07900d5f2d0849447e2aa7eb2b167c5b84b14911c71445b8208a66b4b142c033

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Size

24.3MB
MD5

6d7b3f63550b6bd7b39ebee21cb15ef7
SHA1

8250d96cb2808118eadc6baae9a89e1193a4c863
SHA256

07900d5f2d0849447e2aa7eb2b167c5b84b14911c71445b8208a66b4b142c033
SHA512

72561b92f9d01358b68a77136e2bdf2ef94a2207e9b4eb7b45c9f437b612226b7a6eb4a7620bce97e6c12c8afaa17c26af7c44929f8e2bf7c378809e5b570bc5
SSDEEP

196608:RP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpZH2SAmGcWqnlv018:RPboGX8a/jWWu3cy2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
484	Process not Found
2612	alg.exe
2448	aspnet_state.exe
2528	mscorsvw.exe
2444	mscorsvw.exe
2976	mscorsvw.exe
2752	mscorsvw.exe
1488	ehRecvr.exe
804	ehsched.exe
2020	elevation_service.exe
2392	IEEtwCollector.exe
1672	GROOVE.EXE
1332	maintenanceservice.exe
784	msdtc.exe
2256	msiexec.exe
2212	OSE.EXE
2024	OSPPSVC.EXE
1556	perfhost.exe
1540	locator.exe
2656	snmptrap.exe
2092	vds.exe
2732	vssvc.exe
452	wbengine.exe
2852	WmiApSrv.exe
2308	wmpnetwk.exe
1132	mscorsvw.exe
2672	SearchIndexer.exe
840	mscorsvw.exe
2476	mscorsvw.exe
588	mscorsvw.exe
1784	mscorsvw.exe
1212	mscorsvw.exe
1748	mscorsvw.exe
2964	mscorsvw.exe
2076	mscorsvw.exe
2504	mscorsvw.exe
600	mscorsvw.exe
2528	mscorsvw.exe
2440	mscorsvw.exe
2468	mscorsvw.exe
2552	mscorsvw.exe
1208	mscorsvw.exe
1496	mscorsvw.exe
1996	mscorsvw.exe
624	mscorsvw.exe
1908	mscorsvw.exe
2116	mscorsvw.exe
2796	mscorsvw.exe
2756	mscorsvw.exe
2468	mscorsvw.exe
1992	mscorsvw.exe
3016	dllhost.exe
960	mscorsvw.exe
2992	mscorsvw.exe
2804	mscorsvw.exe
2768	mscorsvw.exe
2252	mscorsvw.exe
1072	mscorsvw.exe
1976	mscorsvw.exe
1684	mscorsvw.exe
3032	mscorsvw.exe
836	mscorsvw.exe
3012	mscorsvw.exe
1380	mscorsvw.exe

