450f0489b0534da24a56b7c2d0b33ef2ffb9d82b3d58b8a7bc873389ca945f2a

Analysis

max time kernel
147s
max time network
158s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Size

24.3MB
MD5

92d47fcd78dea1b6daba5634e38a031f
SHA1

0eaa3c9f7558934e427aa9fa546bddc85e187be1
SHA256

450f0489b0534da24a56b7c2d0b33ef2ffb9d82b3d58b8a7bc873389ca945f2a
SHA512

65d10fdcd5ba313423b254fb388d6da7a193083edb8b82ba2e82848b73947a1c29d892a4ac53a1e6ae9b9c165e8f8f05f98d9cd401b7085bcb9550acecf828c3
SSDEEP

196608:cP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018l17:cPboGX8a/jWWu3cI2D/cWcls1a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
3064	alg.exe
2436	aspnet_state.exe
2612	mscorsvw.exe
2032	mscorsvw.exe
1120	mscorsvw.exe
1360	mscorsvw.exe
1620	dllhost.exe
2180	ehRecvr.exe
2788	ehsched.exe
792	elevation_service.exe
1148	IEEtwCollector.exe
2116	GROOVE.EXE
1716	maintenanceservice.exe
2884	msdtc.exe
636	msiexec.exe
1992	mscorsvw.exe
592	OSE.EXE
1428	OSPPSVC.EXE
1052	perfhost.exe
1172	mscorsvw.exe
1180	locator.exe
2356	mscorsvw.exe
2452	snmptrap.exe
788	vds.exe
2876	vssvc.exe
1696	wbengine.exe
2888	mscorsvw.exe
1040	mscorsvw.exe
2024	WmiApSrv.exe
552	wmpnetwk.exe
1248	SearchIndexer.exe
548	mscorsvw.exe
1648	mscorsvw.exe
2040	mscorsvw.exe
2208	mscorsvw.exe
620	mscorsvw.exe
1304	mscorsvw.exe
2940	mscorsvw.exe
1484	mscorsvw.exe
1384	mscorsvw.exe
1496	mscorsvw.exe
1992	mscorsvw.exe
1320	mscorsvw.exe
3028	mscorsvw.exe
2208	mscorsvw.exe
2008	mscorsvw.exe
3016	mscorsvw.exe
2352	mscorsvw.exe
2344	mscorsvw.exe
1724	mscorsvw.exe
2056	mscorsvw.exe
1148	mscorsvw.exe
1472	mscorsvw.exe
2316	mscorsvw.exe
964	mscorsvw.exe
2072	mscorsvw.exe
2504	mscorsvw.exe
2256	mscorsvw.exe
1680	mscorsvw.exe
2152	mscorsvw.exe
3044	mscorsvw.exe
2520	mscorsvw.exe
2504	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
636	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found
2072	mscorsvw.exe
2072	mscorsvw.exe
2256	mscorsvw.exe
2256	mscorsvw.exe
2152	mscorsvw.exe
2152	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
1020	mscorsvw.exe
1020	mscorsvw.exe
2856	mscorsvw.exe
2856	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
2152	mscorsvw.exe
2152	mscorsvw.exe
2428	mscorsvw.exe
2428	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b0fe65cbae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8B3F.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F5F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7CDD.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F18.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP643F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7677.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F68.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2208	ehRec.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: 33	1548	EhTray.exe
Token: SeIncBasePriorityPrivilege	1548	EhTray.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeDebugPrivilege	2208	ehRec.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: 33	1548	EhTray.exe
Token: SeIncBasePriorityPrivilege	1548	EhTray.exe
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe
Token: SeBackupPrivilege	1696	wbengine.exe
Token: SeRestorePrivilege	1696	wbengine.exe
Token: SeSecurityPrivilege	1696	wbengine.exe
Token: SeManageVolumePrivilege	1248	SearchIndexer.exe
Token: 33	552	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	552	wmpnetwk.exe
Token: 33	1248	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1248	SearchIndexer.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeDebugPrivilege	2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2656	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeDebugPrivilege	3064	alg.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1120	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1548	EhTray.exe
1548	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1548	EhTray.exe
1548	EhTray.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe
1652	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1992	1120	mscorsvw.exe	77
PID 1120 wrote to memory of 1992	1120	mscorsvw.exe	77
PID 1120 wrote to memory of 1992	1120	mscorsvw.exe	77
PID 1120 wrote to memory of 1992	1120	mscorsvw.exe	77
PID 1120 wrote to memory of 1172	1120	mscorsvw.exe	50
PID 1120 wrote to memory of 1172	1120	mscorsvw.exe	50
PID 1120 wrote to memory of 1172	1120	mscorsvw.exe	50
PID 1120 wrote to memory of 1172	1120	mscorsvw.exe	50
PID 1120 wrote to memory of 2356	1120	mscorsvw.exe	52
PID 1120 wrote to memory of 2356	1120	mscorsvw.exe	52
PID 1120 wrote to memory of 2356	1120	mscorsvw.exe	52
PID 1120 wrote to memory of 2356	1120	mscorsvw.exe	52
PID 1120 wrote to memory of 2888	1120	mscorsvw.exe	59
PID 1120 wrote to memory of 2888	1120	mscorsvw.exe	59
PID 1120 wrote to memory of 2888	1120	mscorsvw.exe	59
PID 1120 wrote to memory of 2888	1120	mscorsvw.exe	59
PID 1120 wrote to memory of 1040	1120	mscorsvw.exe	60
PID 1120 wrote to memory of 1040	1120	mscorsvw.exe	60
PID 1120 wrote to memory of 1040	1120	mscorsvw.exe	60
PID 1120 wrote to memory of 1040	1120	mscorsvw.exe	60
PID 1120 wrote to memory of 548	1120	mscorsvw.exe	64
PID 1120 wrote to memory of 548	1120	mscorsvw.exe	64
PID 1120 wrote to memory of 548	1120	mscorsvw.exe	64
PID 1120 wrote to memory of 548	1120	mscorsvw.exe	64
