0439a8f2751ae3b3a084ff8df14257c8337815670ba1d07931a2de2fd36cdfcd

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Size

5.5MB
MD5

ae7b34e264e11f50cea8e45395ea6f02
SHA1

3f1aa1afb4573bba5e551dc082bd7292978c0096
SHA256

0439a8f2751ae3b3a084ff8df14257c8337815670ba1d07931a2de2fd36cdfcd
SHA512

e5c47e0a74552f69b3443afb501a36258b12293b503b09d3b0b5dd2a5545ed458ea99f1c80591fbba433cf9bf8c8426e15bc1af792570698e9e6f4abb62922e8
SSDEEP

98304:cpEEYEKdrL/LGgB32V/sosbjy79tJRPNXwY2heuDiD93YC:cpEPyS36/sXbjyDFWeuDIG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exemscorsvw.exemscorsvw.exemscorsvw.exeelevation_service.exeIEEtwCollector.exemscorsvw.exeGROOVE.EXEmscorsvw.exemaintenanceservice.exemsdtc.exemsiexec.exemscorsvw.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exemscorsvw.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
2068	alg.exe
2740	aspnet_state.exe
2916	mscorsvw.exe
2544	mscorsvw.exe
2720	mscorsvw.exe
2828	mscorsvw.exe
2864	ehRecvr.exe
3040	ehsched.exe
2772	mscorsvw.exe
1584	mscorsvw.exe
2216	mscorsvw.exe
2276	elevation_service.exe
2504	IEEtwCollector.exe
2908	mscorsvw.exe
1352	GROOVE.EXE
2656	mscorsvw.exe
2496	maintenanceservice.exe
2204	msdtc.exe
2396	msiexec.exe
1228	mscorsvw.exe
3024	OSE.EXE
1524	OSPPSVC.EXE
2848	perfhost.exe
2920	locator.exe
2808	snmptrap.exe
2664	vds.exe
540	mscorsvw.exe
2660	vssvc.exe
2932	wbengine.exe
1960	WmiApSrv.exe
2432	wmpnetwk.exe
2612	SearchIndexer.exe
1384	mscorsvw.exe
548	mscorsvw.exe
1568	mscorsvw.exe
2724	mscorsvw.exe
2788	mscorsvw.exe
1748	mscorsvw.exe
3056	mscorsvw.exe
2884	mscorsvw.exe
1948	mscorsvw.exe
1172	mscorsvw.exe
2092	mscorsvw.exe
1752	mscorsvw.exe
1828	mscorsvw.exe
1948	mscorsvw.exe
1620	mscorsvw.exe
2156	mscorsvw.exe
2356	mscorsvw.exe
2184	mscorsvw.exe
2820	mscorsvw.exe
1952	mscorsvw.exe
2024	mscorsvw.exe
2468	mscorsvw.exe
2408	mscorsvw.exe
1080	mscorsvw.exe
1420	mscorsvw.exe
3036	mscorsvw.exe
2532	mscorsvw.exe
2076	mscorsvw.exe
868	mscorsvw.exe
2912	mscorsvw.exe
1252	mscorsvw.exe

Loads dropped DLL 44 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
480
480
480
480
480
480
2396	msiexec.exe
480
480
480
480
480
752
2408	mscorsvw.exe
2408	mscorsvw.exe
1420	mscorsvw.exe
1420	mscorsvw.exe
2532	mscorsvw.exe
2532	mscorsvw.exe
868	mscorsvw.exe
868	mscorsvw.exe
1252	mscorsvw.exe
1252	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
1208	mscorsvw.exe
1208	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
1504	mscorsvw.exe
1504	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
808	mscorsvw.exe
808	mscorsvw.exe
548	mscorsvw.exe
548	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 20 IoCs

Processes:

2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exeaspnet_state.exeGROOVE.EXEmsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1df312ef56fe8faa.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exe2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF641.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD672.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFDB0.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25B9.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DCD.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1600.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

ehRec.exeSearchIndexer.exeSearchProtocolHost.exeehRecvr.exewmpnetwk.exeOSPPSVC.EXEGROOVE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000040d24b2fb54fda01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{84185F30-5AAB-428B-8795-8B9CB3F307AA}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{84185F30-5AAB-428B-8795-8B9CB3F307AA}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ehRec.exe2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exeaspnet_state.exe

pid	process
2756	ehRec.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
2740	aspnet_state.exe
2740	aspnet_state.exe
2740	aspnet_state.exe
2740	aspnet_state.exe
2740	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exeaspnet_state.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: 33	1520	EhTray.exe
Token: SeIncBasePriorityPrivilege	1520	EhTray.exe
Token: SeDebugPrivilege	2756	ehRec.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeTakeOwnershipPrivilege	2396	msiexec.exe
Token: SeSecurityPrivilege	2396	msiexec.exe
Token: 33	1520	EhTray.exe
Token: SeIncBasePriorityPrivilege	1520	EhTray.exe
Token: SeBackupPrivilege	2660	vssvc.exe
Token: SeRestorePrivilege	2660	vssvc.exe
Token: SeAuditPrivilege	2660	vssvc.exe
Token: SeBackupPrivilege	2932	wbengine.exe
Token: SeRestorePrivilege	2932	wbengine.exe
Token: SeSecurityPrivilege	2932	wbengine.exe
Token: 33	2432	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2432	wmpnetwk.exe
Token: SeManageVolumePrivilege	2612	SearchIndexer.exe
Token: 33	2612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2612	SearchIndexer.exe
Token: SeDebugPrivilege	944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Token: SeDebugPrivilege	944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Token: SeDebugPrivilege	944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Token: SeDebugPrivilege	944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Token: SeDebugPrivilege	944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeDebugPrivilege	2740	aspnet_state.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe
Token: SeShutdownPrivilege	2828	mscorsvw.exe
Token: SeShutdownPrivilege	2720	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1520 EhTray.exe
1520 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1520 EhTray.exe
1520 EhTray.exe

