89be0975fde23e929437668dabd3e160a2aab4a619bb9bb5ad2ff6409c170a7d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Size

24.3MB
MD5

0601137b05a0b33aaeb22914b19b1800
SHA1

499cbf1618d202af191c0cb39be7fb58084a5a32
SHA256

89be0975fde23e929437668dabd3e160a2aab4a619bb9bb5ad2ff6409c170a7d
SHA512

6fdf0c80ac47074c75fb9ce21054f31361043be3b7b63b1957436a267ff840f49cd6a303326e84dc848f112e2370096540ca3ab10058274be7f28e798501124c
SSDEEP

196608:kP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018TUoiPBx:kPboGX8a/jWWu3cq2D/cWcls1a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
480	Process not Found
2372	alg.exe
2660	aspnet_state.exe
2476	mscorsvw.exe
2876	mscorsvw.exe
2556	mscorsvw.exe
2248	mscorsvw.exe
2100	ehRecvr.exe
2028	ehsched.exe
688	elevation_service.exe
3016	mscorsvw.exe
1708	mscorsvw.exe
1724	mscorsvw.exe
2568	IEEtwCollector.exe
2436	GROOVE.EXE
3036	maintenanceservice.exe
2092	msdtc.exe
1240	msiexec.exe
240	mscorsvw.exe
2184	OSE.EXE
1304	mscorsvw.exe
2108	OSPPSVC.EXE
1512	perfhost.exe
2068	locator.exe
1904	snmptrap.exe
3008	vds.exe
2692	vssvc.exe
2628	wbengine.exe
1528	WmiApSrv.exe
1016	wmpnetwk.exe
3036	SearchIndexer.exe
1064	mscorsvw.exe
336	mscorsvw.exe
292	mscorsvw.exe
1392	mscorsvw.exe
1668	mscorsvw.exe
2360	dllhost.exe
2712	mscorsvw.exe
404	mscorsvw.exe
940	mscorsvw.exe
1792	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1240	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
764	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\3ebaf0bd78a61a12.bin	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CB336142-D27E-4E94-96E9-794DAA529C9F}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CB336142-D27E-4E94-96E9-794DAA529C9F}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 59 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090ebe4dd9991da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{4942E4CD-3BB7-467E-8B34-0CED4E72D1F5}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{4942E4CD-3BB7-467E-8B34-0CED4E72D1F5}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1420	ehRec.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2556	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2556	mscorsvw.exe
Token: 33	2080	EhTray.exe
Token: SeIncBasePriorityPrivilege	2080	EhTray.exe
Token: SeDebugPrivilege	1420	ehRec.exe
Token: 33	2080	EhTray.exe
Token: SeIncBasePriorityPrivilege	2080	EhTray.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2556	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2556	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeRestorePrivilege	1240	msiexec.exe
Token: SeTakeOwnershipPrivilege	1240	msiexec.exe
Token: SeSecurityPrivilege	1240	msiexec.exe
Token: SeBackupPrivilege	2628	wbengine.exe
Token: SeRestorePrivilege	2628	wbengine.exe
Token: SeSecurityPrivilege	2628	wbengine.exe
Token: 33	1016	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1016	wmpnetwk.exe
Token: SeDebugPrivilege	2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2860	2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
Token: SeManageVolumePrivilege	3036	SearchIndexer.exe
Token: 33	3036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3036	SearchIndexer.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeDebugPrivilege	2556	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2080	EhTray.exe
2080	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2080	EhTray.exe
2080	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3016	2248	mscorsvw.exe	40
PID 2248 wrote to memory of 3016	2248	mscorsvw.exe	40
PID 2248 wrote to memory of 3016	2248	mscorsvw.exe	40
PID 2248 wrote to memory of 1708	2248	mscorsvw.exe	41
PID 2248 wrote to memory of 1708	2248	mscorsvw.exe	41
