.exe	72
PID 2760 wrote to memory of 1928	2760	mscorsvw.exe	72
PID 2760 wrote to memory of 1724	2760	mscorsvw.exe	74
PID 2760 wrote to memory of 1724	2760	mscorsvw.exe	74
PID 2760 wrote to memory of 1724	2760	mscorsvw.exe	74
PID 2760 wrote to memory of 1724	2760	mscorsvw.exe	74
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	75
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	75
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	75
PID 2760 wrote to memory of 2344	2760	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_23f4803820fc80766483d790a73f3651_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 240 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 248 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 24c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 258 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 288 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1fc -NGENProcess 1b8 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 258 -NGENProcess 1bc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1fc -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 26c -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 27c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 27c -NGENProcess 260 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 270 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 288 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 290 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 294 -NGENProcess 278 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 264 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 264 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 260 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 264 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1864

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1564

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2204

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2892

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:488

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2556

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2712

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
f5b2153b64ff6e2e6f5cab1db2abfc62

SHA1
d7a378b42ce986773340fa28a7a2ac61be94c5ae

SHA256
3272971d4fe3d58ec3d5a53789b01a0136aa20da5e3b911fe162aea8fe32a5b6

SHA512
ab47de09ddef26b37245a4ad2c4b15c69c0e12279bf0ccea56d9045384ec0c922a91eeac60b4992a82a5a1a0358c6c10e32566b13c45db53d4a302cde8f29111

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
76c1a9854e496f1d2bcc3525da9acef8

SHA1
331ba7d6cf37919aa2d75240be8b3f3752591283

SHA256
55e8d6f158b0ae038b9eada5576c415c56858e1e96d69df98d96454ec4455733

SHA512
9fadb2407a232628354c07feed0d26a547b1a5a1dad80180e03010c0cd33b0ddd6db96a8fbfa46e3e95d079a96c335a3dfb03d6f4e7e8f9d4c86595aa7b0cc1c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c45916edffef1166e219bd3f3d40836e

SHA1
c5b0cb8dd86a8f6f0c52b6ebb706f695cd3ccf42

SHA256
5c564da3fa59a4cb5da858123c17b183cb2fee3a608aa64195aa4401435db099

SHA512
66777f9bc86a9c536180e45a934027b00bef55cd00ee70d3090440adc71b2908e576cc31b7d6283dafdc99cff27c6579307dfc9463fcd0be539c95068f49d5b1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
25566d8bdaa75132dee5405ed8c29b91

SHA1
fa75b4fed43fb100dfe9a06cd87af0e7388bcfc4

SHA256
042ae1d8764ebca8e2875a130facecbe6a8ebbfe9c517d2178a324f30d05b211

SHA512
fe816cf52b813e4b496e9590ff52268905179dc7bb7a7b02a47c725a98818e24c47e7e0bf11f8b71ac327dca0c2ddafa66976e1f7a2297b48683748ceb33724d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a00d5f7e30f02fbe960f3aac351b6d33

SHA1
9adeb803a9381b8db826274012c7b4eecca790cd

SHA256
1d93583af549bd264caf9cf69bc2df7a2ce0a104656d1d7efec9b74b73cb7cbf

SHA512
83a77a5449885481561588f0dd8937bdec3f8edb2496710c929e2d15ab3344ab7e5584d89ba6af10596a31f18692ab9f50401d07261eb3c630a5c39e398189b3

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6981ecfd697e640771247b6fccf8e87c

SHA1
a90c65819e4d380f04baff231754c906c5d72c1d

SHA256
1a98ae8e728e5be2c30b9ea3d90107360dee9a2f5b7f8f1d9b5dc402ca2b11ac

SHA512
e7e4360395fe59c52f35ab38cd775644eef37724a62dd4eb7088ade6037409b67f090f6f14046560c011d311597aa9aae226905b8b12337ed8bd7435a91dbfab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
e99050a9906e38cff600ebf69b2df230

SHA1
5653b4772b4c056480909bdf7b90f40dbd7c890f

SHA256
31ac1ef780f83343821daff38ef6a5b935c2ba3f92b6724cfda8369032e01e87

SHA512
a9a32a1d903b668fdec512e711ef7d23394338c8d9060da5c4078f1c1d7c8a9e9ed5955299005961ddb7d8f286276219f06b7c15be1da05cfedcc2f2f305b3e8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f6bb06cf69d2a315ad71501ece59817e

SHA1
1d4e4c6318baa10b7ad0b318c5b3549f8d14404b

SHA256
35ee14cdad216ab3ebd5208556970114dd699ccc48a5d2c62ccaf936d0f7a817

SHA512
8884a219efbb32885d0f0b161fa3ed2d14db9df60c5fe535b99ea11bc3d223c08bf3ed96a67e205a973e4632f26f0b97b3c1fff8a276837c593d37e8f21f6827