pid	process
1520	EhTray.exe
1520	EhTray.exe

pid	process
1520	EhTray.exe
1520	EhTray.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exeSearchProtocolHost.exeSearchProtocolHost.exe

pid	process
944	2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
1844	SearchProtocolHost.exe
1844	SearchProtocolHost.exe
1844	SearchProtocolHost.exe
1844	SearchProtocolHost.exe
1844	SearchProtocolHost.exe
1764	SearchProtocolHost.exe
1764	SearchProtocolHost.exe
1844	SearchProtocolHost.exe
1764	SearchProtocolHost.exe
1764	SearchProtocolHost.exe
1764	SearchProtocolHost.exe
1764	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2720 wrote to memory of 2772	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2772	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2772	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2772	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1584	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1584	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1584	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1584	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2216	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2216	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2216	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2216	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2908	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2908	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2908	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2908	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2656	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2656	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2656	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2656	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1228	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1228	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1228	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1228	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 540	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 540	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 540	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 540	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1384	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1384	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1384	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1384	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 548	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 548	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 548	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 548	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1568	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1568	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1568	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1568	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2724	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2724	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2724	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2724	2720	mscorsvw.exe	mscorsvw.exe
PID 2612 wrote to memory of 1844	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 1844	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 1844	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2720 wrote to memory of 2788	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2788	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2788	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2788	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1748	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1748	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1748	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1748	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 3056	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 3056	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 3056	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 3056	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2884	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2884	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2884	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 2884	2720	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1948	2720	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ae7b34e264e11f50cea8e45395ea6f02_magniber.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2916

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 284 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 270 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 270 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 2a4 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 2b0 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 280 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d4 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 290 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 21c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 298 -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 258 -NGENProcess 23c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 21c -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 21c -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1c4 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1c4 -NGENProcess 1e8 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 1e8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 208 -NGENProcess 2bc -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 29c -NGENProcess 280 -Pipe 21c -Comment "NGen Worker Process"
2⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 260 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2bc -NGENProcess 2c0 -Pipe 20c -Comment "NGen Worker Process"
2⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2bc -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 2a0 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 208 -Comment "NGen Worker Process"
2⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2bc -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2a0 -NGENProcess 2f0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a0 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:2320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2864

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1352

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
PID:2540

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
58KB

MD5
44189008aeb71a40d254ba8a4aa231e6

SHA1
d2197a06f26b19c2739ce070c8aa939403d4f008

SHA256
d788b6429b58dc375ad989b5b1d88e9ec59a4e6423e43d180ff7f083a7743700

SHA512
9d344c200b37d93dc371b85f5bdfdc9fe282ee70fab3c119ddf33e6522a6b8ac1d3a6fd729320f55ce292ec11b69c2aebc18d15a9513be85d597071fd9c37c37

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
53KB

MD5
1125d2265816bfbb38150963bf5e97d5

SHA1
1a584ebee12e77e9d00db353ac5c15a136bc1f9a

SHA256
80cf415d227bca8192090f47f4a5dec992645866c7c3b63b22b7bc7ebab5d0b3

SHA512
d23e91206ff74e5535af9728dcdd89d6b05bd0edc2c7562933b56673d5fa0f916f38110b726e4828ece5347772712dfcb060a39c2fd76dd7cee9fb36bd98d1df

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
379KB

MD5
d8d04ce85c6748cced9b4aae9e1ac2e1

SHA1
298f6fada3911c2dac229e7d358b1ae867d611e6

SHA256
c71d81026228ce0d3709036090e69509e457edad90ecc3ee6322bca353d7dd8f

SHA512
c628e703c511f59976df0979d7fd0a4d786950d5289ae341edab25b765495b09f1016a14f4bc7410a551bee8ed52eb211b33478c87a65789ce759bc399d45e61

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
273KB

MD5
d568ad46ac2393fdf70ed0952ec45652

SHA1
92d0633d6af5e71a836ad551b45a7477a9c8f064

SHA256
aaa2c410f603d9a5aefea7f3825eb85be07e4dcddf40190fec2c17bb2aa75a58

SHA512
80d1df1b51fc7772b4968568600533fb21b2675ff1cc2e79060d5ea216b39802111219da3975a7e88338da6278e88677a128f8f61385a57157990efd44984950

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
518KB

MD5
da127847de5f52289fb523715fe02787

SHA1
439590248019ee71cf0c5968aa40243f324b0948

SHA256
93b582c02be32898ed2fac460a639caa198183f5e55b908890170992ea0fbf65

SHA512
c52c46c297ae24ca3c0740eef62a546eeb9db2ae9ee798472ab332c7b6c896286d4cb5eed128d4c4e60ae2e24c5e3facf1ef0ca722d8bfaf96f9ff8af6ebea28

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1KB

MD5
97bd8967644fd7036fec8faf1541cb21

SHA1
4822e1d2a0d6b511a114a6dd028cbc72d0f62c48

SHA256
ec84acb1acf16c1c07a304607451078c13df8c6b99b684e92acf4cb90959f35f

SHA512
98d11531363b016a6a344ec0e198472a487acfa2a0f43fcbb2ccc175556bc4391aeb08d7715b0f54db85ed15ab5b740d6253ff98e37c197dc4e46a6f6f4a14e8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
62KB