PID 1120 wrote to memory of 1648	1120	mscorsvw.exe	65
PID 1120 wrote to memory of 1648	1120	mscorsvw.exe	65
PID 1120 wrote to memory of 1648	1120	mscorsvw.exe	65
PID 1120 wrote to memory of 1648	1120	mscorsvw.exe	65
PID 1248 wrote to memory of 2132	1248	SearchIndexer.exe	66
PID 1248 wrote to memory of 2132	1248	SearchIndexer.exe	66
PID 1248 wrote to memory of 2132	1248	SearchIndexer.exe	66
PID 1248 wrote to memory of 1388	1248	SearchIndexer.exe	67
PID 1248 wrote to memory of 1388	1248	SearchIndexer.exe	67
PID 1248 wrote to memory of 1388	1248	SearchIndexer.exe	67
PID 1120 wrote to memory of 2040	1120	mscorsvw.exe	68
PID 1120 wrote to memory of 2040	1120	mscorsvw.exe	68
PID 1120 wrote to memory of 2040	1120	mscorsvw.exe	68
PID 1120 wrote to memory of 2040	1120	mscorsvw.exe	68
PID 1120 wrote to memory of 2208	1120	mscorsvw.exe	80
PID 1120 wrote to memory of 2208	1120	mscorsvw.exe	80
PID 1120 wrote to memory of 2208	1120	mscorsvw.exe	80
PID 1120 wrote to memory of 2208	1120	mscorsvw.exe	80
PID 1120 wrote to memory of 620	1120	mscorsvw.exe	70
PID 1120 wrote to memory of 620	1120	mscorsvw.exe	70
PID 1120 wrote to memory of 620	1120	mscorsvw.exe	70
PID 1120 wrote to memory of 620	1120	mscorsvw.exe	70
PID 1120 wrote to memory of 1304	1120	mscorsvw.exe	71
PID 1120 wrote to memory of 1304	1120	mscorsvw.exe	71
PID 1120 wrote to memory of 1304	1120	mscorsvw.exe	71
PID 1120 wrote to memory of 1304	1120	mscorsvw.exe	71
PID 1120 wrote to memory of 2940	1120	mscorsvw.exe	72
PID 1120 wrote to memory of 2940	1120	mscorsvw.exe	72
PID 1120 wrote to memory of 2940	1120	mscorsvw.exe	72
PID 1120 wrote to memory of 2940	1120	mscorsvw.exe	72
PID 1120 wrote to memory of 1484	1120	mscorsvw.exe	73
PID 1120 wrote to memory of 1484	1120	mscorsvw.exe	73
PID 1120 wrote to memory of 1484	1120	mscorsvw.exe	73
PID 1120 wrote to memory of 1484	1120	mscorsvw.exe	73
PID 1120 wrote to memory of 1384	1120	mscorsvw.exe	74
PID 1120 wrote to memory of 1384	1120	mscorsvw.exe	74
PID 1120 wrote to memory of 1384	1120	mscorsvw.exe	74
PID 1120 wrote to memory of 1384	1120	mscorsvw.exe	74
PID 1120 wrote to memory of 1496	1120	mscorsvw.exe	75
PID 1120 wrote to memory of 1496	1120	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 23c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 274 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 23c -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 240 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 298 -NGENProcess 28c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 2a0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 298 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 1f8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 248 -NGENProcess 1f8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1f8 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1d0 -NGENProcess 21c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 21c -NGENProcess 1e8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2a8 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 264 -NGENProcess 1d0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 1e8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1e8 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 298 -NGENProcess 1d0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d0 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1d0 -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1f0 -NGENProcess 294 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 294 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2bc -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c4 -NGENProcess 1f0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 1f0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2a0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2a0 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 11c -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 1d0 -NGENProcess 314 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 308 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e4 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 314 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2e4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 314 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 314 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2e4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 314 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2e4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 314 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 314 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 304 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 358 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 378 -NGENProcess 304 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 370 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 304 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 314 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 370 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 304 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 314 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 314 -NGENProcess 38c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 39c -NGENProcess 304 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:792

