1098e942f01af9fc6f3affe46d001a06d486442d845a26c2aa719bd5e1e3109a

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Size

24.3MB
MD5

15b092caa7e5870d1f51c95009423b43
SHA1

769d6107495dabe29142c8eb19e51460007532ee
SHA256

1098e942f01af9fc6f3affe46d001a06d486442d845a26c2aa719bd5e1e3109a
SHA512

9e6083d0bd4934d603efb265ef7cdd6f216008735bdb08a839c0b48b652f04bea8c3e7b6a4ce42e5f94bd574f778e08c4b2f108cdedcd0c2fc6d95ae88bd12ed
SSDEEP

196608:eP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018j:ePboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 42 IoCs

pid	Process
468	Process not Found
2632	alg.exe
2688	aspnet_state.exe
2500	mscorsvw.exe
592	mscorsvw.exe
2724	mscorsvw.exe
1572	mscorsvw.exe
1844	dllhost.exe
2084	ehRecvr.exe
2288	ehsched.exe
1652	elevation_service.exe
2320	IEEtwCollector.exe
2236	GROOVE.EXE
2828	mscorsvw.exe
2696	maintenanceservice.exe
772	msdtc.exe
1924	mscorsvw.exe
2368	msiexec.exe
2104	OSE.EXE
1624	mscorsvw.exe
1124	OSPPSVC.EXE
1736	perfhost.exe
1400	locator.exe
840	snmptrap.exe
1200	vds.exe
1132	mscorsvw.exe
2760	vssvc.exe
2612	mscorsvw.exe
1848	wbengine.exe
2256	WmiApSrv.exe
2512	wmpnetwk.exe
1916	SearchIndexer.exe
2508	mscorsvw.exe
2016	mscorsvw.exe
1164	mscorsvw.exe
1136	mscorsvw.exe
2376	mscorsvw.exe
2704	mscorsvw.exe
1852	mscorsvw.exe
2816	mscorsvw.exe
2208	mscorsvw.exe
2420	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2368	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e0fd2d05465f8f4.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B262F552-36A4-4AFD-A8FD-D1AE5D349D55}\chrome_installer.exe	alg.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3F8DA80F-2536-4DEE-98B3-9B63CDAD69C6}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3F8DA80F-2536-4DEE-98B3-9B63CDAD69C6}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{E99CF083-6866-49C6-9A6A-50C6F9EB5320}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
760	ehRec.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeDebugPrivilege	760	ehRec.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeRestorePrivilege	2368	msiexec.exe
Token: SeTakeOwnershipPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	2760	vssvc.exe
Token: SeRestorePrivilege	2760	vssvc.exe
Token: SeAuditPrivilege	2760	vssvc.exe
Token: SeBackupPrivilege	1848	wbengine.exe
Token: SeRestorePrivilege	1848	wbengine.exe
Token: SeSecurityPrivilege	1848	wbengine.exe
Token: 33	2512	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2512	wmpnetwk.exe
Token: SeManageVolumePrivilege	1916	SearchIndexer.exe
Token: 33	1916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1916	SearchIndexer.exe
Token: SeDebugPrivilege	2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2212	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2632	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
2544	SearchProtocolHost.exe
2544	SearchProtocolHost.exe
2544	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
2544	SearchProtocolHost.exe
2544	SearchProtocolHost.exe
2544	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2828	2724	mscorsvw.exe	43
PID 2724 wrote to memory of 2828	2724	mscorsvw.exe	43
PID 2724 wrote to memory of 2828	2724	mscorsvw.exe	43
PID 2724 wrote to memory of 2828	2724	mscorsvw.exe	43
PID 2724 wrote to memory of 1924	2724	mscorsvw.exe	47