MD5
f15b4f1ca1b5b7446f7ef0db19053c5c

SHA1
023e34b497a19e74f4a082027ca6662c76238bb1

SHA256
dbf19ea19fe91b6bff862feb987298dc62b999fb92a8a3a29179fc62bbb11277

SHA512
c51c675252a93c9ad877ff88929fec4e220b72c2cf44eeef4b9fb0a7af0736e2dea087d11b2f0d4a7b6091ca64c2395d3085ab80593f9268c7e32e2f3d4d9044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00b29fcf943e5245376ea82055cb336e

SHA1
c717ba4539fd82f9e7f7f993753b1451bd726679

SHA256
72f2ba7bc4f99bd49522befd27d421e969693e731a7c2c3589700dd7dcef386f

SHA512
98b560622077b081d069b6065138782a3aa2b9f97fff2d44910a02db0a41f98f39a5016f2117f10d485a2e63ae00ff0c7584c30a4f2d03c7d2d622f1efbabddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef8e084012ccdad2477268a061df7beb

SHA1
57d2bc2b67134989a931863c5e7899d562e7c696

SHA256
614ded630015523031c12d02c784dbd6a4914e5139781aa06c40ec2c727a3799

SHA512
045742f83360cb43ea50d6b634537fcbeadc1d2558337825f38fee547b94baf4e0d18e3e40b63e758cad849905f8e6dca79cc3dddabd6e62ccdf5df2555f762e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e39c4c0c4af0186fbeda9374b8e69dea

SHA1
c70b04da840b32f3cd49cb048a77b696ca333061

SHA256
4cb381dcf6b1d4ef85368cbaaabdef29d825c8bd88c12c54ed6a09e646db8561

SHA512
f83953c8b46818c57d7a70503e61b19ec5c74f23ab473814765316701062b86b292640db14c9d322be5b83fce01a2742bead2ed67e7b0d680ab2582a6029657b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
69c0c502527d3c224d8fbf55a1d2c15d

SHA1
c5648be3c0fa42d51c433e4c5e6815df7418f46b

SHA256
171ba6829fd74dd616003accd62d11fb7ef22ba4e51076b92b66be84775f68e6

SHA512
634f3559798b8484deb0a73e2a36a4d8683f91ca84ff7fd01e9779448fe3b1a04fa11fab42a7d88be5b2eb9971a21ae4b9017f1d815bd5c4ac448b77d78283fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFFICE~1\v32.cab

Filesize
11KB

MD5
a620a25286339c928ebd242985905a8c

SHA1
d8223505a0716ce68e0e7984c0192277352991d5

SHA256
8337a932bf3a4483b43be6bbaaa30554d3ee9e1a041be70451bd59f08182fbee

SHA512
5d3b301432dea5122f11137e1071bcf4931b8de55d35bafe6a9393a005fee2737bbda3ad5c2f5fb5d486b8dc1bf28637ca12d9dee3ef0a339e35619df747e26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFFICE~2\v32_16.0.12527.22286.cab

Filesize
10KB

MD5
91ecadfeaf460441dad9118a5b3cc60f

SHA1
eabc73224a5e3b4bb185f3ed65138840d168e954

SHA256
e1f57d838559920bec185d3e6d5eee10d9b3e2b53f14b16d6236ad2604750b57

SHA512
a57265e121794646a70f39d47f1f97c34cfadc56955c91854320e4632e2098e14a7c7c797c7a91c9349aba4394d298d4ef6c4489fbb94159e1f20ded158b762f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeC2R5158CC7E-314B-4A61-86F5-6412E2C5E8F7\VersionDescriptor.xml

Filesize
20KB

MD5
adbb2c3f044c3ed52474e01515211c13

SHA1
cf2e1bc2d32247884dea1891f93bd911264a6c4e

SHA256
bee79df988b8c342d79abf57b77dcc301c5da616d6019c60c70b8c2f52365dcf

SHA512
abff080680f14f95a8780eddb4bef9a79d118f94e1236310e7985d6877675ae576801c59aee62e89e755b830ad2e72c7833723d3b2e1f70f487dc0e9f9aad689

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeC2RA9544A50-D6DD-46BC-9383-02CFE28B7AEA\VersionDescriptor.xml

Filesize
6KB

MD5
bb60324022802923266b3568f5e34752

SHA1
f5e5416cdd8c467a87516c5fa15680644885526b

SHA256
1e5da48ff5ac445abab7ceea569f91b1c7e0e0e89a99120f41b687715f5bb219

SHA512
4f2f0689d913f46cda2a3075d9571414c945db5270ff6e32dbbb1939e7cb46b09d89f1d4b739dd233ba1cd392a88e6f21a83024fd3ae05abba221fba9cb8d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar177C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
261KB

MD5
4b4143adb7c2d872195efd14f6bf1a6e

SHA1
aa3e7af8bf4d005ed877136bd955274c24294cbe

SHA256
4efe6ce271eea333babe331ca75a57e96186f2dc58f5e72d08f645a66027ee4e

SHA512
02494ee0cd835a60478477857c5e0b96d621c390d1f362e311ff009518885324403fcf313a038b0709b2b8c72eba3b1ae712484d50e459b596df559065c0eb62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
90KB

MD5
85139d5804b7915e4413348c08ca988f

SHA1
0b272bfef702c6ab59b6ff80eded9d882e922920

SHA256
e8fdc38492d53ed1ef660ef733739c9b2041af53c823656660c29b138703cddc

SHA512
05c6ba8e232b7fde303dd2c109583c9f112b01732b7212bdb96a821a442ab31de817f860c8e0d138b3e07ac7e28f1e7d28218491c9266b3a76729aa2b15cb906