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1716

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:592

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
b2a9e7312a345961408879ea9aa58152

SHA1
32e2872f5320bb3f2951fa8756581808e8cd978c

SHA256
e3c4341cecad7e756d50f6b0f5a214d1480214cd85a4d55430e55d96bae3eda3

SHA512
00ad78814ce181733cbf6cebd9e0e93cf85f035384d15216866adb2bab0dffd33044b6efe678178cd3dc7a55db3bad72a89e482e42b0d3caf6b37789b915cfa1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c822d2615bacc5afa0cc86e3c72720ab

SHA1
64efe1f64d82946a9823ee2bb186549b5adb4afc

SHA256
2e26942a17dcd03a345b6544804933fc3a6a8f1677a9983eb60013fa0422ecaf

SHA512
c74dbced8af2864850b7117cfb7056e951d76cb1239826e8860d83af0826e642b69d9b760cf3bbf8211d6e02f0f58701e0e74ecd34547656873bfec60547f9dc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8bcc187ab667e8df80ac75369b3a112b

SHA1
5a5b371eb26ac6e0bb0767b7344524e54c682116

SHA256
928f9fbd451b4a045c998bd757f64d65135ed2e186120f3fec1abb6cc658ed25

SHA512
f29bde6f88e12d42ea9d3a139f17b853ce935b7c2a55274f4c5353417f28f82a20db3e3b0ecd55e74b635787bd312436362682557ef4e9fab51bdacb1bf1fc85

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d8732d6b0d4c556624454c21a86ecf58

SHA1
7ecda2efbe090fe464ddd34c06b13af9a86eb9fd

SHA256
d46d52215cbba248bdeba2b6c346a8fa0742fa410933bfe423b34fa3699ecc03

SHA512
c8c8ef0fe24727aff5de48790617871094109424f6869ccb0802685963e659eb8cfcbd85d53006e3f315d1f19c25192548f3a304574016f8c462ec4895223627

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
604ae41fb345021dbacd1eff98e24425

SHA1
202d7ef739db572bc8413d0a39d12f9da3bea251

SHA256
199330f0779d90fa59ec845cc596b4aec5619d9975b5d6f180bdf3c62af5c050

SHA512
cc899b17d058d5288f106b44d0a633fb950046e8f5a27d6e99c5f9e856575bb495cc6613a5567a637cdfa8cea3ab1b51f87be7f3809350f00a90ecdbf0592354

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
cbc713e4781f99015464bdce894fc497