Loads dropped DLL 45 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
2256	msiexec.exe
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
764	Process not Found
484	Process not Found
2252	mscorsvw.exe
2252	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
3032	mscorsvw.exe
3032	mscorsvw.exe
3012	mscorsvw.exe
3012	mscorsvw.exe
356	mscorsvw.exe
356	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
1956	mscorsvw.exe
1956	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
1972	mscorsvw.exe
1972	mscorsvw.exe
576	mscorsvw.exe
576	mscorsvw.exe
772	mscorsvw.exe
772	mscorsvw.exe
380	mscorsvw.exe
380	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
1256	mscorsvw.exe
1256	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd162e3678a61a12.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC8CB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3054.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP55DD.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39F4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAFDF.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFFD2.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{A4A3F150-FC5F-4EE8-A90E-9FFC4FE17FCC}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c0a0ca1f4296da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A4A3F150-FC5F-4EE8-A90E-9FFC4FE17FCC}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
600	ehRec.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: 33	2072	EhTray.exe
Token: SeIncBasePriorityPrivilege	2072	EhTray.exe
Token: SeDebugPrivilege	600	ehRec.exe
Token: 33	2072	EhTray.exe
Token: SeIncBasePriorityPrivilege	2072	EhTray.exe
Token: SeRestorePrivilege	2256	msiexec.exe
Token: SeTakeOwnershipPrivilege	2256	msiexec.exe
Token: SeSecurityPrivilege	2256	msiexec.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeBackupPrivilege	2732	vssvc.exe
Token: SeRestorePrivilege	2732	vssvc.exe
Token: SeAuditPrivilege	2732	vssvc.exe
Token: SeBackupPrivilege	452	wbengine.exe
Token: SeRestorePrivilege	452	wbengine.exe
Token: SeSecurityPrivilege	452	wbengine.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: 33	2308	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2308	wmpnetwk.exe
Token: SeManageVolumePrivilege	2672	SearchIndexer.exe
Token: 33	2672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2672	SearchIndexer.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeDebugPrivilege	2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2188	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe
Token: SeShutdownPrivilege	2976	mscorsvw.exe
Token: SeShutdownPrivilege	2752	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2072	EhTray.exe
2072	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2072	EhTray.exe
2072	EhTray.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe
352	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1132	2752	mscorsvw.exe	56
PID 2752 wrote to memory of 1132	2752	mscorsvw.exe	56
PID 2752 wrote to memory of 1132	2752	mscorsvw.exe	56
PID 2752 wrote to memory of 840	2752	mscorsvw.exe	58
PID 2752 wrote to memory of 840	2752	mscorsvw.exe	58
PID 2752 wrote to memory of 840	2752	mscorsvw.exe	58
PID 2672 wrote to memory of 352	2672	SearchIndexer.exe	59
PID 2672 wrote to memory of 352	2672	SearchIndexer.exe	59
PID 2672 wrote to memory of 352	2672	SearchIndexer.exe	59
PID 2976 wrote to memory of 2476	2976	mscorsvw.exe	60
PID 2976 wrote to memory of 2476	2976	mscorsvw.exe	60
PID 2976 wrote to memory of 2476	2976	mscorsvw.exe	60
PID 2976 wrote to memory of 2476	2976	mscorsvw.exe	60
PID 2672 wrote to memory of 2356	2672	SearchIndexer.exe	61
PID 2672 wrote to memory of 2356	2672	SearchIndexer.exe	61
PID 2672 wrote to memory of 2356	2672	SearchIndexer.exe	61
PID 2976 wrote to memory of 588	2976	mscorsvw.exe	62
PID 2976 wrote to memory of 588	2976	mscorsvw.exe	62
PID 2976 wrote to memory of 588	2976	mscorsvw.exe	62
PID 2976 wrote to memory of 588	2976	mscorsvw.exe	62
PID 2976 wrote to memory of 1784	2976	mscorsvw.exe	63
PID 2976 wrote to memory of 1784	2976	mscorsvw.exe	63
PID 2976 wrote to memory of 1784	2976	mscorsvw.exe	63
PID 2976 wrote to memory of 1784	2976	mscorsvw.exe	63
PID 2976 wrote to memory of 1212	2976	mscorsvw.exe	64
PID 2976 wrote to memory of 1212	2976	mscorsvw.exe	64
PID 2976 wrote to memory of 1212	2976	mscorsvw.exe	64
PID 2976 wrote to memory of 1212	2976	mscorsvw.exe	64
PID 2976 wrote to memory of 1748	2976	mscorsvw.exe	65
PID 2976 wrote to memory of 1748	2976	mscorsvw.exe	65
PID 2976 wrote to memory of 1748	2976	mscorsvw.exe	65
PID 2976 wrote to memory of 1748	2976	mscorsvw.exe	65
PID 2976 wrote to memory of 2964	2976	mscorsvw.exe	66
PID 2976 wrote to memory of 2964	2976	mscorsvw.exe	66
PID 2976 wrote to memory of 2964	2976	mscorsvw.exe	66