PID 2724 wrote to memory of 1924	2724	mscorsvw.exe	47
PID 2724 wrote to memory of 1924	2724	mscorsvw.exe	47
PID 2724 wrote to memory of 1924	2724	mscorsvw.exe	47
PID 2724 wrote to memory of 1624	2724	mscorsvw.exe	49
PID 2724 wrote to memory of 1624	2724	mscorsvw.exe	49
PID 2724 wrote to memory of 1624	2724	mscorsvw.exe	49
PID 2724 wrote to memory of 1624	2724	mscorsvw.exe	49
PID 2724 wrote to memory of 1132	2724	mscorsvw.exe	57
PID 2724 wrote to memory of 1132	2724	mscorsvw.exe	57
PID 2724 wrote to memory of 1132	2724	mscorsvw.exe	57
PID 2724 wrote to memory of 1132	2724	mscorsvw.exe	57
PID 2724 wrote to memory of 2612	2724	mscorsvw.exe	59
PID 2724 wrote to memory of 2612	2724	mscorsvw.exe	59
PID 2724 wrote to memory of 2612	2724	mscorsvw.exe	59
PID 2724 wrote to memory of 2612	2724	mscorsvw.exe	59
PID 2724 wrote to memory of 2508	2724	mscorsvw.exe	64
PID 2724 wrote to memory of 2508	2724	mscorsvw.exe	64
PID 2724 wrote to memory of 2508	2724	mscorsvw.exe	64
PID 2724 wrote to memory of 2508	2724	mscorsvw.exe	64
PID 1916 wrote to memory of 1624	1916	SearchIndexer.exe	65
PID 1916 wrote to memory of 1624	1916	SearchIndexer.exe	65
PID 1916 wrote to memory of 1624	1916	SearchIndexer.exe	65
PID 2724 wrote to memory of 2016	2724	mscorsvw.exe	66
PID 2724 wrote to memory of 2016	2724	mscorsvw.exe	66
PID 2724 wrote to memory of 2016	2724	mscorsvw.exe	66
PID 2724 wrote to memory of 2016	2724	mscorsvw.exe	66
PID 1916 wrote to memory of 2232	1916	SearchIndexer.exe	67
PID 1916 wrote to memory of 2232	1916	SearchIndexer.exe	67
PID 1916 wrote to memory of 2232	1916	SearchIndexer.exe	67
PID 2724 wrote to memory of 1164	2724	mscorsvw.exe	68
PID 2724 wrote to memory of 1164	2724	mscorsvw.exe	68
PID 2724 wrote to memory of 1164	2724	mscorsvw.exe	68
PID 2724 wrote to memory of 1164	2724	mscorsvw.exe	68
PID 2724 wrote to memory of 1136	2724	mscorsvw.exe	69
PID 2724 wrote to memory of 1136	2724	mscorsvw.exe	69
PID 2724 wrote to memory of 1136	2724	mscorsvw.exe	69
PID 2724 wrote to memory of 1136	2724	mscorsvw.exe	69
PID 1916 wrote to memory of 2544	1916	SearchIndexer.exe	70
PID 1916 wrote to memory of 2544	1916	SearchIndexer.exe	70
PID 1916 wrote to memory of 2544	1916	SearchIndexer.exe	70
PID 2724 wrote to memory of 2376	2724	mscorsvw.exe	71
PID 2724 wrote to memory of 2376	2724	mscorsvw.exe	71
PID 2724 wrote to memory of 2376	2724	mscorsvw.exe	71
PID 2724 wrote to memory of 2376	2724	mscorsvw.exe	71
PID 2724 wrote to memory of 2704	2724	mscorsvw.exe	72
PID 2724 wrote to memory of 2704	2724	mscorsvw.exe	72
PID 2724 wrote to memory of 2704	2724	mscorsvw.exe	72
PID 2724 wrote to memory of 2704	2724	mscorsvw.exe	72
PID 2724 wrote to memory of 1852	2724	mscorsvw.exe	73
PID 2724 wrote to memory of 1852	2724	mscorsvw.exe	73
PID 2724 wrote to memory of 1852	2724	mscorsvw.exe	73
PID 2724 wrote to memory of 1852	2724	mscorsvw.exe	73
PID 2724 wrote to memory of 2816	2724	mscorsvw.exe	74
PID 2724 wrote to memory of 2816	2724	mscorsvw.exe	74
PID 2724 wrote to memory of 2816	2724	mscorsvw.exe	74
PID 2724 wrote to memory of 2816	2724	mscorsvw.exe	74
PID 2724 wrote to memory of 2208	2724	mscorsvw.exe	75
PID 2724 wrote to memory of 2208	2724	mscorsvw.exe	75
PID 2724 wrote to memory of 2208	2724	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2500