SHA1
f8e611e06bff73e1806dccaf8d1758e5021a6886

SHA256
743f8b2f5e126f76dbcda35973b92cf791c625adf2caf87c774351e4f19ca5e5

SHA512
55c2c3674747e0c5ad15c3d5c880e62a8886b2817a44a59a85f598a9c2c52b4c7efd25e94deceef473dc01a6bbf714c40ef6dddfc337cb43797c0d8949fac925

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2a18a78d9321d5e7f76fcc0c9a4ecf36

SHA1
381b90ca85c311644fcec2f95a96b4aa98f67706

SHA256
5434e7bd776bf8eb5ddb9207bd827893461890da8aaddc4a491f8485c5253af1

SHA512
46a07277a2a71c2d884524066fb1461214a701d0178edbbaf13f0f3d4e9151e49e9ea3d722eb320e12e04a7683497a4abc3c5ef7f4d8755b2d3e1d43a972dea1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
061fb30fb708a6ca7fb19c540cae470a

SHA1
b2a20420443121b50e4834b067f88f30f0e01891

SHA256
d17935922db3ccf5b459e3f3a9006ec8dca758fd93f9d3dc20083c4b32bf3ebf

SHA512
415a2422a1bac041b595df0478cddb6c27d68d325960738e18ad5b2ed6706a02643b9e4919f3cd729968068e329e475f5d89f29944639dcd81b2e8f1fc94a35a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cd14635ef90c17f1ab73c95eb8ea7a9

SHA1
e634bff77302625a2f1e1417aa355ac7bc6360c2

SHA256
9dafc4f4dd5474eaefef9d70679e223de9af1aa438262d7efc3f1ecfb46491c9

SHA512
29f525fbdd99e9709813ca722bd200fb5814719f81329168d728382a7eecda03c1c823f3e635a973e1976f0f44d701a13c91f9e0e5114296175bf2060e31505f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
04b8c5fb6e17cdf5516e1b510cb8f389

SHA1
d39b8b21b4e017fca0306cbe13eca810e5d454e0

SHA256
27a055b612e7ff01740e79d360c8c7018ce1311e53717f49ff2d397b95dd2d75

SHA512
cebb92ecc651003e1210ff3b71fb81a23be69940528d70d8208d8ddf19f022b6e093ebf649eca84068732084836fe2f67aaa1e57825c448b9dc6b0281c7868ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
22b308d0229d212c8b2694adad8d0aa6

SHA1
54a51b2120722ea0fcbfd3c0abc027572319a8ea

SHA256
8f7119f42ae855a403b353176f397143861ecb8075838dca305e445f1060a8ce

SHA512
b2ebcfb14983ef40db96a0c00817ef5fba568a90896a12a9d12986726399c04e7a4d0bee99e5a22054490bb4bd95c2c071490acfcb61137636de4f8d8d6cd732

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4b3ec97f95d74494133cf629dcf28010

SHA1
d6d06c6567dcfdcb9e6d44793b12ed3f217238fe

SHA256
dc25de9ec2c9327aeb06ade9944cfe89fac24ae9f8681a3874749e58a8abdd18

SHA512
e49821fc10ed1a8329c3a935896c972d3ac40040decac12fa506f0e7137b2f8b4465c1631afb055e3d5304f4371d4797fa37dae04709010293fa12c09ede93e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c1c6413785cf30dec448759ead9828c8

SHA1
6ee17419576873eee3aac9588ecf8d1bad502862

SHA256
c9b6665cbf109bbee0851a0600f755d5e6aed0bad14550056d5559e1a5d68f52

SHA512
9406a824feb2da04ad6660352858878079b3ea16fb106851292ffa497ea8329a215f92da24527a5820d8250446e95c50367ad097d7740fcbf940fa6589f3086d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a8197dcd0647d66360023954babc314c

SHA1
1a1f449b52d015843b39cd872c665bd6f1a9f62a

SHA256
f5b23580d2358859ef35c14c34b1f4b773ce9b08591559f76a75a78d1c12a54a

SHA512
63d9aab5c25fda10b59ba1316f35a11fcc9c06243a2ecc8501fbe4bb664716631b27a494a14e4cf1ed5e50d248a0fcac3cb89c23331f0b5cc26f1fd4423ff72e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
155eddd0109c75f948b3e7033edaee68