PID 2248 wrote to memory of 1708	2248	mscorsvw.exe	41
PID 2556 wrote to memory of 1724	2556	mscorsvw.exe	42
PID 2556 wrote to memory of 1724	2556	mscorsvw.exe	42
PID 2556 wrote to memory of 1724	2556	mscorsvw.exe	42
PID 2556 wrote to memory of 1724	2556	mscorsvw.exe	42
PID 2556 wrote to memory of 240	2556	mscorsvw.exe	48
PID 2556 wrote to memory of 240	2556	mscorsvw.exe	48
PID 2556 wrote to memory of 240	2556	mscorsvw.exe	48
PID 2556 wrote to memory of 240	2556	mscorsvw.exe	48
PID 2556 wrote to memory of 1304	2556	mscorsvw.exe	50
PID 2556 wrote to memory of 1304	2556	mscorsvw.exe	50
PID 2556 wrote to memory of 1304	2556	mscorsvw.exe	50
PID 2556 wrote to memory of 1304	2556	mscorsvw.exe	50
PID 2556 wrote to memory of 1064	2556	mscorsvw.exe	63
PID 2556 wrote to memory of 1064	2556	mscorsvw.exe	63
PID 2556 wrote to memory of 1064	2556	mscorsvw.exe	63
PID 2556 wrote to memory of 1064	2556	mscorsvw.exe	63
PID 3036 wrote to memory of 2932	3036	SearchIndexer.exe	64
PID 3036 wrote to memory of 2932	3036	SearchIndexer.exe	64
PID 3036 wrote to memory of 2932	3036	SearchIndexer.exe	64
PID 2556 wrote to memory of 336	2556	mscorsvw.exe	65
PID 2556 wrote to memory of 336	2556	mscorsvw.exe	65
PID 2556 wrote to memory of 336	2556	mscorsvw.exe	65
PID 2556 wrote to memory of 336	2556	mscorsvw.exe	65
PID 3036 wrote to memory of 1596	3036	SearchIndexer.exe	66
PID 3036 wrote to memory of 1596	3036	SearchIndexer.exe	66
PID 3036 wrote to memory of 1596	3036	SearchIndexer.exe	66
PID 2556 wrote to memory of 292	2556	mscorsvw.exe	67
PID 2556 wrote to memory of 292	2556	mscorsvw.exe	67
PID 2556 wrote to memory of 292	2556	mscorsvw.exe	67
PID 2556 wrote to memory of 292	2556	mscorsvw.exe	67
PID 2556 wrote to memory of 1392	2556	mscorsvw.exe	68
PID 2556 wrote to memory of 1392	2556	mscorsvw.exe	68
PID 2556 wrote to memory of 1392	2556	mscorsvw.exe	68
PID 2556 wrote to memory of 1392	2556	mscorsvw.exe	68
PID 2556 wrote to memory of 1668	2556	mscorsvw.exe	69
PID 2556 wrote to memory of 1668	2556	mscorsvw.exe	69
PID 2556 wrote to memory of 1668	2556	mscorsvw.exe	69
PID 2556 wrote to memory of 1668	2556	mscorsvw.exe	69
PID 2556 wrote to memory of 2712	2556	mscorsvw.exe	71
PID 2556 wrote to memory of 2712	2556	mscorsvw.exe	71
PID 2556 wrote to memory of 2712	2556	mscorsvw.exe	71
PID 2556 wrote to memory of 2712	2556	mscorsvw.exe	71
PID 2556 wrote to memory of 404	2556	mscorsvw.exe	72
PID 2556 wrote to memory of 404	2556	mscorsvw.exe	72
PID 2556 wrote to memory of 404	2556	mscorsvw.exe	72
PID 2556 wrote to memory of 404	2556	mscorsvw.exe	72
PID 2556 wrote to memory of 940	2556	mscorsvw.exe	73
PID 2556 wrote to memory of 940	2556	mscorsvw.exe	73
PID 2556 wrote to memory of 940	2556	mscorsvw.exe	73
PID 2556 wrote to memory of 940	2556	mscorsvw.exe	73
PID 2556 wrote to memory of 1792	2556	mscorsvw.exe	75
PID 2556 wrote to memory of 1792	2556	mscorsvw.exe	75
PID 2556 wrote to memory of 1792	2556	mscorsvw.exe	75
PID 2556 wrote to memory of 1792	2556	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_0601137b05a0b33aaeb22914b19b1800_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 254 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2dc -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2d0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 238 -NGENProcess 230 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 238 -NGENProcess 230 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 338 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 354 -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 348 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 33c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2100