PID 2976 wrote to memory of 2964	2976	mscorsvw.exe	66
PID 2976 wrote to memory of 2076	2976	mscorsvw.exe	67
PID 2976 wrote to memory of 2076	2976	mscorsvw.exe	67
PID 2976 wrote to memory of 2076	2976	mscorsvw.exe	67
PID 2976 wrote to memory of 2076	2976	mscorsvw.exe	67
PID 2976 wrote to memory of 2504	2976	mscorsvw.exe	68
PID 2976 wrote to memory of 2504	2976	mscorsvw.exe	68
PID 2976 wrote to memory of 2504	2976	mscorsvw.exe	68
PID 2976 wrote to memory of 2504	2976	mscorsvw.exe	68
PID 2976 wrote to memory of 600	2976	mscorsvw.exe	69
PID 2976 wrote to memory of 600	2976	mscorsvw.exe	69
PID 2976 wrote to memory of 600	2976	mscorsvw.exe	69
PID 2976 wrote to memory of 600	2976	mscorsvw.exe	69
PID 2976 wrote to memory of 2528	2976	mscorsvw.exe	70
PID 2976 wrote to memory of 2528	2976	mscorsvw.exe	70
PID 2976 wrote to memory of 2528	2976	mscorsvw.exe	70
PID 2976 wrote to memory of 2528	2976	mscorsvw.exe	70
PID 2976 wrote to memory of 2440	2976	mscorsvw.exe	71
PID 2976 wrote to memory of 2440	2976	mscorsvw.exe	71
PID 2976 wrote to memory of 2440	2976	mscorsvw.exe	71
PID 2976 wrote to memory of 2440	2976	mscorsvw.exe	71
PID 2976 wrote to memory of 2468	2976	mscorsvw.exe	72
PID 2976 wrote to memory of 2468	2976	mscorsvw.exe	72
PID 2976 wrote to memory of 2468	2976	mscorsvw.exe	72
PID 2976 wrote to memory of 2468	2976	mscorsvw.exe	72
PID 2976 wrote to memory of 2552	2976	mscorsvw.exe	73
PID 2976 wrote to memory of 2552	2976	mscorsvw.exe	73
PID 2976 wrote to memory of 2552	2976	mscorsvw.exe	73
PID 2976 wrote to memory of 2552	2976	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 240 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 1e8 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1d0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 260 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 260 -NGENProcess 234 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 1e8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e8 -NGENProcess 234 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 1cc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 1e8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 27c -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 234 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 280 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 1e8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 164 -NGENProcess 168 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1a8 -NGENProcess 188 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 1fc -NGENProcess 1e8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1fc -NGENProcess 1a8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1ac -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 20c -NGENProcess 1a8 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1a8 -NGENProcess 1f4 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 21c -NGENProcess 20c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 210 -NGENProcess 224 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 208 -NGENProcess 228 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 210 -NGENProcess 214 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1ec -NGENProcess 228 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 21c -NGENProcess 230 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 20c -NGENProcess 234 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 228 -NGENProcess 238 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 224 -NGENProcess 1f0 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1ac -NGENProcess 214 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent a8 -NGENProcess 1f0 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 214 -NGENProcess 21c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 238 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 224 -NGENProcess 248 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 224 -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 224 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 21c -NGENProcess 138 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent a4 -NGENProcess 240 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 1ec -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 254 -NGENProcess 138 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 21c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1ec -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 26c -NGENProcess 21c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent a8 -NGENProcess 264 -Pipe 138 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 258 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 20c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess a4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2652