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
a1affc9d689f9fd4575eba080db07b0c

SHA1
c2e70be1bad9d2a3dc627f0c22bfa2af5a187689

SHA256
945aea6fb373138aab35fb2c0cbb14a771504ca68dbeca95c1f55847a12c9a15

SHA512
b0392cc9420d68a577d792ddec7138f9f79ddb082f4bc15bbcb222ccd64cf2a7a129d42543ccc0e7cbb6f70e9c274d29b4cd31f087b672b653ae1f9ebb07a2c8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
46a54bd65ad36b7b029645de483086cb

SHA1
12049abb07e6b359ceaec3b48186143ce29e7571

SHA256
415421fa75fd06e437342e55502c660e5c55f56b19c41c36d17ebf3674ed9291

SHA512
51a2d1604ca3739c7abc19586408767a1738ee7143d6365673a51083bcb0b983a89fa1296d6f22dc7c1b70fb0b6fbff19c234de6927991e0a380124451ff5562

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
3e712c7a33ea5bea6799284a379489ac

SHA1
1b7ad22c676b6368fa5b94e96a0f9242e5975efa

SHA256
7cdd194926d9025e8f13a2db8dca97bc6bd936ab87c54d33c5cb90e5116009db

SHA512
729c23ddc2fea5461e4e3608a93271db5d92eaa6ff8fa02291c04d00dfdddf1f7a1547575e42957a5de349819ba8f47b720243e8d9e777381a57023ff6e9a0df

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
73c9097de0cf5e018f8c7a7f987adc67

SHA1
f16d03d9abd882d78499f0568ee547dd43694493

SHA256
d05d86d919b8e6c0374f911a4e5765a17828e58593f3086c6c7fd468fc972457

SHA512
1d56a9c02478d3f1877e79db2ff6652af70525b85ea82f2a2a0de045db94ed9db9706e3dc80f4533b9f6a2abcd8857809ae02cacaf6768dc55ff8ee242aceda0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
3e515bdb08c83dabb034ad121daff909

SHA1
5da0afc83015f9d6bf52166b810d68d537c9c9ec

SHA256
c82a75d397a2a7e71595079e8792d6650cd65dbe10ffd731f7bba2515c71f4ad

SHA512
ec0f0b2f233a3259b119f82ea1af385035f62fc269c3221855af36ac52d7d8561c1858ab42b0c0928b6195641fb00fd030a4347c93a7cba4f6ef7c446b1dc07c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
17fa6aa4e002d4776c2ba5081e837cb0

SHA1
cd163fc1cad4bf02c0801951d7e525345e4a6df7

SHA256
c9d9d611e9697be9880d2bf69351fdf0bdb67226ed8b2075a21b04db85ed73bd

SHA512
4816fd6fbc99b7c81bc091a1d11b9d5febc4f23c51a9630eb640d5d39d8f52e242351a0306623895f575f096eb348a631c049b629701be22b07c772feae39c7a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
81391483e204e0a9f8b04538855ecd6e

SHA1
b84efa570487ecafe27a6b59622a08394ceefa7b

SHA256
b12dc3078937fb59b5378b7795255f6283c27f54101e157a5cba2418b7d9441f

SHA512
002fd4f7b585e510830e33deab4ec9dffcbf26965a7be7f168febc6ae6de68f6e7128925229f7d5ac8095a8fe887fff40b9274a9f262edd8b7250c99eaa04c90

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
4e092a484139f8c3485b351eefc0b3d9

SHA1
a68567134ce1946be6a97284a3f89a4e3c173d3e

SHA256
2c60ede2df4e4b8354748adf4199e6ee918c2b3c23b54b1447ee173cea8a05ad

SHA512
5781e6b136f2c4a0264060806d2e35ae264d5e9019f1f6f5dedcb14439ac2ab9cf7d654743298f14624e5ae764dabbb727115096f8c90da4eaa1673342f908d3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
d3305aca2e59bea9184049e659223244

SHA1
c7cdb6a87b937a888361065644f893b0a4db00e9

SHA256
90f54f5a4a17642db1d4375926ac59ee57c5ffe8f6b0fd847665c3dfc018eafe

SHA512
d7c9d8e5a45f513e01824bd6b0833b9fc0b327975d9d9b3c791204c720a4c1f728f16b45dd58887745fae4a22c9aedd6351bd56db222327fbb9739569f2a20d6

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
66e16e712e92b10315af124033f5d378