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
61KB

MD5
5619da14893bc98f620fd242291bb3ff

SHA1
8e90bc5e2d53b2e32b0b6383898d474e3bbb4b6d

SHA256
dbead2506abac6932b39b376f89d2736baa2f40348869c17b2d6dab03f8ca956

SHA512
57340ca3504d96a6ffbd9fed935282cf678853814991ea77660a1b20d7f7cb0aeb763fdf9122b86d733f8f4ef9445a5fad9d0c89946fd988d625e554d1c52fdc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
444KB

MD5
3889704c2ec28a06914de8ef29e52de7

SHA1
f5c6dd0237c100ed1cd542e957812347e48e1a12

SHA256
98674103d6f02346eaaee841a95fccb548bed2b9947585e31e50aaeb8bf92f9c

SHA512
59a7e3b5855b5dab4c998e206a637ad801aa5e44e38f71968ebf7eec9f2d5e99a720b3938355cc61a5bf595a283b5c5625a1878fdd834730451eee0c6e6e3c80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
363KB

MD5
14cf18f5d64befff281636931d4b5598

SHA1
b117411161ff2025574729aa47231a946c25f28a

SHA256
66233565994384bba3e13c2cf48c66288d7a4e6648814d1e69ccd16e8a351da6

SHA512
c53ddcd5446ba5d736a58661436a321577b83a3b0418e172fdaf26d463a7555ae8e5d1ccab78f3c086e7e997d6cb0197a568a80f9ef99f9fc8da3bb8c756f9b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
99KB

MD5
518c06b41f7796c007a1337ca93c44fc

SHA1
b9e8a9d9eb627a72873520943d8c3a7b610ad65d

SHA256
b8b73dc2becb2e2e30855473c7b1a2bb3b754032570f3197ff27bca81c6544cf

SHA512
ec3fa703352cafe98bf1414f46ec136cc869bc48fefa6733cbc5c59712d7269e476b4d908e4ea3bc15d3d0be30f8de792f8ba0dd7316c312c5e07847b020d414

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
282KB

MD5
0194083a6a5aadacb82de1a569178a63

SHA1
a1527381d9b2ed2abea1022bed89d28b9f80a86b

SHA256
ac36355be0fe2c120ca8672996d40c5a8883ff6f82faf755c96d0371ef14c620

SHA512
dbf9cab8d6b49c48d3b0b4579fdf751fbbbdfc38e1d38a66a61c1e6c30fb16737eb1917ea2cee29401c7dc58f42d29c0f64bfcf95b284c3d3c7b18e6803ef181

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
314KB

MD5
94cd1678af053733d80e9aedb7a18888

SHA1
4239a71b8c5d4df330cc750a0fbef162864c1a3e

SHA256
4688a7edc446818f8a837cbd11ab242b31ddf2da3834936cb1d5f3cb87009ffa

SHA512
3947a923bbd13504e4f4f123bdfa4f5f967ca7e56614e0e96fa4617b38e58574a39bff57c2d9f1f28b077580905db77a09ad632785f9a52a2a67cd77c72579fe

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
248KB

MD5
baf700c35038a06df9263aa3f76ef5b7

SHA1
cb3fb34de3f71a33074a1b085310ca60b96bce22

SHA256
3eb56d4d8fd6dec74f812407285cacb69a9a375126c096ad2f0504952d697b38

SHA512
e977dea3ec1067baccbeff4c29315e274eb246b351728615e9ba32d5e05fa131a89b245a573b9419d211fc8471274575a8f495eac6ecae70ee1d0a863fa2f881

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
81KB

MD5
78afaa2fc2e8c7c4ab37af9da95c0205

SHA1
e120c70eabed105c3583bf113c73f0fbd499f151

SHA256
0c2e93be839eb1a5c3f8179d90edd9daa3560247caf01ee8a82b455eb9c78f1c

SHA512
539472cdb25ad71092a3c6abb9ddb1b8bdbb0962058afe4bad4479bc528c4d4069da094e154e418a6aca6a067c1339d7e904ea348a8205139c4b715c7a16af62

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
46KB

MD5
488277ff0764f336cb3cca571ff519ca

SHA1
bdc5dd04a74deb10d586004bddcc7cfcee009ce9

SHA256
f94d0b7239e939237e6513013c3f06ff04f898d94ae9f954d6080fb16f9ca092

SHA512
a6f324d80c4c6e091db4ad536b744d1c9dd1c2fa810366aa52fdb474ea3d76e18c0dc53b5b2849554528f538b5a0e8b2a3383f51d0acacb56551a05e3a9cdc9f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
354KB

MD5
763b888aaef9d8a1c099c13839aa5bd0

SHA1
39d6b8253e597eae2641c40e80fa11a04b5e9fa0

SHA256
53952956b7035dfa61cfe48b6f78aff539babc41a6be8ab6170f6429d6a9b040

SHA512
7c8e527250a5e6c9595ccff9a9522d11e2df640b36f8365e2dc5913551018bb790886e7c912709e6f2312ad673421010a79f2e43b1a3154d5f2d6af171919615

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
1cee6251bb37aae274324f195045968c

SHA1
db5747dc3e01c5dda9201cd64cb0c91ee8e6256e

SHA256
cbafe688a4ffe2983bf6864e8aa1eb5791aabdb7ed2b252ad139b6bb799f5428

SHA512
ae227ee47b0f8cd79450cc036f5ef77d0d0c5d5d85e1ab4c49fe6caed81288ade4ebabf8a7c9e8954d2cacb81952662f2bee457b898edbaa2c710f2f466e7a35