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1488

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2024

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:2356

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ac7e33acb385cb6b6d67a39d00130894

SHA1
91dab12f4d5445ffd5200402a87dc09116928e42

SHA256
a495e8b22ae0e336e4f2fbc52f0dbd23b75e35d0140c17bb6c286383d7715e82

SHA512
c1cc032020685b6c2470412381ee96e717e6a00041de0f394a106e2f7ab0089f602168e8df2516b1c22f35e243fc91c065a383a8565f2dc6f266a19715f15cae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c50fe1e31fd55daaf9b2698f5ebe8367

SHA1
309a813d5ad148e7dd8a859431c6b74807d0787a

SHA256
67c5eea2db924dfe154b698a339bd062bb92fbb0b958781ce6ae4833cbfa5064

SHA512
ba576caace40acdc7abaac5e69a32b4881bd80feb33a447e6bb562b94f1c897c55d0dfaf68ae74791d2e77cd5a549d36c3610d860cf968abd469a73c0f33ae7b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
21e855325ac6cd2aff9815359688ca69

SHA1
1454f9418e9fda53898ff3c775d7bba50d8dd907

SHA256
b0385532c76db50fb97fd24750916c366f95e0bb3bec015da257b8b96143edfb

SHA512
94fd69d7cc8ec0f25caf9c4eeff73eb445e4bcae40c5c03e2663f632c3fdef4d9f25a746fb83890d95dae42751a9dc3193fa990c3e3014fab5fc2dc76dfaf6de

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b7bd315a91acf1464858d3430c287e8a

SHA1
812ceeeeb7204bb373e69756a8e68cd66861ed5d

SHA256
8e71c580a14669afe8beccae5454b27b4259634321377468d1d9ed14ec38fd4f

SHA512
3aa67838ba72c036dd50fb8743a214daca172204fec66c61a470aff7fd562af7ddccf399fa05869762626657847ba1cf595435c370e0f0e114b9e94e49190f3f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
60cda73c35c182a666ac954bed3cc81f

SHA1
e37e90e1fb5146bfbac969ae464a45fa57aa952e

SHA256
954c68579dd0af4260955ae94e03ab67e4b029b7399854f779283bb9ff43402f

SHA512
79757a1515e7acc0701ce701d0199b4c4ab26b20f66529551832c03886ff0ec3f4e46eae705b85205e2b391b7f54db1e8a169b11fe025bca5865c8dd304ebf53

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
f73b2ab79fd20b7e14a15eab786214d6

SHA1
ff9ad14787d5ba3e460ba0d076eb9686a538ad49

SHA256
b24e184abe31d44f8f34ebe548aee3dffe4c6b8738e3fad4d22b0af2c7e367a4

SHA512
5c3bf97fb9cae4e7f63989877c89071e18642b13c9f8f5fd1567673cefe7de09b8628745eccfae83b5cdbfbfa93c383fb9681c1368050a7f14441e5adf9f78ac

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9417d610b07d622cb2fa1cd9cc1ab3e4

SHA1
5e23eb0646e71683ee04afaad967b066d2358048

SHA256
d9c08b85a1a21a7e1280d30e8007aa7444a41020a22047417b61373e97b79410

SHA512
fcf2634f73997fc0497505082618f91bccd9027587729242922e840fed9110630bc7945fd17a71dced48b81cd7a603f69f0240937ae5e67cfc9773f1bb480503

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e6d439270871fd2e10b6bea34fceaaf5

SHA1
0d17feb8399863085caa75a7fe4f1db2e60066c4

SHA256
8572b5f1b6039ef2357a287039a71150ba7fef5b041072cb09b517f2f8398a85

SHA512
3cc47feb14e8a56f82db0462c43813e3e23a084da026be79f66acdffc572255d0ae3022c1b40f4e5b7ae89d23b9790df4b180ac0bda0f8fd32fa68e521bf9cf4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
79bf966a5778b417d38b9842c62abe70

SHA1
47fc8ef6bfc204793529e446b46e7057e4002593

SHA256
95c1ecf7b1fd6ea22863cefdcf681a52aae8ffc2ecd0f3e53250dcd89dd17479

SHA512
93e475d4f291017aabdd8f317cc6260de0fc2684b799b1416f3c14c365ef2806ac03daad8143f0c6f16ea96c26dcdc5cb0ec0517809b70fa1509615242af6376

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
5f2f3191f6232edb566c4f0c857ade0e

SHA1
b010c88a913afe555107035d4fb9da28d9648be2

SHA256
b11fb49c48848fd26f5dfaac347b610feaf8eaaeb5cd85766ea26ef2d99642d9

SHA512
dfb77505578dd29d47483d03a219cf9490a48cf0469dd183055fc29d9e52b954b6fef492e09d2f9443a9b0dd526ab99bae62cd131b86322666608e76907342e6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
66b3610964207d3f5d4c8ac2aecd41a3