SHA1
31851c6476a5e9fd8cb6cafe706fb16c2f690195

SHA256
596b589db63ec153a0e6c0c97b6e7de57ff8d4d7f5431ea4ac9c7bfe6cd3931b

SHA512
0ce57638d2ad03f6e278a05d1733f2706742b56a782f66d2e85b1e6a8ef42cfc9507f801bea08419d56e2221f202a0770ecbd00c86899bb2c2c3482d5abb628e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c699917464958d7fd09905810a6178ff

SHA1
eb033bea7a0435b46933cd9e9179047839d8b26d

SHA256
1623df85b06691b10c2f0cd903445f0831a0fef2e3eb14202ee1868ea17915dc

SHA512
f4982ef2e2fac01ac842cbaac1769a1d0853f1a7adbf06a7246c6ae5cff0f3d7139ad5bd2e3d42c901d5a0fc9ff1087c8b6ea6b1af49aee2c055d7b764cf3932

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
0b58bd0f19979c56936caa2aa9cb4031

SHA1
ba0181df2347a53d043258990f565a046edf94df

SHA256
84d04b85da69ce15d0da265a252389ff138bb4983ec088c5ee8c217410185f93

SHA512
79b1a283da1ce0e97e4d8512039807b7fa2cec43e0358f29e5fab496b6537a3a7910cb0098996a616b248c53da9bcf82ccb7ba5a115985056d80208fbda3468b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
2df5ee050acc71f65c7926820b9bf6f1

SHA1
7d073204813f604dfe264e3dec4adb28042c2684

SHA256
a0cf49c1a433f7081fcea310d9eea10f846799af14362867911edec280357ae1

SHA512
93bee4cb7b173adf4828c6287ced46f360f26537473b23f562986c0165836f035bc596327ac090c66893213e374244d4feddb4a6d839b099c9415ba82900e7e5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a38dc6baa1fb5e6bac84650428ff12f2

SHA1
58fc2c9fe1614e3a3b7e0c8f4c45f7152a09f1e1

SHA256
f09ad5785628d4d9f3b9f14ccd061bc22579cf1f280091de7308903f80d2027d

SHA512
45df22a5acf781cd259184ce4a788bc1d5715e216dd04323a93ef2d5ba2b224e90af526fca39065842c54fd19c5b3d418029dddf9006e0bb48ebdf9ebc4e3e18

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
724d7dcfb26606122930a8cc5d602aa8

SHA1
e221e75d14ffde543912e2ba3aa677bef394377a

SHA256
30bffb4236f52bb27a96ffdd53bf0659a5dc3356cdd1a4b9f2757f6cea37f1e4

SHA512
4ea85305d55a63bfd388322bf22c6c8d7dbbcf84f6e69eaefab81dd0f5e9ba199089765d76b89f01301c9d4548c25211ef4cbae7d0f337420e6c9ecc4ed65e91

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
9ba7f53993340c976f632b0299860b88

SHA1
38ad687b131db5936a20636ad9afb175593d5445

SHA256
401d7e90e6357d1f7f7b81120a8eb66af4d7fca7a8defeff806ae59a81179f72

SHA512
e4fb1f97d7a3d713ffa49d7b4a6d76afae49e9e1caed3606ba90d2a6a319f34145446b9ecd9c701eac823940c1f69c548d2adf600e8ca86ae74181fad9971ddb

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
502c2d285032a82cf9b9575f1e8b61a3

SHA1
0b92d0c56a0460e0c7af5d07c804ebfdc2985fb3

SHA256
0e041d384146d777d76c6e709841db328199d1ebacf6d18a673432110397a1cd

SHA512
730e07b9a2769f4ad41bbd170fc30e439a46455da411fcefe6218389ca55e7cb0584a3bcc0ad0b4d2307124107c56cf3dce5eb3a0cba60893245c1742ebc2f3c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
f079c3ed00e8dba12f11f82cf9710f50

SHA1
fc520d05aa7ae8e14a47cec5e71451f51ece226b

SHA256
f5f107cef8f2586fb93f905154b66db832441968dda3c8561da3bc02cfb766d3

SHA512
5a5637d042aff1079b9c138e2fbbb2ad4eb2011756220e69741725592fe69f9cda93d905a16470883a685db71b6654f0a834eea0fad99d704006e00347ab1144

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
95425fc3b1281a72faad210da54db0de

SHA1
c0f176950fd18829d3944f5887c566cee32f593b

SHA256
a7e51206240abf8ed338e33b60bb4d173360d3970c8d880f4eb9fde72ccdd2e2

SHA512
4ada51a9cd702c0f89f688064381b1002a93bb1edf7be141294570fc2a5bb088a44ff67afdf282f108b1f03784b8a4aa821d5ec3ba8482521ba968d4b029a689

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
bcff6389ed790132a42796d7f81265ab