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2080

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2568

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2184

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1596

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2360

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
80611b9191b2a7d3a10ea242c3530125

SHA1
5c0a41039e784eee7e6af908ca32ed151bac2b82

SHA256
521d96c9d1b9172b2d4c795123f0b22bbec7f88c684a9d454cfe53f0fd63fb89

SHA512
acec72e3a67114df4933b172d722c20943ea02e9b334846e79eb9f4fa2ecb1f21b8d165d2ee8579e9fa6898eac8d391eef8f0aeacb842a98ac21e6b486476b54

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f70e579521ed5e963a5ab49f88cb4481

SHA1
2e99f6a6eafc864714d591593229ff774cad25f2

SHA256
60bfb77a8f80df5c2873b15c2f208b876092d925e04cefb279dcbffa8ac0e218

SHA512
79d18b031cef29d043d2566d69618059420d208cc5de362d5aa5ce5124c6e7c6bfbff2fcdb6723e8f7094bcc670681e3d4a2a398f4888e9d320af3d0d0085bf0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f1f45bd18514b17aad1aa793008f2fc1

SHA1
a352a655f25b260d9c141059b1bea0a14d75c5d4

SHA256
0e3c7a1720e4621cc04283e444ee0aa09ce45ad70cca2b254e77fafbb56e36c5

SHA512
acfa9029c3005fae9abc34e73a986968004462294015c7735edc879d01871d65cf7ff8940d19559dab83e7797b62440bb9e0bece4a31c76fcfa43e6e3949ec37

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
618f22da1fd236d7a9a1fb70af37ead4

SHA1
c5148ffbf7853042304f006842689a98c4592aaf

SHA256
f0e245c740f714ac6a77d0f8b9bd65e018d72f01a12473f0986f7aa03f2488d9

SHA512
5acc8afe33966995155d3006f1af9650a6094f270abed5af6deead9331b4ea4501cc3991d65db57aebfb27d41686492745650ca1678e35642df0c36a204400fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
29d41fb1460d42b4bb00f2c1bd5be755

SHA1
37072ac90a0dc2379f66ac61e8838c58bbc737f6

SHA256
dd41d1e9670383e9656014f2931385b7fa8ca2d54d2c9c2fa2bf0ac88169f52e

SHA512
6f463ce16c1a451d0307960846dadaf932eb608e152fad18f559e63b1470607fe9828d12b9bab8452ab7c9f6a6eb94e077337839dda3709df03443723155594d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a60acc5e2b4310a198efac130d8c0615

SHA1
da8092b0e4ea931fe536d8dbed907976954e9bb7

SHA256
6fdd3c1d2d2598a27ffa2b7e61e58badfbefc167d953bf26cb215d16254ddcec

SHA512
34fe0d1e200ff9d5477301e6b4afd95789f00e03dd020a18b8a3968f76953c56a5b784ffa42fcbaee8337b84732e5242f67c7db5e1e758c13bdc0c79dfe6361e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
c4ac99e240e9da84b6cda57efe0a81d7

SHA1
2b3eb7b00b241e8805d1b9039dff7bc5bc1959aa

SHA256
aa729eb7ae56ce1f3484e744755c3d930f6acee683934c0dd9baebd21ea99426

SHA512
73e1042a0267c4cf5416018114c7c160dc0d085e56c4b08268cf53ba0762c0b62fcf5f985e8b25cb9905147a96fbd0dfdc91d2aef4b50c1331aee3a886d1583a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
5d7932a01c7189e5fea5f57ceab61d15