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
413KB

MD5
63e157842225f34886167e812693914a

SHA1
41ad971bd05f9bb9380b15da0bdb1837e134acc2

SHA256
d10e25751d090bceca9d14f817f90db2eb21352f738d30d936fafc9fc9e8a18a

SHA512
3354309467f8da132cf02c5611396e5b1ee2e0a6846484509671eb8a1018f8662706a7d6f584331b8ef572d20105c5ed052f13828548d44bc0ae78fb7d216ed0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
254KB

MD5
0d8876cabb6934797423fd1729ad89d1

SHA1
12f8d550a6ce574adb96140a4e838a491921d85a

SHA256
ac8837763b04a77bcb1697b4912298d4f115a8e6d940e20817860b1f939a0835

SHA512
8bf4dd64f3a18baed6d31053271638d6c72d98e9f73501fbff6e9efdbbc033f1565a08247cfcdf4cfdc8afcf3820bfe03bb5dab718540a33e98facd4f2e2b3e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
468KB

MD5
8c8ea6edfe196fee1ce091f6975159d6

SHA1
a226e50788e6446d4b68b3aeb0370fb3fe54be58

SHA256
64e55f6cbeefd28c5c47f0818a57b92f81a020879244def89e62d282c13c5fc3

SHA512
02a851cc7c8722233c45cc512291b74ebef23bd3899d159e73c32478f824169b7e10663acd87a026734dbb658e388ba68ff29e73950ceef2f5ca667f25e8393b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0f1e9c48869ac4a3f4f36089a1ea6033

SHA1
b431d3152b2c0d3ab3b31e4d9f3de76079ef05dd

SHA256
353c5eb76d3503218443bdc04fc4f804d147f5ed0d3a421bf6bb2c4c69d558db

SHA512
05e582087bc69c0ecea180e1295e04d16a99094a59f2cf559397cfe7c4ebbfb851a225e16511e871a4ca7ba393cff4e6a1b5dfd6fe8ba197814323269c631286

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
243KB

MD5
109fc7db684f887882de37422bf6507f

SHA1
6888270c09caaec91d24e261234a9f325b7df606

SHA256
07a79c39db1001d10debd20679a6af64a867296e9a3fa342b700e55e10297831

SHA512
5acb3fff377cf1c522c928fdb174f3f445671437971b845b0ea19b15a14e1dde14202222936dbfae10da404c22bce105026c96944697f8e44d78166f1a303dd1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
290KB

MD5
b86b2e73802073d624a3228a11b7246e

SHA1
c1f18519f8cb53e80f6ecc4cdf348a50c10f87df

SHA256
7908083ad09c6633fc65e9e8ee8cf2abba969aca0a814fd8cec0e95f5bb49cb0

SHA512
e9b03033d1d1b4df661fcee743d19e3d0ce6c7b69049fc359175721d358ebeb11d26a2d094989d2809e712df03521ea9d8c2b88d78873bfe520672c898485cbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
126KB

MD5
1ff688d6b153f34f9467853009a3bc37

SHA1
be99199e2739cf053e518b264d860da938c7e7a4

SHA256
926eeefdc4e2f562e0383a89577b1f45d0987852653d7294437ffea36ecece3d

SHA512
53766934205f6bd2dfcdd39f34ab9f435ff5f412eb643aec353c2c5d9974e6b72e0cbb9999317aa40b19e30b303788073885071e88d14086aa4a2e5f647a3fac

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
164KB

MD5
fa3cac8d9c282e99e04bea8474a26251

SHA1
d91801a8ffd4d828d57137e886ad44ff261c1fef

SHA256
2cd27b0b6329a4719184c900f8b0f0ff9c46eb290cf6ba4822f38202f9910b74

SHA512
1680101c014d8a1ab429c61c75dd2409a2d435e3d9621e51d69b2e15a4fceb3186a4f00da8b572f39bd3250832bed6f3acd811d20cd5a2232689eaba18939ae5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
50KB

MD5
f83aefb6d1458dda97cdd5d9c7d77e8a

SHA1
8d377e909727a3bbb07c5a26c6c5be5274b0313f

SHA256
c20e2599cc5ca2fbb08916691594f7776a9a0df932314ee1e7cdffc7859928c5

SHA512
1dd0e3b19337a3fbe036ea7de2a59e04400b694ba14f82dcafbc59f858b1ce7d3ee18a43f5073c45c1bdab92ae11a247333ee1812d2d886ba38aab8d862c0b86

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
43KB

MD5
423377861a91b4a1fc9cb0589e746b9a

SHA1
93652379b30d92e05d072bb767e273c56ea6ef2d

SHA256
e3894bf4e7a3c107c92ec6b707fb983f0f4a1a28a407e636cc12dc1b80a67071

SHA512
9b17ceed1c8a432b3b37c33cf8d8dd9f847f1dec42449ac64001f44911ec9e0d711184d8dc9f66ad09d3c61c34049d9cea3b7246368557365014b4243e78866a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
49KB

MD5
ac33ef2ef40344d50681ff654fc046d0

SHA1
55e86bd637fdef78f64525c7a4674b6037c24d84

SHA256
39a4626334e0e4dea948c727bb5eb8c0f63479cdb88fcbc9b74d5baea2359d3c

SHA512
5aef66d3d755250bd9ffea696a153341326bfd047b0d68697f5585927bd3fc28fa5a5ead0d94dd65b3aac4b25b7d21359c37786a7b557bd1cdd5a3e2d01aad21