SHA1
64269fbeb077771026d36443886f2ebb4f538513

SHA256
166d66682cc04ee9a1afaa126629afa22e305d1ee902507c907d65569c22dd22

SHA512
b2ec637327474fc5140e956b0214d72d7d81a4da6fc4303db12ae5e654aaa5819fed89818563261b5e09caaa8f56dbb6e9fde4eac59b35fe986fb32c4a84f12c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
60659e0f19b0a681be5e9145048df7a2

SHA1
da457d9b98f0bf29074f077264162cfaa1620584

SHA256
9730c68817899259313688e62ed31198f58a94daa134e5052717f9a2ba5ef423

SHA512
344e820dce53d9411e1b76d184d25191fd273d64d1aac0a75387d5957959fd7c99a94d77c935d84c140f61eb11834b49e152aa5268a570fe7a38e6bb6f2d9979

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
95acec50389b9433789c8d01af8ad724

SHA1
ca5df03eef6ec10ddbe374d3917b9b81b28f1f28

SHA256
b98864e65f9b1937f18e6d7c522ad7c82ca325c5722ce6064d3930d66b2a4d04

SHA512
9bcd48a00e167b0ca2d7038a98d8faf0430be495f952f44037e309eb7d1bfc6d718a2d1f11eee8d14860958ef4d9d41d6c9f2bca471716fb9b6abc0d349ff90b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
6a88e3f7fc7d33ce163204d4e4e4ddfb

SHA1
1bbaa5e41ad3fbeaac1d86f4cff0557321272e1e

SHA256
6d8b5678898863008fc97f775804aaffe161dd0e230fca207bc460561b9279cc

SHA512
4273536353dee6cb095895dea82641e6536b5d6394ca5e3c3d4c88273e3fc8da110b3ef71fa9d5bcf9821410df5c2fd6d316171db0db4631941908c4b5c99b9d

Download Submit
memory/1028-46-0x0000000010000000-0x0000000010290000-memory.dmp

Filesize
2.6MB

Download
memory/1068-238-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1068-177-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/1068-164-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1104-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1104-153-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1104-160-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-156-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1200-155-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1524-74-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1524-186-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1524-72-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1524-80-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1524-79-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1556-121-0x0000000140000000-0x000000014029B000-memory.dmp

Filesize
2.6MB

Download
memory/1556-128-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1556-205-0x0000000140000000-0x000000014029B000-memory.dmp

Filesize
2.6MB

Download
memory/1556-106-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1564-195-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1564-123-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1564-92-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1564-105-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1564-99-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1564-108-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1564-212-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1564-94-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1564-100-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1852-152-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1852-125-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1852-217-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/1852-219-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1852-113-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1852-119-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1852-228-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-260-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1884-270-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1884-272-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1960-176-0x000007FEF33A0000-0x000007FEF3D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-275-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1960-277-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1960-241-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1960-167-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1960-239-0x000007FEF33A0000-0x000007FEF3D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-245-0x000007FEF33A0000-0x000007FEF3D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-214-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1960-173-0x000007FEF33A0000-0x000007FEF3D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-65-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2036-0-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2036-5-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2036-7-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2204-208-0x0000000140000000-0x000000014029F000-memory.dmp

Filesize
2.6MB

Download
memory/2204-271-0x0000000140000000-0x000000014029F000-memory.dmp

Filesize
2.6MB

Download
memory/2204-220-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2224-247-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/2224-183-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/2224-193-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2424-30-0x0000000010000000-0x0000000010288000-memory.dmp

Filesize
2.5MB

Download
memory/2424-36-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2424-31-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2424-71-0x0000000010000000-0x0000000010288000-memory.dmp

Filesize
2.5MB

Download
memory/2552-27-0x0000000140000000-0x0000000140286000-memory.dmp

Filesize
2.5MB

Download
memory/2552-107-0x0000000140000000-0x0000000140286000-memory.dmp

Filesize
2.5MB

Download
memory/2608-21-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2608-17-0x0000000100000000-0x000000010028D000-memory.dmp

Filesize
2.6MB

Download
memory/2608-13-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2608-91-0x0000000100000000-0x000000010028D000-memory.dmp

Filesize
2.6MB

Download
memory/2724-242-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2724-231-0x0000000100000000-0x000000010029B000-memory.dmp

Filesize
2.6MB

Download
memory/2724-233-0x00000000005F0000-0x000000000088B000-memory.dmp

Filesize
2.6MB

Download
memory/2760-59-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2760-53-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2760-54-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2760-158-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2820-279-0x0000000001000000-0x000000000127F000-memory.dmp

Filesize
2.5MB

Download
memory/2836-191-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2836-265-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2836-198-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2836-253-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2892-255-0x00000000003E0000-0x0000000000446000-memory.dmp

Filesize
408KB

Download
memory/2892-248-0x000000002E000000-0x000000002E29E000-memory.dmp

Filesize
2.6MB

Download