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 1ec -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 250 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 1ec -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 180 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 288 -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 260 -NGENProcess 290 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 274 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 274 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1844

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2084

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2320

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2236

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2696

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1124

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
7c49cc7a269fab380e6b0895843859c8

SHA1
7146e9468d90377bd563b024ae8bc10a56c2f430

SHA256
d1a015e42d072338c61a400f4d5508667a4791ff7f36bf0dfeffdb0466dfa0a0

SHA512
259c96b2035ee4b6d61fcfed3ae316c5c17a902f599ddb45c7842ec49cfe96fcd12d9e3e0051932de7af4c524dca7eeb95fca3fe16b5edee6a59f364e1e771c6

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
89a546d11bc32ba7e65e79d08899c50e

SHA1
2503514567ad76185e12b5494519d43d4db469a4

SHA256
25d893ba85185770f409ec83213956850310a406ac6cedb1e8a85f6be6135ee3

SHA512
60b7ad55ec6fabd30c0b5c19ec3d210f2257858f96b6d69598e4279c9eea6b7b04773248daf9d3faa94894a586807ed8d281076e9ae3a92302894f1d37753165

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5bab915e79656380475172e8311e44e2

SHA1
d381120145fea45e40da3274507c57ec16ac8075

SHA256
c09a940c7a4f1233736e6414bc6e55847ea1cd742d382a13c94313dac75595ac

SHA512
56dabfbf80436d33617cd786fd61a51337cd2661287eaa8bffa04517140c7a1c71819be27d6defa90dfc61cdaf6e26f848cd8d2d431c7e1d4daa31a11199edfa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
631f47a87cd81a72ec4ef49b10c89596

SHA1
553d9037971699d7d01a9c823a1e7742eb61d576

SHA256
bcdd64553d7a7c4acdd1699e16e8894a40300a158f80b9835ced35181441408c

SHA512
fcb3a1069269ce3f630b2ecd9717e3bb4ab60cafcb923526eea47b44de91d994738d44dd96bcde1745cb318c0a4cd5acf281aece70f39e8c8e0a0a6c8319f943

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
12c9c08f3a7fd47344475243887bdea0

SHA1
054e6fa130a4ed527c477739867759a47a881b92

SHA256
df2027ffb7e4b0e85d2ed3badf091f56038fa04cae66605b3ff5be6cc8484f0e

SHA512
0b179b79bf6d1c6614f1b96c21fd5718ec53561de8b5129ab60b464a61c661fe8b9883b0eb681cfe189c1eb1a4f35fb330634adce99368b63148f5e5149c440a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c3b115250bd98e32a910f775b4a344b9

SHA1
423c417e1bbc9d68f973b0165e1a0120a6a0976f

SHA256
9d5b7222b5ef963bf3087b950067410f43f1c763383d69197a171b3f7f756cbf

SHA512
5898845b3bcced417d33c7cae1fcf065540a14725ecf0b222c929d9768ec482cfe499b4a4c38d2844ce247a6805a342d867b589bdbafd527f6c0b3b78e50ffc4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
78f6ab05aa42bc50c028277906644d59

SHA1
08d5b6a1f426e8743e31bd6d151fadbe25afd7a5

SHA256
32239360596441aa48a6307dbb1a84248ebd76afcf82eef135fd0b858d50d3a3

SHA512
56401f3af3d690f72d615db460d47c7d221371a3c886ae9052036b0b0bf9f8a783fea00697f7b95fbcdca15f882f6b095697ed051b11e4dca15804740dda4421

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c6c09716cabf2a8492f03b877b2d2a07

SHA1
cb6e3ddb0ff946d8fa0345fa5381ead2b3eccadb

SHA256
80d1e6033351021783f6284a4abb80913d1e82c09d19ede91e9ae4f367dce84e

SHA512
a6f2c0c70820957de373e6546ceca809c8997cff233434b28cfaf80352a81628b7f6c6ea18f7dc5c0729b071507bcf92d6843a54c0d29c609a28525152d825fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a940e5a25434c1d247f11639618b2efb