SHA1
1b83ce77491ec06640d92aeb439d989dc198d223

SHA256
82f592504fa04b3b74c77a667f4403e2faf7c762cc664534bb68af0284486742

SHA512
99ac3cc3a17eb9084f35d414d4d815df87c3ab784b9e4b041c69d75c2a66bd732ddec39aaa907e8a806c4a85730717d62f1d8c5a0d99bed147b5e62f6378a469

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b3cd196f5d6c89d811279f92084e463

SHA1
976f9aa8ecaadbf89285828ce4c37a997744e09a

SHA256
6ffdfded14313d3dbc5ac631ec259396953f6126d4a3efbff24c8309803df5f1

SHA512
5086cd4a6128f5cf5313f6c6fe266c795ca80dcc840ead5e64da69be421050b1baeeb61a7d046518e22c52a60475b5102c30e0f0c1d2135af7672be101cbcc26

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
502f4a3fec8d76eceadd932e7a6d452b

SHA1
b81682331f716446af887da35a534149a716029d

SHA256
40b0e8a10c697db8ca2bc70288d9416da3a773196665a10fba552887b0d767d3

SHA512
7ac5538cb186247a1be0ea139d0317546e71763275ccb43aaf2198b391c641db334f10a14c6ea8d27d1e4e8bbddb3c9931c469807bce52e6930461a3d3464d6d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
6fb9341534befb6c8213ef14c0acaee2

SHA1
e41b77d4a4a8b28c2be676d8dbb4bf39ad8d4ded

SHA256
3727a724c9c10d8794ec59b3d668a8810caf4230beb1722a14788cc6b5b031ee

SHA512
71b84921fd6b42c6e44e1fa5b15ceb28265afe91ce8e8bcb121ff6d29e1b923ecd9485b398dde3c8d02bb8396cb7ae95c16dd931b23602176d4eaf88f39b692b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c96627ab0198636ad113ee8672d961bd

SHA1
21f3a695271f2f4ad601ed322bba7a75e512f841

SHA256
ed9159b29d4c1ae2f22aabf87bcaae7b3a8d9a4d3b39599b423013e83583baf0

SHA512
4413b1eb5207367aac5d164cef8e37749aface5927fd5ca367748d4c5afac9648eb96ad3c6c5b5fcdb9fb6ee08d7805ac6deb9102aaddcf80b85077a4e5a15b7

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
67e8492343144937b585db55e886c2ab

SHA1
85b30b8eb9d883246c40a3a7c34782b4890be2ac

SHA256
d258697fdc5f70a650b0faa1936980f3be4d422031ba6f4b1e84d8c6b29279f7

SHA512
ad0718f8ea769577042e4ce8b24ac529804bcc5e6f8fe1364dbf5ff13ab712039a431d612edd6d95f9917cb5dccb8863fa3dd8647821c6ce88ec935529d2cbe9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4b74dd94fa96e6abcb8051135b1ed4e0

SHA1
2c52a74c40106e899b24984e346e33a34bbff57f

SHA256
59a99632be26aa1d3cc6464f15a9e05ef5c4ebb49195a5f4f7e671194d9084e4

SHA512
26f0fe3e741414805c49eceb9eedade3b8f03ba749a23857ba61d5a08bc82b5ee0212e88604e96586f1f72087ed7443bb34c3443b1d5358c325f697ec314cdb9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
36fdb5aea82c62426068ae9474f52cc1

SHA1
935facf39372ff0d2303a487d32de78c43101a18

SHA256
272d34af0d5cbd4fde3ddeb0edb579fe5824f3e0c24cc4e6d6510f4601983e1c

SHA512
feada186bf68db316c459b055add9dc846d429effa188b7672a2cfc82eba875e05acc5e452fd1dec92d4e52ee76755a4d9daf9cc930e1e500abbece7256be327

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
c9547062a3f8419105ed1c20ada66bcf