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
63KB

MD5
fd9f36993ed2de4827e9d46cef7ba9ed

SHA1
396788940965dbc74bdb385e2a30a6a8d6d9aeb9

SHA256
a9c2eaa0a3e9c2ec386943ef98d04188ef0875efd4414446b1231e96b7009153

SHA512
bee712c3efd5a596181f0e050d52d4780d93b31964cb344c609ff18ce8a8aa45f1df264407bed7ff707b1e96b6419af2f2149c0dd5ed2a21d6ccbb304f917c4c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
359KB

MD5
ee9d75f90f8414c67d041221d2fac98c

SHA1
749d5a48d9364c459500f3bc2836fb36eac5362d

SHA256
3dc44ca741d22f78fc042407ba3a5cc4235ff73b7efad5325d149399f3f64832

SHA512
22587d53a2389fa2d9f79c5081875c349fa27458e9f6e0dca9313b97b834e9afb86788953852f2fd68d1a7a7891054776b863200d8d5be039b20b6a0ac70bad2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
c90140d8d24ab9d191fff6ee10ac8324

SHA1
e047ee6a73e508c584c6b66f306573c82ed44ef0

SHA256
6746006210f3a8b215367e9669a0dfd34c46454bc083deff9569f2ad727c6f6c

SHA512
c707dad294390ea7b81be989c3d3f7353b6caf30d9fa51919b68ecda966360e9727e965f0dcb583ee5e940ac7119c6b8ae548569dcc9008ec6021f93c5df8d16

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
50KB

MD5
dae65c70d4c7375cca134f1ff25d3ae1

SHA1
f4d5c0e6958a488b4e50b7604ab29e12d57e0fc0

SHA256
f517f33b825e807d60ad54cd31eb6358c4f0addc68df650fbd89d5e33973e303

SHA512
987a42e34beacf4870a16754028b1f1ad117d0b56355bc2d40626bd95b2a085b3a1ee01f471a32545dad061b5e269fd9ca8eff5f033d3b4e5847073dc65499bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
be5475106491ed8187bb8c4b9417a712

SHA1
46765cc3c45e5345c0bb8221b50349a2f6faa1c9

SHA256
14e3ead0d97d41d59f099a0edbbadb89434cf468f4cc7029eaedb87b1ba58f7d

SHA512
7abd37bad3f86f07df5208ffd5d7c3dac854654b3fac3ffc76f555166a726f191eb0f286b5157646a908fc143b47bdcc5b15767c1159d04fe25caa80c118b9db

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
65KB

MD5
3cf1861a2b73643c8bf6787ea2900349

SHA1
948ca9f4d594c4b8548ce422f3031b612a356493

SHA256
251a3f6f09a5652bf5e336decc723012bdc9933a71160d77af182a2cae6952c0

SHA512
83ac20de260d0a38bc4e916dfb10f70006f3cd237d8b94eaf09bb7401bbdef27d07416643c41f53cee28975de36bafc6146f516d3ae8bf9b1be280fe7bfe85a2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
138KB

MD5
863caeb08ad417a6ecc1924c65478738

SHA1
bb6a17436eb892ddddec4664f603533758f28405

SHA256
707c02041ee684c83dd8890756c4d3dc1b6cbeabc396bd165e6252b8de8e4734

SHA512
9c85192333352cb6634a495608021274ef7cc6e6d564dee834fce69047d7d2f534e8bb025794806877a8da6e7d85722cd9ad7719953a150d9e6a86339de01ff1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
46KB

MD5
a24c088d7d1f93e23d6b0c937b98d7bb

SHA1
07f26922bad8887d90824ae212855809e942475c

SHA256
9e85822e9928e6caafca7be65461872eeefb828e91be76c42754e4749d76d6a2

SHA512
51158bb503f9adaff989ca0eb5009bd054138e3e347c83b7cb730afe259550546893932bb9c71ea3d9e87c0e90ce1fed97b9d23c97647055f846599c241f233e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
41KB

MD5
19e2f38f5d8b478e25cc79cae1f05064

SHA1
4e7680bc74ee5a7c28da5a22b8ffddf7fb58b58c

SHA256
9198c37f395f7bb33da3590af37011924f9deda7dc40c30d994fd3c1b9378da3

SHA512
31180289324f0304b71454ca26c7c2ac2ef828c257edf4d4943e4e22af5543878c944c4d97f476f3a6164824b09c35c15e008932fe7fc5d5d71d890f2750fadc

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
258KB

MD5
5ae9926dfff08583dfc4b26a21b393f4

SHA1
06fef978088e14a997e7fe3077daec03fe6ffe58

SHA256
5985d7ef5b6db88f749ffdb3fae5047c9647e64e5456ae46f26a4cc8c48ee9e1

SHA512
a8cd64e47c85099d60dd326073a622ec5d02ed40b3f36d1e27a6a98895742a8876254fae147a16aaa33265cabc0e3ed32aa9c63ce83dadc5ea83e46e382ae388

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
103KB

MD5
32e57eed019e22fd69ce57713fccb5ba

SHA1
244d22706f0e5fce12dec1944b6e7df338d9bd1e

SHA256
224947acc5657fc0e936263ad5a5ea937c1a18e64be2ff4c57769860616348a1

SHA512
7eddee711afd329e9a6d485110893391f0e8d2efbf12b19aa5f17ed874d11a3fd0f6b61675ca656f06164376668bf5a71eeb2cd4b74aac954b28c4ad381669eb

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
152KB

MD5
20bf27594d91e20b1db9bd699a716ad5

SHA1
f4b1f89e8b9ea46b484ea4d5b789612e67420cb7

SHA256
662e755bb5f2f9acad11b354dfccaf4b00ade316b48ba8e54ead51c932761258

SHA512
67648cdcc0f5da55635c4ef85738e206a4b26ee05bbe327bbe3003e38dbb4aeff717b6380adeabdeda7f93ae4b47a1342ea5919553c67364f97b8d492059e502