SHA1
2d0768df69960219224d7f8c5a0ea663bfb562e2

SHA256
d977ac94ec1570295afdd92bc25c05bf2c08fcc9c78cb597c7c77cc906dd435a

SHA512
65ddaa284232c2c69b5624bd73a61e245acc1d0e7ff2271eba6ed79fb05fc110b107aa1cd487ebc955b23413d4dce601aa2c1b210a972d51ba1b5c052fe6fae2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
f0a904af01a964ec63d807a1b789ea45

SHA1
ee65467dedcade08b01db0639b4ea8aab1671f39

SHA256
07912002e45202d144f61c398ecbbc804d4672d344315cff099b5675d4fe2e58

SHA512
9272152553cfb28199f509464166ea708376d82634b67c849efad0f2376845a928e7e89189fec25e783e0f348e1d1ce4371836936b1ef2d5ef477dd99178c42a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
b589084aee13d48dd740f10508cff15b

SHA1
6e04cd5427d6e43915bf61b64a5d99b993ddd9eb

SHA256
bac339fdb680e3791b37acc88567e56468b2c39cbe4012be1a550a4f6181c6a2

SHA512
03fbe9b531185be4c92772cc9b0c96d5de893a41546f4e98963390233ddb1489669b928c134c1036e01f8e549e4c263737f9f9d3e5f345d226e24b72039af0a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
629d9f4adf5d3586b5359cc4b8beab52

SHA1
272339065a8d5b2e079df091b36f1608262bea1c

SHA256
c68c3f52ca21316a5fefefce0794a9388f8c68ac475fc4a2ed60f442c4c083d9

SHA512
edcd9af31b125941cf4d838ea4cff992613ffb788823e96ea4358c641166e77a35dbe25de687471702279781de7d61f3fef3655ee486ae8f5492e952eb6a4c01

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
80b118b362ece92f1c172cfa6070121b

SHA1
7c6dea96be353ad749c62d7be78c4d8f05f65398

SHA256
b7af531d267abf4f41507b10344f4a67676394bafdff51a93326d48ad820ac37

SHA512
16d09ee7abd7eb24fa8fa51037dcc6895458787d8697543b929034f1179245501adff26e727fafac62200807f34f471f30ece9c970213cfeca910e0ed3687323

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2a5bc47e46ce292ff56dd3b10fc2d486

SHA1
96559097fcbc8c739d2bf4c84c57983fd58db9ba

SHA256
2acd8ca32fa55fbb4d2a34bc81f4adaaf1ac0c04093681facf8e0302f85d59b0

SHA512
e75ba436685bb585b39132143c95569c9f3f2513eb69bf116451168e4e101fe69a616f3d0b8cff77c324d18d5d3cb83d348ab6c19343a55c3066de2f7dc668ef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
127be2ba15f99572ff58ca3642ad3223

SHA1
00c4fc112495d4197af633023869883f26f2be1c

SHA256
2b5b1975fa4d42c231ed98a50264abc4560db3823ecd9ab049ab079764f3ad11

SHA512
0faaad965f63f1be6e5f4754caa047f620af9530c83d090d7a0186d1ac8a692ff7be858a85580c0804c961154b9be15a1e112f310dd54e479e9243b7cf16c6d3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
cabd38b5c102a381c9aa2493db7a9ba6

SHA1
d452505582e8d2a87b07e90ee7428c45999bedcb

SHA256
8f4cbedb411d3469fd9e737a295faf91e8e2b385ec236442b2fd671110abdde4

SHA512
90dc0123e82691b45cd09c79e10da9ec5367c23727f29e04ca7bc640942962cba4b533ae7ef8d6db5b19eeea6e83e5f3ad1e78ea84c35c3f17a30e78df770cc4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
0bc172888d909c96cc27d1ab25e4d2df

SHA1
4cc4c02f96be92331648e5e645b7643c8809acd9

SHA256
fe3af1c3065f7e49815ee1eba55f5e7bda0e5142e0b96bbbc8ce75f6cd1e1297

SHA512
040fef0a2f8602cf974dbddf152cca7c3f6eed88901b0ce53227b4b89fc834849c988acb333bc09dfcaf7e850058c1318af623c55872efb228456b2561adb784

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9a447a2f9203035bb2f2e65e744d78bc