SHA1
ce147c22b6076a42111fea56d141c863f3580b25

SHA256
84c3b5051098ce533d0119a5297b6700e361f0e1b0faef0c2145fd38d7d40f5a

SHA512
7fd414b842f65ed18f465b34311f492d8ff16b3327426858f5fccca04f265797d0d5f82ca80921a92eb2ce380c9641be8a21078097dfeede21b98a0d60e43cad

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c6f0160bcb25fec6b47683afae7e9da7

SHA1
b53c8ae2e133461cc97ddf4fe3a5082e6ea9aec8

SHA256
d00dd89a069f6cc877b70aa20618fa61aa39b705f2dee69345946a1a2cdae2f3

SHA512
cc76495cabd2e461426efe6a43f0ca958d2d8815a254f7247b0d1babb77bc3eb91e4649d00ddca63110cdfa0812d4f010a5e394e4005d7f6a1b4774b3a3e21c3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
6bcc442b38012eca409e347a95cba463

SHA1
f4e12fbddda623b57ea3063e90969c1b57128296

SHA256
0b7e8ebd7168e6679ec92d25c758ba398bb0beddfa9c47cf9a6e1f40ea51453f

SHA512
97946550be60f5c7a0f9c9112d30c1fb9be82174242c06c53dc4f665eabb19afac6ef5909a27a029bb450eb1f97134116a8aac40b449ffbbcd3fa0edcf65f634

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\3ebaf0bd78a61a12.bin

Filesize
12KB

MD5
c5b04fbde33c07ce2403247d45a935fa

SHA1
b74860a1f8fd68df9cf4bf5fc9e45844ccb9aea7

SHA256
dbe79706a4e8a5f46061290872174769516bfa581ed90c0af3f5a52bcfe02553

SHA512
fa48c2c662966f5019bbc3548fe1e0224052065d5a4397dd31f9a1ff12e64e3bed6c43e8f72c4440d66500b4b74349fbddf295eddd7355f6ad2b9a364fa01fb0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
cdbc8b11a206473e387c8b3d2f6c6eda

SHA1
4184092074aa454c686e4af52542f3517e0fde6c

SHA256
689dab17096f989ceb23e17240f6b6f933dd74e8a5c7f06ccad35c8565ebdcda

SHA512
cc67f15712402eea5e714352427f8fb33b693f429f8f5e3844b7081596121272301f30188abce1ce7530bccbfbea57b6be6d02b10aba2a91f2837934819ebf32

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
8de5a72314720d84d7497340a1b35462

SHA1
239cb3fe8abec44f79932b308bf35f02716f1e75

SHA256
37d29fea770775c571d13ff7e449315de1c06bd53a4879a3100d99511f81cf20

SHA512
def6fa88ca7fb1c0b73478764ce1adf3513b87c27b110367a544fcd8b1c4925a9a74c16d6377dce04c15d3ab6cc770d7b5d7723ed4ab1fe85ff8275e210a4837

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c9c3eee1f5930c7dd72cde090344dc44

SHA1
0bbca134defebd74aae750f14519b70fe17ab3d2

SHA256
14c2a6ac8bb724fe4b6c921ac369eed75bc3e61040fb0f07f1c4978c07040d76

SHA512
3aa85f044bbb8d49ffaf2942c9ed3f58058afa34aea2290ddeecf8b11d0cd693b1edcdd04ad2eaab7579c4600f87abebbf7ca74167c3fc17e2fb2c9c80e2f4aa

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
b588aaffc1938f89fda26f50c4649d8a

SHA1
372b09356e28c75b4363760cc7b360655bb25051

SHA256
bd9d5fb90b2917ecf648f932bd74aace662d40631cc8889eef688b2eafd2a2a1

SHA512
594034a3b03418b4695e4e9338b0d25bc6eb6dbc96b888ba0c376264230a166eb646bdc0909617c34190511e60757f2c09c46f504cff7d546b4bcd6e0dac6f76

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
05f8a8a56e771d6a3c01d7fae0746ddb

