e65a3146e49fc221f505163a4e9857754b476d2849d8604d1b892df5838ec099

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Size

24.3MB
MD5

a054b67857f5084b885bdab0e8df5353
SHA1

c3ae4d817ad876198cf37c6600698c921d077bf0
SHA256

e65a3146e49fc221f505163a4e9857754b476d2849d8604d1b892df5838ec099
SHA512

0ae63f4d410813f5fa1c8151e89f1a3df51614f79f2a83e131fc0acbad08f822f22e9ac176e11c83390053969f06e1c71de59cd513cc9bf652a0ed4a69bf4055
SSDEEP

196608:8P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018:8PboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEmscorsvw.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2640	alg.exe
2564	aspnet_state.exe
2572	mscorsvw.exe
2860	mscorsvw.exe
2304	mscorsvw.exe
840	mscorsvw.exe
1264	dllhost.exe
1740	ehRecvr.exe
660	ehsched.exe
600	elevation_service.exe
1128	IEEtwCollector.exe
948	GROOVE.EXE
1484	maintenanceservice.exe
1584	msdtc.exe
1696	msiexec.exe
1248	OSE.EXE
1480	OSPPSVC.EXE
2576	mscorsvw.exe
1048	perfhost.exe
1980	locator.exe
1332	snmptrap.exe
2240	vds.exe
528	vssvc.exe
1352	wbengine.exe
2300	WmiApSrv.exe
2908	wmpnetwk.exe
2944	SearchIndexer.exe
1016	mscorsvw.exe
1520	mscorsvw.exe
2988	mscorsvw.exe
2848	mscorsvw.exe
1316	mscorsvw.exe
2420	mscorsvw.exe
2524	mscorsvw.exe
676	mscorsvw.exe
1636	mscorsvw.exe
2384	mscorsvw.exe
2352	mscorsvw.exe
2988	mscorsvw.exe
1992	mscorsvw.exe
1736	mscorsvw.exe
2508	mscorsvw.exe
1016	mscorsvw.exe
2624	mscorsvw.exe
992	mscorsvw.exe
2004	mscorsvw.exe
2036	mscorsvw.exe
1608	mscorsvw.exe
2624	mscorsvw.exe
1840	mscorsvw.exe
992	mscorsvw.exe
1740	mscorsvw.exe
1548	mscorsvw.exe
1500	mscorsvw.exe
372	mscorsvw.exe
1112	mscorsvw.exe
800	mscorsvw.exe
1556	mscorsvw.exe
2364	mscorsvw.exe
1548	mscorsvw.exe
968	mscorsvw.exe
2520	mscorsvw.exe
3044	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
1696	msiexec.exe
468
468
468
468
468
756
1112	mscorsvw.exe
1112	mscorsvw.exe
1556	mscorsvw.exe
1556	mscorsvw.exe
1548	mscorsvw.exe
1548	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
428	mscorsvw.exe
428	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe
1432	mscorsvw.exe
1432	mscorsvw.exe
1756	mscorsvw.exe
1756	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe
824	mscorsvw.exe
824	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exeSearchProtocolHost.exemsdtc.exeaspnet_state.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e7c0757ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exe2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP74E2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7723.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6B31.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7926.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9DC5.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP844D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8D32.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exemscorsvw.exeehRecvr.exemscorsvw.exemscorsvw.exewmpnetwk.exemscorsvw.exeehRec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exemscorsvw.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ehRec.exe2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exeaspnet_state.exe

pid	process
2328	ehRec.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exeaspnet_state.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeDebugPrivilege	2328	ehRec.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeBackupPrivilege	528	vssvc.exe
Token: SeRestorePrivilege	528	vssvc.exe
Token: SeAuditPrivilege	528	vssvc.exe
Token: SeBackupPrivilege	1352	wbengine.exe
Token: SeRestorePrivilege	1352	wbengine.exe
Token: SeSecurityPrivilege	1352	wbengine.exe
Token: 33	2908	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2908	wmpnetwk.exe
Token: SeManageVolumePrivilege	2944	SearchIndexer.exe
Token: 33	2944	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2944	SearchIndexer.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeDebugPrivilege	2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2772	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeDebugPrivilege	2564	aspnet_state.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1936 EhTray.exe
1936 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1936 EhTray.exe
1936 EhTray.exe