SHA1
68fa7906b94517ca3bad77e49ff9d3f4116df9bd

SHA256
11ee368f4537e53505d7cc436cd0155e147f491d85035ee9dc217d704bc65c5e

SHA512
524714a04aa3b1e0fb0dc1af1a9c3fa51bd1f2a0c8575f08e36b5f675345077382dfa1b94347ba9201596a0bec581ffbe80372ff6cb68158d5389928bc6055e4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
2ac0f550f64b25459a12b72d3b6b31fa

SHA1
116425d395f039564f69a506c2cf677a05033a03

SHA256
e45d91d2249d27570656a3e058462aaa776ff3c05a44ca9d344dd6601eee323b

SHA512
03ae81b06ce409471b4ebef4ac5bb93d01ff0fefddecd1a548e7507aa18bc0e9e913a5fb55ed76c42b102b4236edc7eaae29d2ae39c9c1258c50695f263006ed

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6e1f81d94e420264ecf412465c4e61b5

SHA1
f6a27cc30cfe4bf50f741951b0d75ca2087e45bf

SHA256
b1b09a2df5990a5946a96f70377b6939e29275f9fecc97d066233f1504577e3c

SHA512
3f9142ba027b0dc773c23cf37824f1b52e4f9bcb05d4d556b20438116349c4e10210de720a600eff6b9175e57f9d2dfc75bd20a8812e6b6f253c80e4c6c22a81

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
95fb4e0a7349d3255422ad5fa0361d5f

SHA1
7dd45bf0af0b28fee9132f88863eb3abc4158565

SHA256
8dd58e69b553f2eb6480416aba0cdad73604c6514eb5ccc202d066d2ffcd3597

SHA512
9e24dec63ac60e300100657187569f2082f2047a9e1bb29a44e41acd8b12fad382a887da26356be28c5070a45b7e0fb8fb5cf9990962cb4e6d6741247fcbe05c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d023741438c81a1413d4df22ce80a71c

SHA1
27097eaa8800ff5ad88b790249f8b8fdf9010afb

SHA256
6d441472f356cdcfcd7ccbd80ee17f5c4999a560fcd1f5d9e5aa3a88fcb344e0

SHA512
4516c7f33bbd9923113225279586e15899654a03be3183b2020477e77349231c9cd54a552ff29687f2220b894feb088cefa1116bb50334cce1db21577b6a110e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
6a21f58f14989aba77b72ddd3936c5f3

SHA1
6460e7f3b761bf0c932c8b5393ab1abd0e487f39

SHA256
04bbf8ea5fdb204649871fd9ca33b71e2faf7eb30bfac3c459e0583d32a3e905

SHA512
7a015211f1de79be4d9cdddf608916f71f50c1c117ada2ff4ac1adf098babad9ae22ffb087aeb40680deddf455f8f9f3830200a51239d612043a36b1ea0d95b0

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
062c2a299ef167fefe5476ad7ff0c0c2

SHA1
a0b349f111a2461ede8395a502895812f12f9f1b

SHA256
a6a5ae47eb0a9ba33fba10e1b3cf4b97bed80de8b9f1f1c75df9ea898acd91a3

SHA512
ec505926fba0d0b73edea84a924b943360ecbb98bf0fe75e4e96063f0ebf93729a2c320592a00b963a440ea38bd9f9f052bec3bd52ca2d1460023ffe3aeadbc7

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
37b2fa992ece266469b380d9905c26f0

SHA1
74b210575e9377a20640e0c67603c3afe166ee8f

SHA256
a35ef0b8f016c0ff705ab95e4e3c59d57ebcbc652241eb11a07422a2d0616827

SHA512
84c9abb2bb3fab8dfda59f960b6d97b4fd7624f983efff0b29248327462c7f608c81846d11e57ba772e28de66ec7f8d12279d14d5adad66d12127547653ee396

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
54156f4885b8fac2d309c6b26c3f3fde

SHA1
e3a99ad23b46bfa03ffae54dd189a981e67f9440

SHA256
8cadc99b5fa6eb56bd6bf6cae03b74810ac6347d22138837f1aacf66361e9951

SHA512
204470ccc7e440cf3212761b105795271c768dbb67441ff86b39dcdc3bfd68427d7d3d790899bd08c0c4503778f4efe69f44327eb1b62af1d14fe0990d0801e4