SHA1
5f5461cb6ff4a9db5c5b4fbc32565d94421e70e9

SHA256
252ec01c86e3018d0fdf754c485f17e44f56eabd194099e825c86c66704b8b06

SHA512
57919ea36cef6fb35228e5ef56af6897ba4273a6883c49f1643f4b425b5ae9a534d1381f72e61391d8ed8938c882c2c33ecee8f03f7077c4b5a96a91922babd6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
902862b137c5d53b918ace0ebcf918dc

SHA1
cdfe023f930a97b5ec7e26b94a37526b9a901186

SHA256
eb63ac16cd43771ac12b7c7475412299b20beb8225c657425c3753daf1757b43

SHA512
6ec09bab4399b61d6b60bf12036612f6f2979b1c58315e0cce04defd1acc17aff3f549ddc43c0f56666e546efce8e9105ac6dbffa904a4603649e79fdd9055d6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
44e6b97ab2ef97a320597f7f73e6acc4

SHA1
e5d8bb1b83dc1c7c68464dc3ba6fae1f9a16aeb0

SHA256
65e124bd01a85e74fd59412fc039a9248ecd698ef3bd83adfc332a67a03c80dd

SHA512
e213e0877803c0a7d79106f031e8afcde990c798a8aff1ca60f2f83ee2eaea3af99dde06f424f1e0e9eb2388e2872d6bb7dd6fbba589ae509f07f4d2199023a9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
6ac1d76d94f149ddb9c33bfb0b6227ca

SHA1
f4b2998e9a22aca109d19e14fabacb5d76355f3c

SHA256
8aba03f7cff2b6f19688007e2c216e06e4aba36c1e16be1db37627f19f5852dd

SHA512
2e4ad4643e48791dbb1ec318be43048dddabe4d79993cef3c8b718ef2168dee78add7dcf9170f09bb50aacb9d21f3f318acffc8059ad85f656ed15749a388eae

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
cb61889e365f8c0d8d890e930bf7578c

SHA1
3051949bcca7473bf02de695ae36bece56e81ca0

SHA256
f94129312dfb7f2decc3df07eca9c5ec7466e5bf69177eb9c6434a4892709c86

SHA512
95623f9c8f25502ce1f080170b2c20913701d645123385d99dd8648af2768fe3b9f291b7b82b120cb25043b2bfd6a2902a6283359064b7fcb22d17b9b0aa1a22

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d3debeaa559a5a563ef2800d31e7ca14

SHA1
46212ee0f14710755fb65215508a66fb5f33c77c

SHA256
4f1c69f126af3e201f24984dba9071c06f4ceee85448c48f100d007e1628c088

SHA512
8880b81003b68c1468fb91b88ab83c789c0f52ef8847579ae100a45c1db8ffdcb1ac46e6aae1fa14c9a7d0437d309bb154cee653283cafc8f46389611ca37494

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
131d5d18e090cbbb559208f19860d570

SHA1
c3ffd62dbb25ac203d8e960c293bd83dfb3c5ff2

SHA256
6d39b2ecff544edd095853eb26078b92788566e7315cd46a67800839f0a02499

SHA512
8f0844c1b1b85329828b184f796090ab888273ccd73628ebe8a26e59c3417340f4056f578168303ad43fc967f0a30625fc87c02c98f3ad7803ea488769c19f6c

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
1538f15d4d92373bc0efba7eb8066605

SHA1
2018b18c3e35440c89acd452575fddece1b6230d

SHA256
0d9c94831c596e936f74be8aaf82e4bcfd21b51be301471332b57a15d059e5f4

SHA512
385ca35e2889911f5a8bcf423054bb6a2f841989a33542db5b0b872bf9cca5e8b590af66e2896c6b3f004efa63f339b44a6bf8bc22f53205df0c5d199d0dc7d5

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
870de59890e652629dae971217e38b34

SHA1
c247514679f7080c7330f0795585288ba8aa30f6

SHA256
75f738b2c2891043744612f8212344c507192706dd55cea39387afe3984a0874

SHA512
163ddd0882882bb90378fbfdd8f53bc8f72a5169c3451cf24373cfd2aefa7d3f928a43d1f1bb501c5b87b2f524d92b282fa798df1c317c55e08b2519f69a47bb