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
117KB

MD5
6c33e0309297790323390da112dfa823

SHA1
99e4312998caecdf6b6bbd52fc42178d6b59795f

SHA256
0e2c42cb060fdba331e1e04407d37b2733185e83ec59243d8ae366d16374b0a5

SHA512
1698e7a084a061759614f75b152c41e6750717232d5113e3b6404547fe821f7f63eb70012e57fb6415b53cdb6d3173f044f3e53fdbec2a2727e36a244def428f

Download Submit
C:\Windows\System32\vds.exe

Filesize
103KB

MD5
8d11ed4c7b32cf45517b9f70f8369dc9

SHA1
00e627a654a3fd5a98839be0293cf3b5ee032b39

SHA256
7fe7a40baf88fc4b4164f641385ef22d86858e7dc28120a343a334eed806770e

SHA512
847eb46e12baac4cd79a01f74078242565b436b9121b166fa630b682683dfe02585b3dc13b1f30a933b2e97b66f29dfec845975626cc5fd1ee967a5ca3e92618

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1KB

MD5
19978333328ad1dbd707d2015ba17978

SHA1
91d8c1fa69c28c1d474caad1ea337b94140763f2

SHA256
991aa856623e1607926fe3f746809961197f580f080dacf184689a5e07b03736

SHA512
06294376473aa77368290309a32ce1100447046ce1a9f4fdc781af2e8be277214a14accb9c96d30f31b0807e04ff1cce7aa8dd8df014fe8ba1e2a2b4808e3a93

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1KB

MD5
7ba5ecbb0c328f23eb8234db79b39908

SHA1
948338d86f556fc1495df0e06cf4d4d0a9bafdf7

SHA256
8afa589cf9d3610193671e9eb1702961896aa6cc5fbb198289d15baa2bf3015c

SHA512
7cc5ba61cce149431098223ba124da0dc34a079a26af7e2e38c1e01c905b5c34bb27f52140808cea302d638379f0a2648344e1ebf30f6089bfae263e21afe5a4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\24b4805c141426b0fc65f15f30aff1d4\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
1470cfad13c6f88d957ac9f3b73de9b2

SHA1
6f4d54cb2ff2fa3764936c43b92fd3e313c0a877

SHA256
857ad997562cf6b40648c3be9c3a9377f1833f44e5326c8fbc8939060318fe92

SHA512
a6c34dcca249e7cbfde62bf204542a66d5c88756c320bf2438ea7529baa7a56f5b160a7ed37d56f04599f641c2e7476c428469b19410b6666758606a16bbb31c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c0e67e7ef4fdfc6b88ce2a1b9491fe25\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
a401be2081f90b100550494bb5add3e1

SHA1
9fc3397c6c74f96be79e86d05e72a7143c7558af

SHA256
01e14f3636e64f806ac0e9f38b3a492826df26b5529982816bb9e9d6c792311a

SHA512
ddc52179976fb6959fc8a7967379e847dece5e9084f906e80409a1329a52b0a6cd8a0e50499116c617462fdd829be0ac99cb6ceb8df3f5a5d9bbe17871c29b5e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
311KB

MD5
2dd8eb322c4290519130aed7e570fd9d

SHA1
99b28cf18ec7fcc15f8d61b356a5c94af13d8bf2

SHA256
3b0c581cc70b2f5fdedf77c0b4418a4dd24268aa2c4444758410259f3c649bce

SHA512
4e3dcd15b7614e9c3b591aa4cb5fc6f4ace5704dda88b56e586e4061677eb94d7c8a64fbea356091ad40ee3ab6c8b44f488a46fcae026a56384aadc6c1306568

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
149KB

MD5
c905f503d3d8fd6bf9cf65f568b31a0f

SHA1
6ba7230172fcb2461e5957666e109eaedf4889db

SHA256
a8fefb23ed0d302e349d0db616713c018fdf02dc145a989591c69f43eb2b6b71

SHA512
2ce57d5eb0a9511b235e10ae9a246221cbd6eef47454ee8f5a773850246fc13753fb268ec721dbef79c56e91cb6bc2419d3da8088fa8780b906387f72ac8b3fb

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2KB

MD5
cf252fa5d2add7cadceb9de147da5f38

SHA1
4c4d152ca621dc186d39357c27b1de7324f7cca8

SHA256
559cf8e11d6f028d52c19e285c21d25d1e3ceb7cca1b5f5c2637751e930087bf

SHA512
77b5f2196b2a18a1a28dcc54c57d8b08e5cc0de0796328b9a6611db5d21a2eed2899f1d8294858b04714093582a063b18a4f9c83881ab0d56452f4822be84b8b

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
181KB

MD5
286549dbee3edf79e9218f87d1bf0212

SHA1
42da18a205e9ec73c9315a2636b5b71642388990

SHA256
79c8250e1b87d4c12736f16b4b8077bf76fba9f807e1da569b5e19d0b20260de

SHA512
67b10e02588ed0272ae7bbdef963c0e1d9596a1bfbb8e6488f1eeb227e651b74be5f4270656e45e3615909c01f919053f01c7055eaa873d3dd04c9a3094979e3

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
113KB

MD5
5b72b7bc79acf10c5803f3d755053d23

SHA1
cce9370497428269c9062daca1debdf0b649b0a5

SHA256
28e7dc706bbf2d029e086785347e38e3b60b3e8c03b6c1b3abe414973adb2eec

SHA512
fdef78cf9ceeb28d7078cc925412b1a5bc5caef9464b81a5338e35277102187f1405855c1aecb65e9c99cb982bb4a3b8b1b56e6b783fd5fda5ff7bcec50c2571