pid	process
1936	EhTray.exe
1936	EhTray.exe

pid	process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
800	SearchProtocolHost.exe
800	SearchProtocolHost.exe
800	SearchProtocolHost.exe
800	SearchProtocolHost.exe
800	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
800	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe
1504	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2304 wrote to memory of 2576	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2576	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2576	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2576	2304	mscorsvw.exe	mscorsvw.exe
PID 2944 wrote to memory of 800	2944	SearchIndexer.exe	SearchProtocolHost.exe
PID 2944 wrote to memory of 800	2944	SearchIndexer.exe	SearchProtocolHost.exe
PID 2944 wrote to memory of 800	2944	SearchIndexer.exe	SearchProtocolHost.exe
PID 2304 wrote to memory of 1016	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1016	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1016	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1016	2304	mscorsvw.exe	mscorsvw.exe
PID 2944 wrote to memory of 2368	2944	SearchIndexer.exe	SearchFilterHost.exe
PID 2944 wrote to memory of 2368	2944	SearchIndexer.exe	SearchFilterHost.exe
PID 2944 wrote to memory of 2368	2944	SearchIndexer.exe	SearchFilterHost.exe
PID 2304 wrote to memory of 1520	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1520	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1520	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1520	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2848	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2848	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2848	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2848	2304	mscorsvw.exe	mscorsvw.exe
PID 2944 wrote to memory of 1504	2944	SearchIndexer.exe	SearchProtocolHost.exe
PID 2944 wrote to memory of 1504	2944	SearchIndexer.exe	SearchProtocolHost.exe
PID 2944 wrote to memory of 1504	2944	SearchIndexer.exe	SearchProtocolHost.exe
PID 2304 wrote to memory of 1316	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1316	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1316	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1316	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2420	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2420	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2420	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2420	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2524	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2524	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2524	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2524	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 676	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 676	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 676	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 676	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1636	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1636	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1636	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1636	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2384	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2384	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2384	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2384	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2352	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2352	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2352	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2352	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 2988	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1992	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1992	2304	mscorsvw.exe	mscorsvw.exe
PID 2304 wrote to memory of 1992	2304	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 23c -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 240 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1d8 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 290 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 1d8 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 250 -NGENProcess 290 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 284 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2ac -NGENProcess 284 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 288 -NGENProcess 2b4 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 2a8 -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 254 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 2a8 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 1f0 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1c4 -NGENProcess 220 -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 220 -NGENProcess 1d4 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 288 -NGENProcess 1f0 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 29c -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 254 -NGENProcess 1d4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 1c4 -Pipe 220 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1c4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2b4 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1d4 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
2⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2ac -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 2b4 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1d8 -NGENProcess 274 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 2ac -Pipe 268 -Comment "NGen Worker Process"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2c0 -NGENProcess 2b4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b4 -NGENProcess 1d8 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c8 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2ac -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d0 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1d8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 278 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f0 -NGENProcess 2e0 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f8 -NGENProcess 278 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 278 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 300 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2d8 -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2d8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 300 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2f8 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 278 -NGENProcess 328 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 330 -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 30c -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 30c -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 30c -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 34c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 340 -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 350 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 340 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 318 -NGENProcess 34c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 370 -NGENProcess 364 -Pipe 328 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 34c -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 364 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 34c -Pipe 318 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 340 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 34c -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 364 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 34c -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:992

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1740

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:660

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:600

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1248

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:800

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
2⤵
- Modifies data under HKEY_USERS
PID:2368

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
88e3478da8b1adaa955ec37a5cf0f50f

SHA1
efc79f1a90c9a1d63e378bdfec6bed4a4d778e52

SHA256
ed61a9be37d92bc176918b1b475ec94b62491ca021ca4a7c4e09aa498e706023

SHA512
5122f61904b8d28103f242177c4df31bf94ed4dcca26aa1f58d13457f8690cc6b10656ff0c203b7c0cbb7f0b112654a4fd8c591dca294310a86a182b9b97ab5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
b5b33a3d4249ef17e0e95ddfdb50dc47

SHA1
8b0d73c41203f487c8014986a5656f3d4a85260f

SHA256
143db5de5d04d96c8759a61bfbfa3e91968c475a61e5162fcc157359537cf2b2

SHA512
db857a770ef1c073b5d8aaed2f38ddccbd742473f23c8799d74b3c055f27c8926ae71a2bd5bf711e64d89ef9664e9f7ea853a90d6cd38e2e4ea0050cffd5c76e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
ab07ef90b6448151e4501a71a89b06f7