SHA1
d989041c40088e287d58b974dc5158bb989999ac

SHA256
a538480f523fa462c92e93a96dd3a050c59c19e85b63ef2ae05c9efbb918c301

SHA512
3e8bd5cd24c379839e3f0e4f934edcb399ef576c149eefa0891f360cc9985a69442321ce40f1328dc2b02695cc50a09826e6d81408d6d7a87ee9d99076348085

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
462830da7534e3c0786cd9484a7856c1

SHA1
640b4425f5aa9a48938d02cf496a3283a61b274d

SHA256
234595e485b202250453eaf642e116358518c3d9b4d0c987cc879672096581e7

SHA512
8809e8f2f0af1d1c189b98c70392aa302b72e1d3a416a672b827bbbabba63e4d0b5ab823cc75e01ef5891432ef1b65bc7dafe6ce882eeb6478e8095613159014

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
95c7692e58cfcb27b5a5a6f354fdc36f

SHA1
03357d40ef1f3d92992671097194f79053714afc

SHA256
f7f3ae891ce5aebb63cbf87482b8e6a0e71df8622b73a038daa5be3b3a87adca

SHA512
ff630be0e07a60d71630b5869dc1a887436c57e298106e3f5fb80e3d66fc1cd40614013fe91de33ff975e3372f62b874c89b8a6dbb7795774cca330c6a9f78ff

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2da0a9e91a57663861146dc1e227eed4\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
afaead56dd482bb0b0c9e9fae5c320a0

SHA1
30acf4e8a871a774c4a27c1e431d64dc4e5bd6ea

SHA256
24f6316b5f5f5fce4c7fd9feaa407251cf5388547ab8b36be5eb6298005fbf2f

SHA512
50c18d9ee0c60c435a6bc1aa506983f4fa1adb91cc1ff05962613400fae802c03a87e9efe5a5f0a5ac52ffa8c0884e6c7e169dfd702aa812f840fabe1ba858bc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8c6656360773e46e0ad81aa041fa7802\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
15c7d3af54ac153b50658a6e39077651

SHA1
2207cd79f7c397819cb07d60170b29c96b222292

SHA256
62597afc40a433cba964d98664619fd7519915636177d33469e9863872e55832

SHA512
ad1b3a1f850822046a9ca66b817f79a9bc7e0f9147fcc4825a4be7481606afd0b0cf9bc64cb6db69994652a491308a94a51691c0b486e7a5ba30c635af15e75b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\db747dd22ebfe01433f53a7dd96bc716\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
f2fe3e0284872871173acc472839777c

SHA1
3208af37e1b4f46dbe1d4d9ceba8b52e833ce57d

SHA256
c55acae8e3709ceed8eeec2d1d0856e8c3a1fd6f2c774ef1786e424c44463a46

SHA512
44e0d02d9ffcf435600c23b532ac52dd33f8a37b48f05b47a4d2b274e1b31499bfc3dadd009a241621c06bdf488d9133e207b23f5b4dd275ed77d9cc9af62fd9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5afba82c84258586e312ffc7a394e2de

SHA1
994a7b73c68250c112727dee68d4b9d868466522

SHA256
085eee8bb42cd0daf151c5a2f1413199117457663be28c608e20e5ffe0e862c3

SHA512
b620df068d4a56b7eddbb7ae0befb34443d7240cb2fc72478aa6fbee709e0eb259105bf143c8561728a22d179f3b4aa97b65a0769467a1e3bce48972bad5166a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c6c5f8b6f6a34bc486c8af0a0ef6c448

SHA1
24ec8e291c7b257b9524b52e88946469b7ab7e18

SHA256
d0065a97f94fa9485e9c519f6760f9caa0ddafc598930095f295351eda6f2782

SHA512
d526aea05025501ef90ca2484a04c75dce3a59a5765b9741aa86b2e2e0829fe1b18c3a2c9fdfacf64bd896264db60642c72ae681775dba5b0b39747b9946f3f1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9c94ef240a08c90d5237a8177ab3dabe