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
82286b305b6f7ad57fbc515feb8a31f0

SHA1
d3f66829ec9efca674f44aeb6ed1c4625aadc9aa

SHA256
76e5d5bc876299c1d299ba1ed94aab2e5ca1ab4a39fdb377a2950858ff27ab8a

SHA512
220060f4a9d9084f9942268c591cdbcdba89ec31a8f92a35b8a879e181439db4f9b8045c3529514a3624f2421d1c775c0bac2c29556d7014fc2fc62192615d49

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
577b136329f630013294331fe346e03f

SHA1
b013ad1a996574ee557d291ef1b6904ce4c2212d

SHA256
94cbe514a40e9b013f642dbc0136ec8a45ba992deb2f0ebc0ece725b24643498

SHA512
4bf1fc4a64fac51cc1249791026b1aa0807440228c9681ae9d03fa7407ea7ef3e9a6c10ae03c0d66b4668b8e2e1e9791b7c029dea15f42175f213b5e2719296c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
12d937361b80d8667459cd3d5df89c4c

SHA1
b4e8f1b96c35aa05b9b760669408faa54e47a460

SHA256
268293df3248cd2516a4c92ac53aaf7c556b6d07220e2c79b04a22168b941fd8

SHA512
22feaf26d5498c932b153741e48ce9dee962273679bc10d369557a5a1db3e44259e69c36586a811f98be4f94f0895b530c51a03e942d07e6b3f829cdc827d00c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2fa114f1932e1bedab017544c61ff08e

SHA1
ed5d9c035782f7a5938074833b6df803c921e333

SHA256
1d6b23868ac5ef00a8a88c2804361a9df5c21488442813a7aa668f7098ef052e

SHA512
48efb8b829be51c2d2d9bdcf9ce3471db63ce197e3f523d451c81f015ae898b41be9c1b8d9e9e559342b57c3d9c1aeeb9646073bd95490f3f1ffd2025a7f2275

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a982de22dde370e32157ee325ece1dbd

SHA1
dfddc79108706bbf70ea2b161a14ad56a5a00cb1

SHA256
53174285011d75822514959e2fd608b2134869cda900282105bd65c1a813520d

SHA512
699c5075ca0fcd1983a27fadfbf54f27706004fbe13afc231e37af4185a1b5bd21d349ea9bd7fbda17ec30d06b12802b9b5fd5320858766c8711b514373b48d6

Download Submit
memory/592-61-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/592-55-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/592-109-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/592-54-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/760-282-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/760-233-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/760-284-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/760-252-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/760-262-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/760-181-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/760-179-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/760-259-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/760-178-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/772-235-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/772-289-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/772-243-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1572-90-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1572-92-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/1572-167-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/1572-98-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1652-159-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1652-242-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1652-164-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1844-121-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1844-115-0x0000000100000000-0x0000000100254000-memory.dmp

Filesize
2.3MB

Download
memory/1844-112-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1844-190-0x0000000100000000-0x0000000100254000-memory.dmp

Filesize
2.3MB

Download
memory/1924-254-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1924-263-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1924-279-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-134-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2084-207-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2084-231-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2084-150-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2084-126-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2212-0-0x00000000021B0000-0x0000000002217000-memory.dmp

Filesize
412KB

Download
memory/2212-64-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2212-5-0x00000000021B0000-0x0000000002217000-memory.dmp

Filesize
412KB

Download
memory/2212-6-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2236-202-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2236-196-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2236-264-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2288-225-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/2288-149-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2288-139-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/2320-180-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2320-182-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2368-257-0x0000000100000000-0x0000000100271000-memory.dmp

Filesize
2.4MB

Download
memory/2368-269-0x00000000006C0000-0x0000000000931000-memory.dmp

Filesize
2.4MB

Download
memory/2368-275-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2500-37-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/2500-44-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2500-38-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2500-85-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/2632-89-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2632-12-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2632-13-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2632-20-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2688-33-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2688-113-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/2688-26-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/2688-27-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2696-227-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2696-226-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2696-217-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2696-213-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2724-77-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2724-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2724-71-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2724-157-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-230-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-281-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-200-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-267-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-220-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download