SHA1
c2eeebeb7e05a4ecc9dea146fc4b6b2018844359

SHA256
2a540acefa1945314ea74d714d4b363fa90abbb3170adba3222c610d31c781e4

SHA512
f1933d3de7e6f7477913736fc4d156f7f1aff5f857be1c6c24e864c608c237fd2e734eceac101992e39915b01a377ac942adf3cb60da373c08a9bd5ea7585918

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
208843ed1f0909877e030b2a4bedcee5

SHA1
2dfc134dd60db2bb770916c741d0f9a086d168ab

SHA256
e8e5f8a652555b0553ffc5d5513527360ec71592f1ecf4c7b710ac47c42b1e4d

SHA512
70a782e12b630e5034b17fcfb67da096613910bad5188b26a86a91d92a5aa7cff3f83399fd01ca2c558d629f100809d4a68762ef592661fe5ad39c86dfaca941

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
cd5556d94c84011c8b9603df3ff2a478

SHA1
2a49d7bae0bd1566c822d2cf1c345de5f91c6723

SHA256
871c72831ee4345c2616edaff178c4f8ca4c816a2f9600a1417fc13ed4f79ab2

SHA512
6f72bacf8a9ee514c828ab785de19d6f3bbd109c53a06c1dbd18f601819e68466c33e26c22727c71a563b786cdf94cfdf5114a04f9812c74c6bf3bbb12fc00e5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
3886477f9b87d1adf9a8694947c8b748

SHA1
0f0ec75f7c1821744329e85610f262fc6a28e0eb

SHA256
e28159494a7b4a3edf2ec0647c3e6d231f277cac5436c1ccb43a3dacb34b6ff3

SHA512
0ba65fbc8ba351be71659ebd42b0b3b60a54ed096e15da279ed0e2aac42649369a28bf9338eed7bb444dcbc35436f9100fdbec18f5ec34dc700fe75ee24fb2bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
e387ba17bb99b8c96c45f88ab50817a9

SHA1
753b469548dbe3dfbff8f1111119b3957e0fa3e4

SHA256
4f0f9572bc9f5a3b1909cea6590059ec1d60971d628207d7a46418a471587f44

SHA512
dde2b5ee784310b610c1af65d5a80e4b70ea2289b068e798e56093b31984b3a2a2e43af6aed30c96e6ee9e1d2487dea3d1c3665b324a7b854242b38682812470

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
da7c40fbb87c790dd5f98c672a5e99df

SHA1
16bfe604ad3d2858d5b57e00ebeb89cc38e3be6c

SHA256
aa242157a55283269776b233a4b65452e765a7793019cdc4521e989999a9b869

SHA512
41692ae09b50a88749e29948147f96185b2ad10560f95cbfcb3ac24bda3b2007411575030a1fbd4988427e07569d9cd43f68ecbb0036011036580873793d5254

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
329d7c544da20cc2087727df1ab93339

SHA1
013b8ffd861ca9a08ea3a65d0d6410ff7ec5e4bc

SHA256
dc39c5116fa855d0303af04f7f5437bc52c5db4d1a768ddb873375cc7d6d29c9

SHA512
81547609ace47b82df9b30a544aff749461dbce2fbe38e83058a807255b0a18e0914e86bf465d547fe122c8a836599e5caaac8945b737bed72f1bd908ca434f9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
cfc966a59c254c7704ac4f097ad09f51

SHA1
f097e023a24a017fa86bb30bd222b5d2badd7f1c

SHA256
7ea83c639ce3c9f8fb8679f9c33364c308ebfa253c138b7dc7adf17a90ff9d56

SHA512
552e2e685cad87d7b48ce2eec716eedfcc93b4807f00344e971ebda8f7fd276dad6253611b3643c5242366f935b3c6347891fb662d042531b2d38538af8bd3c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
2d3191e91015fc6781e8e7d0f3cbac13

SHA1
925a170662b4422d8d553cb14626876f4e790ba8

SHA256
53313d10564bc16bd3131b29916d564032645f317e0e4bb86b947f6bbd8df6ee

SHA512
23f4ba356ea964ae499175eaaf333a6f1e6a3a0ef4c65eda6bf9650ca6d5204af247ba65e93e5bfc3683f83e404503bf969e8ab167deba43c49ad3354a3cce92