SHA1
2b21c9ca57d30345158b95529254caa3b442f417

SHA256
711ce57fcd7475e2c00ccdddf89073b549c6c9e0bb9b7fe26433113ff46fb76d

SHA512
f96040ba64106de33a3ea4657cedeb06c287d4d0f66732c99ed53ea71d0ce86b8cb24a624a77c10408f647d9c4465b87ba7d5cd9cfdfd20aa1b3db5c33de370d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
1586d8a1f4ec8de5bb8644be214b91a2

SHA1
30d3b087330972cc8251aabe6370c16e58d3c045

SHA256
1bddff68702d37d6efc001fd5e4b3521ae5166c6cfd7ea77f9b4ea2a34ba856c

SHA512
a8388d3a54a270847b3a054e646c012f0f28a47e0e41d2c12a35c938fb6bfa9760b1c4ab18c1cb393b6de8f9feb84976ac9046ed5c7f0d6b6c962c6d9f1ffd8a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
df6e20ffed6ae93ae53013fa067a1c9c

SHA1
6cb75f9b26e0e539e2f8cac979635d0cfe29b9e0

SHA256
2b9595dfc44b0d7b3765fd6e1217163f9f24b304cec2d8b5005c475f4719e73d

SHA512
ad22e634959d50dc959d1c661016bc91bde7de00a8e24e9abf78b3e42bd2a7ad0a706356b2025289f5b87cfce0c45dfa4baf7a7e496b2589331e3f02bc51fe83

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
542a76515cd1200a632912e5b2bf58d7

SHA1
1369321f2516926bb877c9c8e3bb1fc805e6f4a3

SHA256
89cf1f4c36b3ed33a8cc9ddb4e66e549296186dfd645438408fcbdeaf485dbcd

SHA512
d5ed946cc127443cb67cd7e20d6b4ee3aea9265a94fbec744d96b3e8ca243e50e2aac2518fe4edbb23569e6916f7f4a176eaffc724832d5f855ee713f2c564d0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
59615d21485383cdf4a7718318e60199

SHA1
6080b717dbaca670db5525839c509847f996a6d5

SHA256
82d3ccd738bd032d633b79df373f596a0fa3a7c6098bcc4f7e852c808311f9ec

SHA512
363fd95785e3189ba8823e0a0332e7775d1c40983d825dc52e8a1014ebea0ef7cc8f0afb56289004d73a0d282d03249231fd9ef4154d5898de045eeb372cdf07

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c375a5ea4a266a304fa0840c6cb413ca

SHA1
b02f211d594b4b095dbe2191c9a0b5dee61e69fb

SHA256
2dc2408e6989cc9240a238d59e286b4516465eac3dff1635818f8bc5a1d874d3

SHA512
aa9b166088ca37013e2d29758f8fee7aad4712f134fc94291e61ba6e7b0eb19179f4c32e4b60de324f3515ac67b537d9f1c44cc3092ec5ae4cfcbf93619cbd35

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3e37a52614785eaee4f43596076aa5bd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
a5704eee627e297aa8c89298ba21b689

SHA1
1e48911830a3af529c9e0e67fb896ceece0b52f4

SHA256
4c815338e287fd6ecd20d7cf57db9bafab987428d244cda20951924e6ba50e5f

SHA512
d270d24bd18cb04e9373e9e4675bc3e5351fb6a6905c99c019a86779704d310ef3e1d748ec9a3e3115a613b38cb7897fbbaf8a8b4077723fd16944298e97896a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c67c74328b603c7dfecffa69961c6e51\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
3138ee3f21d2fb62c35cffcaaf7a9eef

SHA1
531e76645da17f46f5fe31c3843c85299d59a504

SHA256
4e70f8fbd6a6f7427a13b6ba8af52407bfea5e79cfd4027f24c2fc416d63fd8b

SHA512
a754f8fbf2b71bd60a73080417e2690cc7f3e66a8faae408c2053b04737f6002fc62f2ef9afc66015b1792d5b3bc4b4d672f83e7853a4433c4458f20d59b794b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c8c6c5112f12e3b81bbb8f2ec6c23f8c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
3926c3a872af8cd1a9b54b34c29a7805