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
bd7d3202ecca33c9c23c9491f1a77016

SHA1
74aacd5a82a97a9cf8428ab084d8ee0c6f821a2b

SHA256
2cc8e431acb7cdc73f120326a2f350d36528c9f589cd1361e1eaf583da5d9675

SHA512
fcb56fa0262cead8cbc4575001d031a0ea8867337e76d75085b7fb74079082bae41cf711ac062b896c6cf10898bdb81e2807207f259f19d56c01dc5587e4504d

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
7ae6b06326b54930677d292a52165763

SHA1
657fdd2937dc0d82a6d4cb12ac50611d7543949a

SHA256
020af76d8088d74d19b5aaa07f38adc2ef7a50f6a6e2e81d5f718ec94eee4e7d

SHA512
8ffc60a945421ecbabcd522a3dace6787d04d64082e49300f66ac08d49173228facdcd04351ee5a1d23e4efaff6e42602f2146b6cb0a12bfba597c525e41598b

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
f9f3ff20f4435d3b0226d192ec2c1ffe

SHA1
629b58dbd6c02c214a459f065609ff3a2b1cf428

SHA256
062097a786339c15c7e6815eb19e3cf7ca09ffce981e2bbb3bbb67f1001ac322

SHA512
147f306c2bdb53a570f7e5c53b8f5f9c64fd93d836a37747a1edcae441f9ab3123fb50754fc700e473bdf5d69556a9fa845e8cc746b57d64b1b912f83ad325d8

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
a24d3708d44d945a5913f71a0cde7a2d

SHA1
a01f9f0a1a671c4df42a0779aa7419b1423f9161

SHA256
18021987b05a319d7076066417d7c692b9c41a18d20f2cce9c0ecb7059a0837f

SHA512
114739a25aa3994eb1f2647c721339100040dd6ed27ac7346d1e13cd696bc98ec49134028ff9bb11b7c0bcbae1feeae84605686487c97e72eb196b1edd47b5fb

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
5af064b429be9e5cda504ed74faad658

SHA1
eea278eee1d9656632f8fd01a4855eafdfca6532

SHA256
ab2a4e2d40101f0351db46e3639cf1385dd09399c76e027a0b27f0b413c9abe9

SHA512
24116ff31299f3f0d8af2518f237f514427e80c831e141cecce8aafc012538f9cf9532a4efb0b8b436b661acb585e2685ee2691f97ff27a53f490b28a09e934d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
805ec152fd5534b0f5169c203b3d40f5

SHA1
37f74338c2f00f4d3fa42070bf4dbcd98092f172

SHA256
df77eb784973d256599adc9eab2b6e6ade42130ada510a65cf4c1fd68e406ecd

SHA512
66d6ee923ae4cdf45ff30fd6a97df98124205ecaee2e60f1700230905bbc65e4d34795a40806e49c234892f406dfafc91dd7c8c102fbd049b6b2113aa3618b8a

Download Submit
memory/240-240-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/240-246-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/240-262-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/688-161-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/688-112-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/688-113-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1240-235-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1420-152-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/1420-162-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-167-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-115-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-116-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/1420-164-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-118-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-120-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/1420-163-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/1708-165-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-151-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1708-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1708-174-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-139-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1708-173-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1708-144-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1724-210-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-238-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1724-265-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1724-187-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1724-178-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2028-149-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2028-192-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2028-97-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2028-191-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2028-99-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2028-106-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2092-224-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2100-83-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2100-91-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2100-136-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2100-98-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2100-101-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2100-108-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2100-84-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2184-257-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2184-252-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2248-64-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2248-72-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2248-127-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2248-73-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2248-68-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2372-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2436-201-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2436-260-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2476-59-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2476-20-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2476-21-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2476-26-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2556-48-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2556-53-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2556-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-47-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-195-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2568-255-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2660-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2660-96-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2860-66-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2860-5-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2860-7-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2860-0-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2876-35-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3016-177-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3016-186-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-184-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3016-129-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3016-126-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3016-141-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-134-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3036-213-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3036-227-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3036-228-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/3036-217-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download