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
414d195ee8bd21f3db2245c1ac850030

SHA1
931afd580c9010e081e1bb5324db722082cb90d6

SHA256
d3c41995592bb8f4bfc70f4fae58af27c7d622fea60bb91f042c9e404bc4ceeb

SHA512
925586ec956efa39b875c8116009fe96ba82356d47f93f398bae153558e6ec2867f412b3207ca0463b917072eb2a768977328a13697ff83e130b91a6364c6752

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
64f0a53b9df1b3c360bc8bb059c2b8ad

SHA1
b9e89da3d1d52bf347c17d120d130d11edb917bc

SHA256
62e7ff27964ce8be48810e0cae3eaacb497f17556d1efaa7f47c80ba23625882

SHA512
2cc5c476fe75386227634f3abb023ac833d2b1e6096c8e089a1441b3deb964438dc6e5176cc6edcc78e903c36aae82591f365a1d21fe73ab8032af4913d56a9e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
2cc5010f9012e20cf940a38f4d52534f

SHA1
6683fcd9ceed96cc64e6994725ebd77cdbd9f97d

SHA256
c62218d5c9f883fbebe785e7233e6f4c12221955082b4b05bd011158e244e36d

SHA512
85ff388413ab99bb5e9496745b6e6dd3a126e422cb5d924ed87ed89f3a301d9a31f48374102e8e56fc2600dca6eae59239b5c76fd40bd1a8abf5a5250eb4147b

Download Submit
C:\Windows\System32\alg.exe
Filesize
644KB

MD5
8b2697d66a39d3259a4bb4dc87c0e122

SHA1
8ec3d69738c7cb087e5c4996fb4e6fb4c34e3dc6

SHA256
130cc4eb69a3e36e41ceecc426727a74e61ca410641d841e2839d20d007f0349

SHA512
9e4bf8698a090d15ca7717204cd5b78900303c198602ee326eca4d6cb1db1072549d8559e842a227961ae965baffa871ffdf74400e81f57e50c665455f6568a7

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
705KB

MD5
66db64478a65ed753248efc10f45ff13

SHA1
1830cb6820d72cac6927892a463da4e6853fce91

SHA256
d0c8e169fd859501e60a99ad4f54baf19a47d0f67940548879b44fa75c51f19f

SHA512
8332f5fab9988821c6445397cbeda2a3db2f8d31e1d47df45e7e172f14989a1c6a3633aabc3a516c1942b88c4882e3bb2a608260b818e67bd762018faa749cbb

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
2b8569e7ee394f4a9bc5500d4a31f8e1

SHA1
7d3c8b8e88e1532b1e23bbf9b26f19d64eef34b9

SHA256
eb9b4afe2b5e47ab4f766896e8891a784887e89af105aa3e1229bd6f0269a596

SHA512
d0d65fe006ec78ed8a05ff11805243b4fc3f1f5254bb103daaee99a16b7d4610e1a3263eeb870cb5b19b95c82fbfd9967f5d3d814613c08c180b091cfcd00bdb

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
4edd4d0de1f2e7538863aa21874a2a9d

SHA1
b8b993e27fbfeab4a6633794ea48a848cd2068f2

SHA256
f5b8b3a0c3c702d614b842802262fa9ad354669ab607bca4d8b1b69c1ec46587

SHA512
03cef29ea8953d1dacadc7a1fe34e425784af6e34891fc2895f69eae5623b0dca79e1f9ec55e52546e77909f0df33eef39419015ad2d19deb7cfa225bdcac5c9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\64012b860fd14480d8ae746de3d47035\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
bf429a8189477c549cbe2618fc5ba642

SHA1
887abbab533690128761898b6cab24188b230d5e

SHA256
ae43629e34f3ac6de4a5e7e1a588ff63982a9f10cba07c3c1d03a1c00e3fa930

SHA512
3d6af099300f9315051a6f1981387c4c8c0c6a6fe7277bc23437e056d42585544b03bccbb0dcdd7d8113009fb044188c90870fab83e5c6648d6c3dce15db3e70

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6c64853915f8af6fc521ddd12c1673f9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
17714d439a7e5d4e3691495aa8777374