SHA1
3382ff102d97c1ad46a44f84d0a00ddab285e347

SHA256
1aad98da3c9b7f7c212a023161785c0ad35ef9122c8d8edfdc935902bf6748e3

SHA512
8d4f590d43e1494f33c0c173429f3d84f758a691ec1090fd44b2d83ee840c105d172086bde1403688ea394be407fc1de25b64647baf9209ba85b56341e3eab57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
a0344caeb334112d2325d4e58ddf005c

SHA1
b65066b0590b1843bf857067b9414404aac27063

SHA256
b4a425e8e044d4216dc74c0cdfb507dd5d2127c9f1a50c3291b96719f4fd6a32

SHA512
21804c0b09d96ea2711bc54de18f5a61eb0eedcc7e385e7c470ec004f8c1de7ff0222dfb759bc4020f1341246c47ddbfa78e9acdb0810307533080db5b540870

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
04ce570c8cff05260fe4e3b152e37e2f

SHA1
88eaabfd6351402a2e2600cff690402722d58763

SHA256
70500095aa26e1ea2e954e127af9a9a0a4408d1052f38742a0abba55f1f54c90

SHA512
aa3fa4bb964d3db5872a58a43da4037f2ebb441fe6d610ea3ac4235ee646480231e5b7068a8c599e243aa73f9673d73c265b32a80ea8d74866e3ed6a8de29030

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
f6cb6b16be60cb6504d7d8d5c336acc8

SHA1
49e88682569a677413c69f6ec72a8869038ff10a

SHA256
a7a4186f4f2d6a08571c959ade3d12337b8e9791c8f9175d3631e1723365de31

SHA512
93eb6513f35cab461f4af4c2b5f2e5786d63426b87628ac7c59f9b0a456b90b829aff5321a325330eb4f4fc73618a525fa4162e05ac92027f69b10b3e4e17942

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
809c54773db0b40b0a65e1004f9f31df

SHA1
acddccb59a19d81be33e71033f9bd49e33aa39ed

SHA256
d064df6a6f47dee5827590a2716429b0ff96ee3a328ee5fe70bcdd067cb0b60a

SHA512
b45b4720180cbb9bf06fbc9326cb65f970f027b034448899caa4c293639881355439ff32fee2968512c72364a4e7d0470ab92d03d6c9a6117703c4a72ac4ca4e

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9ab5427e3b4e5cdd58e552fed22640e0

SHA1
62d7dd4ebc1b196da89fbbaa48307a2115c4b1f5

SHA256
8a5f6520c4399dfb05baa728770d10bec6aa069af2ab271fbc640d84c2bb9163

SHA512
0db0885a4ce4d46b02ad4c9f174a75c5887770717e45e336f2bdc6ad1b0a83dc82d4b5a7523237df9c0dddffd7bca4be3302185e382f863a154a279d40ee2d5b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0a2dd92946f14e4327db4117ea25a5de

SHA1
e6986047b450cde1cb933a3351d0c8bfcd4eef47

SHA256
6e8bcf14e16f7841fa3826192c5bafba76a1a5e9b4485a8b9684afbd57e0abfc

SHA512
724e6a86645cd4ce3b10516afa0f68112e94a2ca2efc3fd2f834b004084bf5703e674e7b498a6913354d45e54efc9d5d8bdbab5a2aaf09f032779829d9307770

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
0f6402b98ea69b7d147d1521c76da470

SHA1
abba69f3433aa679517c1c49f71ea877b7504581

SHA256
fd271a733a81a94ad729cfbe362657775196c716dee696d1fce93b26c19843d6

SHA512
9c78439095d2b2b2a432c08c25b0cf687777b99548effd3feb6c49685e7cee56211e94f507cdc0062827297e749e52b93d90ad4fe2d6c951b4421439a548c606

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
74513ff289d5a2759e5e1e38d4da399b

SHA1
9fd1eec47b9ee6ecd598c1acaf6e62c0d2fa0cf7

SHA256
462ddabfd8eeadecbb0cbeb92f7da20f9ebf809e8a6998b5804718d7e8424e28

SHA512
95e33c93167a34355aa3454641a31e4f511bcae156d1cec3dc338a701e26c2e9209e4aa133c08e0ea3987c10daae36ab217a3781025c033e7c3f40dd5cf11d59