SHA1
4cc52632a5ac768e11afe68547d016a9d112391a

SHA256
47cdb866208c6c38e7421bd069be088196a3d1b1da545606d5a2079d183f2272

SHA512
2770ffa668ee811f6961bc4096b4df4c6e9d86b0433f122d21705e9c0730d1a3133ac7a81163830661a4b6f9ec382cbc426e9e166f8d70539fb2f8212d6d8022

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
0e8f625fde61bde663f6d3b540a3bc67

SHA1
498633b1e593b06557c0cb90dbf08303407a3d0b

SHA256
dc049806ab1c21c97c593d37e3d41436d420a31dc82cc7136b0dab26844f1eb1

SHA512
c91fa44ccbad5f7da7bce673c4236043187812e077bd86a806432e6dd06f5cad24e1ba6386435cc5e63776d38de741e1126b2c2f36e6b18c2987b201f483055b

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
95a21bf419e9ef93455cb7587c7ae5b0

SHA1
1603f04f07642386f1b60b4ad64e20b943b46c42

SHA256
b9350d9b5fd520da36f74beded73ba1c531ec1618e423112c1a455fe8ab2c699

SHA512
21d62af6ce5e8d58b65c00f87229aea42070ede51d45b082370e300cb076f49e95ba4a3d1f6594aae6a8ebb0aefb5c7e97656ca1e0e3d85934edd2d0aed8574e

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b5ee9610fd37f3451bd9ce355109551f

SHA1
0e7e4f072cf0dc6cb5c3cc94cab8245442dfd808

SHA256
5fcf972c69df24ad69d4c1563b1174103fdcc68a140074806b727499f1a6572b

SHA512
4ccd95d7fc17e0987da380dfe9cc0b798b852c24958bcb3abb19e562a267a5ace5117f279e254da20d3d6835744efc6cd5f805fb57e00e2627bd216d20e561ff

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b067c05086e69cbbe26c7f2fb5b0ffa5

SHA1
fe0a3d0ece40be425ae9d4ac830a091445100a56

SHA256
c5b0278920ea957484286021d42cb6a1199ddec97e8515d5eaa4e8bac95523c7

SHA512
9ab600d51153cb0dd3191a4d088e0a29fb6f9c2233f4aac56da443db5de754b7c552525d53a572dd90e6b66646cf1b4587b6b839a9a3c4b1fadee5514c58c5e9

Download Submit
memory/452-289-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/600-194-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/600-121-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/600-118-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/600-129-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/600-178-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/600-226-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/600-171-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/600-117-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/784-220-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/784-173-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/784-163-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/804-88-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/804-89-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/804-143-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/804-95-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1332-146-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1332-158-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/1332-161-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1332-142-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/1488-71-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1488-138-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1488-85-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1488-84-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1488-82-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1488-79-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1488-128-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1488-74-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1540-224-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1540-231-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1540-287-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1556-280-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/1556-215-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/1672-131-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1672-205-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1672-137-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1672-133-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2020-162-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2020-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2020-108-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2020-101-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2024-258-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2024-209-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2024-207-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2024-272-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2024-234-0x0000000073CF8000-0x0000000073D0D000-memory.dmp

Filesize
84KB

Download
memory/2024-213-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2024-267-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2092-260-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2092-268-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2188-72-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2188-3-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2188-6-0x0000000001F00000-0x0000000001F67000-memory.dmp

Filesize
412KB

Download
memory/2188-0-0x0000000001F00000-0x0000000001F67000-memory.dmp

Filesize
412KB

Download
memory/2212-198-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2256-185-0x00000000005D0000-0x00000000007C1000-memory.dmp

Filesize
1.9MB

Download
memory/2256-183-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2256-196-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2256-229-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2256-232-0x00000000005D0000-0x00000000007C1000-memory.dmp

Filesize
1.9MB

Download
memory/2392-123-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2392-181-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2392-124-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2392-114-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2444-35-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2448-97-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2448-25-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2528-61-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2528-28-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2612-80-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2612-12-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2612-19-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2612-18-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2656-246-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2656-253-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2732-281-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2732-274-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2752-62-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2976-45-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2976-46-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2976-52-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2976-111-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download