SHA1
f2f30f9f933576ac1ef8598724fa49faa103a8a4

SHA256
1643589d4a8b887af2763859aafad150c09800171f13ef1fb629fd29af034fb4

SHA512
88c4f6bb08b952bdc99f5d43a1aebac3b175d2ca5aeea3a2f40c6895d001009791df6f7a2aee587369c4fe85d429615e32e9bb8a037f52be97487075df379698

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d1918f4305213fc0da0bceacc4c013e6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
f3a7a58b389574ec9e36bb7c795d727c

SHA1
95832c5ee4322160bd61f9a9f21d7493a78d0fcb

SHA256
63cae5bbae0460b3fd1212084c12b75b202db941aabfe51188fb069990f09187

SHA512
8b3dceeb6e17a020988b4d1272d0964282457cb6c025ce12b728c14a37b53c248a5773498d898fedb44d09e38bcd798e9654b4753d0ad208a15ab866d08d7842

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
b678f3ef34895c91d9f22ae8d52b97d2

SHA1
5c0c3aeb340bb7019193cd4ef4f859b2acd3113a

SHA256
e73d63889bb1393473a540f124e6dd7481639ef1ffc206dd7d47f1b7c3d0973f

SHA512
02b25966428f88a928b4dccc80115bca493acc8f3849813055910555a0f5b592060ba8daca48ebb516e2945ef52adb964f8e4b7970025f55e688c480e5a79912

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
46c4c44c9ac51cc12011f0361a8cf0ab

SHA1
276e88553549a17b44e5bff9ea190fbde4663247

SHA256
3ea4b09e1afa96ec9be53693a933d8061602491a579d7b4a9da0aaa4f6b7e083

SHA512
b15efead042e016e4e301e0202cbfe9a8346dff7dfaa166ebd9acafefb14bbd565072ff5660d17722d11d1336e85d1b48e65a1bc58e1ff4dc15974c3b0555f77

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
8daeb2d069dcc90f6a4595a0f81d675c

SHA1
c17f97bd3c848238ca1e00c547643915c23c67f6

SHA256
2fb4afba45fc7912634d8493c2506cc09ba9713e44742b7455b352654fc8e66b

SHA512
b095e79d4d7bfe8d1c0ce54634166c9176069621216b4ea2b528f3f20d59b660676d5806fb73ac6b84174cc57af135247fd5aa197dec654879fa0b06ceca0db3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
21d0e7aaf01c0afe880ab92aaf52813f

SHA1
94d21ecafbd3c1f68ef0b7fd481a1beaa2a88d35

SHA256
b6c58ce124dd085d35cd8543b3f3296db9981863984563a34fe2a1fc46ae1b62

SHA512
794c34eebf6891eeb6fa686e449c078ee17fbdccb21ebaa8bd28d7c2fcdcb16a7e8308af9a06277f712aacbf0452e535cb11f7adbdcfff0e01c47a2381b0081b

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
5ec5eca10d79b360212e7d6f637e4709

SHA1
85ceb8d7be8bed22e7d91fdb920a28ef41a8e82c

SHA256
798dc1f24d66ad8494a90f283ae2cd5d5df9f877f8f9779f3eb2c7efa15340f9

SHA512
634c274b34bc144020a683ac61aa44dfa0d64853e7ab96ebdfcd462848e5e383b51d1ca81eb43c14f9cd537565efc8109475362f9a79a9ebcbc62b75e1cd87cc

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
1dc1b365ac16d05e4e6bcf5062da057b

SHA1
fadbb48860d8c507a70bae3432c75e3ee3441555

SHA256
7b8f7b4e3142f1d750ac6f5ce398c26c359aef864898b4f17cf2325a1b068e11

SHA512
2dba1441da3208c08e324b8639eca265af4aace38077dac5ed62da308c469dad92e563be7a18e9b882970f38bee839b237b45973090d05d1998814a6142ecec4

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
e36431d16761d3035fcf0ceac066bc45

SHA1
8967dbec14d05ffb25add0852d44c1d5aa8eb536

SHA256
b97dafc6068f7337d6b6b5d457f39d4fdd5bf6cc5aaaa34bad56fd3ffb51a340

SHA512
822d335411ce4387828fcb358328619b992404c2f803d3459515d3f15d4613f410fbd44b391cc03944a72a77a2a69b5d8ffdd87b80067d53f1a23215255d0566