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
0eda4121b50a14a2766ca130720a2935

SHA1
4608d3d438877e2efa62943a2e02411c8b7d8575

SHA256
e8a6afa4061438a39eed61fd3fd47fd79e0073d6b07921968e4937f5803a670b

SHA512
649d794f30e11d49929b1a8befa5605a7391d4375881e1e6cfc40cea3eb0756f8b1fa3ac2f4b4a14bef0638f8a4824e0a2e7dffdf4ad2d0a572d9e31c4e376ac

Download Submit
memory/592-358-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/592-239-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/636-337-0x0000000000510000-0x0000000000663000-memory.dmp

Filesize
1.3MB

Download
memory/636-231-0x0000000000510000-0x0000000000663000-memory.dmp

Filesize
1.3MB

Download
memory/636-320-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/636-213-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/788-849-0x0000000100000000-0x00000001001B5000-memory.dmp

Filesize
1.7MB

Download
memory/788-334-0x0000000100000000-0x00000001001B5000-memory.dmp

Filesize
1.7MB

Download
memory/792-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/792-156-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1052-263-0x0000000001000000-0x0000000001136000-memory.dmp

Filesize
1.2MB

Download
memory/1052-417-0x0000000001000000-0x0000000001136000-memory.dmp

Filesize
1.2MB

Download
memory/1120-922-0x0000000001F30000-0x00000000020CE000-memory.dmp

Filesize
1.6MB

Download
memory/1120-921-0x0000000001CB0000-0x0000000001D54000-memory.dmp

Filesize
656KB

Download
memory/1120-918-0x0000000001CB0000-0x0000000001CCE000-memory.dmp

Filesize
120KB

Download
memory/1120-72-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/1120-923-0x0000000001CB0000-0x0000000001D9C000-memory.dmp

Filesize
944KB

Download
memory/1120-919-0x0000000001CB0000-0x0000000001CCA000-memory.dmp

Filesize
104KB

Download
memory/1120-924-0x0000000001CB0000-0x0000000001CC0000-memory.dmp

Filesize
64KB

Download
memory/1120-926-0x0000000001CB0000-0x0000000001CD4000-memory.dmp

Filesize
144KB

Download
memory/1120-75-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1120-929-0x0000000001CB0000-0x0000000001D16000-memory.dmp

Filesize
408KB

Download
memory/1120-917-0x0000000001CB0000-0x0000000001CBA000-memory.dmp

Filesize
40KB

Download
memory/1120-925-0x0000000001CB0000-0x0000000001D38000-memory.dmp

Filesize
544KB

Download
memory/1120-928-0x0000000001CB0000-0x0000000001CDA000-memory.dmp

Filesize
168KB

Download
memory/1120-920-0x0000000001CB0000-0x0000000001D3C000-memory.dmp

Filesize
560KB

Download
memory/1120-927-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

Filesize
32KB

Download
memory/1120-67-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/1148-845-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1148-168-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1148-272-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1172-309-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1172-282-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1180-701-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/1180-286-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/1360-95-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/1360-94-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1360-88-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/1360-215-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-363-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1428-260-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1496-670-0x0000000003CD0000-0x0000000003D8A000-memory.dmp

Filesize
744KB

Download
memory/1620-113-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1620-116-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/1620-107-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1696-359-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1696-854-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1716-189-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1716-207-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1992-288-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1992-223-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2032-51-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2032-101-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2032-57-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2032-58-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2116-188-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2116-281-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2180-886-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2180-238-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2180-129-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2356-306-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2356-380-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2436-27-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2436-155-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2436-33-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2436-26-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2452-321-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/2452-846-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/2612-39-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2612-43-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2612-37-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2612-83-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2656-0-0x0000000001FE0000-0x0000000002047000-memory.dmp

Filesize
412KB

Download
memory/2656-74-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2656-5-0x0000000001FE0000-0x0000000002047000-memory.dmp

Filesize
412KB

Download
memory/2656-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2788-250-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2788-133-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2788-677-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2876-338-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2876-851-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2884-202-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2888-395-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2888-372-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3064-21-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/3064-18-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/3064-19-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/3064-12-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/3064-115-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download