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
34d151f55270cea954f4458f22330553

SHA1
9454eab77b82a7d54d4fa18197bbb06d5aa57170

SHA256
81b481a5117547c3e9bfb9fffb8478d0841f668c04e2c317e93a4c05c7758d4e

SHA512
9088a643074b237a34aadf1aa3e1fd77c33489832a0a1f7134d20853c6be1c69996013f5c759054e90b478a3e776fda63664112ec6891eccc593f991e07a480c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
a7ff24af68ea7a349376f8c45cdb4ff4

SHA1
58b0460f068daecb8a07d6a008d3df0c9993b6f6

SHA256
953a7f4533f49eddf7dad28dfbf8e7b98948e4c0eb20319ad643adbb03c0bc29

SHA512
6a665b52825c17ba43f1908ab0e4b54d23deb2a31b1ecb78198d6e34c3a00c38dfea0cc8c4eea20b1609590a27120f7b80d2ea236b680f57cdc04fe668b52f4a

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
3593aa9c3a0cc1293feb9fd8cb3bf712

SHA1
9061df3bb49c1bcb73ab600f6ba27ec68c2ceda7

SHA256
ba175304d8f4a7a559a11741b23e81dbf0ad5d95f959a65727f2b8abb1248358

SHA512
a76fe8bba9d61f9ef91811f8e6cfa59ccbee88b9897d71e1c265a234ee6c64f49b9b7527c37a57ebd31beff16c085dfe948b8fa93726193d4be4b50e98b72a5e

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
294ef9743f888b251a1b2fd7c7908e93

SHA1
9bab6345b079a2a40607655a78d6397143f5e970

SHA256
f14b893d5348f6793b2b7f011189cfe8058f7d7f4e8e72d9625c2bd3d5c0cc03

SHA512
5721fb9f3a82fff74cfe50d00cf55ce7c743e210fa3379864d5109966574bd767a3f26f759b71930fb28b87542533f8e86ae8907d16474b4ca8c641edab17310

Download Submit
memory/528-248-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/528-521-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/600-148-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/600-243-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/660-126-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/660-789-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/660-239-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/676-549-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/676-554-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/840-80-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/840-95-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/840-86-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/948-236-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/948-172-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/992-730-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/992-711-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1016-690-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1016-422-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1016-684-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1016-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1048-455-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1048-227-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1128-151-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1128-803-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1248-207-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1264-204-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1264-105-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1264-98-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1264-104-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1316-498-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-522-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1332-238-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1332-457-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1352-259-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1352-535-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1480-454-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1480-212-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1484-173-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1484-183-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1520-426-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1520-469-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-180-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1636-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1696-189-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1696-394-0x00000000004B0000-0x0000000000562000-memory.dmp

Filesize
712KB

Download
memory/1696-191-0x00000000004B0000-0x0000000000562000-memory.dmp

Filesize
712KB

Download
memory/1696-279-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1736-654-0x0000000003C50000-0x0000000003D0A000-memory.dmp

Filesize
744KB

Download
memory/1736-668-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1736-649-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-112-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1740-118-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1740-111-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1740-853-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1740-208-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1980-241-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1992-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1992-640-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2004-743-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2004-728-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-244-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2240-496-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2300-548-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2300-263-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2304-898-0x0000000001C10000-0x0000000001C1A000-memory.dmp

Filesize
40KB

Download
memory/2304-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-68-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2304-63-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2304-899-0x0000000001C10000-0x0000000001C2E000-memory.dmp

Filesize
120KB

Download
memory/2304-188-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-605-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-628-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2384-588-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2384-609-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2420-520-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2420-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-550-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2564-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2564-24-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2564-18-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2564-146-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2572-34-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2572-29-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2572-37-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2576-406-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-240-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-714-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-698-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-125-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2640-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2772-6-0x0000000001F70000-0x0000000001FD7000-memory.dmp

Filesize
412KB

Download
memory/2772-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2772-12-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2772-91-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2772-0-0x0000000001F70000-0x0000000001FD7000-memory.dmp

Filesize
412KB

Download
memory/2848-509-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2848-481-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-77-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2860-49-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2860-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2860-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2908-556-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2908-275-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2944-587-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2944-288-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2988-458-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-479-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-625-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-632-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download