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
682fb222a1faf5bcc72ea818931c7e7a

SHA1
a6da09b0de4c012912b79eeb2fe69547ee080021

SHA256
2e92e1e59ebee589bda7a612ad84c4cd34acd72bc3fe7da2ea52c3e047f93008

SHA512
7ae37b00eb6d97ff3f1f4c632e7c02eb50fc082bfde30241cdc3f667519c1686fc0b2bcea3c355d3a99199621978c90ed3f114b2c9183fc17da39207ac87afbb

Download Submit
\Windows\System32\Locator.exe

Filesize
176KB

MD5
42788b7d4ff999176c615068113deeb4

SHA1
c457e0eed89dc60dd8d47e626a0c7afe5a08c0ce

SHA256
5db9df9b7a3467a0dbaded58c440c3c3984d2461b6c7f5949ab3ea035c50ec54

SHA512
a6489a010383134e02578d90ef4580831441f1919f4dc5ba2efb377466813be64592e1e91346adcca2c3bb2618465c4ca5f65461273ad00f4ad3aa08345c3932

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
2b253c542579693fe5524f6584218cdd

SHA1
2c21eb17b5c27cf2327ca0d32b58e80dccda9f53

SHA256
d7f74e853ea393a31f59c5374fe7943df2cb2a977e105f85d253a63b12d0df0f

SHA512
cc392b9ef7e32800a90f9dfcda064466bd1bce035dff45c2482e4dfcbdda7272d62af93202e9b886346ddd835337ed13462fe474eb2b955138133c969de84140

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
246KB

MD5
58cc59a63c7fcedcbabfca48ce0f7f48

SHA1
9cef91d9eee124c1368a769c87a52bd44a514963

SHA256
9cc183d453b3e446ea2d48397423d8bad918393d317114a26a1dfe38c7984830

SHA512
96d2562b1f48b2008f389407779a2253c92fa6ab4f9ca3786602e18e4e6d9df71f90851e8702ed3a52c80d13b13935e5762a577c42e4a863465c8ebccc2137fa

Download Submit
\Windows\System32\msdtc.exe

Filesize
275KB

MD5
284e3f1b7ca9800d41134cbfee04f960

SHA1
7fe3623d2d4363006a039d1d9c24af96fd6dadec

SHA256
86c579a96790fe736683822759bbdbe723ee45ab55de4e6df7fc54c4a2d1c231

SHA512
99c78829bd6588e78c46c1419199bbffa88b823708270c88b63096cd8f11f9faeca28f4ddb1b43e61929f3321bf0191b286c5a8c2b344ca97cce094f751cd2c1

Download Submit
\Windows\System32\msiexec.exe

Filesize
340KB

MD5
5d873447a616c741a5e73ec4d419c47a

SHA1
46dd73cd39dab13aa0f91f56abc4f56fad88ec5d

SHA256
c3b9c04f95355d6bd1d1e5072097e23983f6fb9ba4626cbaa5812cf7885b0650

SHA512
21c2d3334d6bdbd034bd4b1af977dd813c8b568ab2a3268cfd8c159c57ba82bdd3b28641a95eadc7b7dcfa4dbf680fcd0d0e6d7124592ffccdf94ebd2ef638f7

Download Submit
\Windows\System32\msiexec.exe

Filesize
347KB

MD5
f7680496b3c7df233db669331a461807

SHA1
612b55c6b89644a5d44fb0e147bac3bb710a46d5

SHA256
21087b34d908236b98526761aaf5e91955d6355e1de589a287c41949cd17a5f7

SHA512
fef48e47faf9051fbe5e1d40d6d2cca91281b932d291bc36d44f1e039b6d171a0be96d8b3038290d96ffc846ab83a5c5549066b5f6b780c7c21473b1f9cd2741

Download Submit
\Windows\System32\snmptrap.exe

Filesize
58KB

MD5
b3e6c2a3abcf05fc251b0c4e374c1be9

SHA1
c173d2b58556d6162a2c01037a2dc07765700cb2

SHA256
7cc343097ed8f6a90a95d4ea12a31011ebbde3c9c190b1fc66a03b8007afaa0d

SHA512
490fa37f13abf356ae5bbb51a82a1795d3704d5d39c8193030a48ca7bf3418e0d3a1fd17f018198506c0247557750b189381e0d6ff71335611cfd44bbfeac00b

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
104KB

MD5
2659a0fb97c1cb3af4908127d2808932

SHA1
ea7621a502b0c20f27f90a7b639305731c784abe

SHA256
537bba129d13a34f13833256f992a3be8994e34c38c8d64c52cd85daf1a208ae

SHA512
ec219b949eefd38e2377a370100f3f555ad5ba1e8d637af9b8e4db8420faa85520c2d549fcbc229d6253c37872baf9e4948520a015abb08267cf3e12c90d4a4d

Download Submit
\Windows\System32\wbengine.exe

Filesize
38KB

MD5
887f664e8414cc3971f5fbbee18d8259

SHA1
0e6f864899a00f25eea4f81c2a55e499d282ffa5

SHA256
df9ea7fd64df887bca3ec708daa22f01228187d32b05acefcaa49e9ff44ec72c

SHA512
5257163c61859ed9773e6b2ff92a2f3dc465d86f094ad110ba213cd7915bfd51d8814929a961d07dd63a9e66cc2c21e2dc30fc0df59100ee7759403197b1b99b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
441KB

MD5
997e4d95c451996868b1213ecd20ff59

SHA1
837095b00ae7a01c14246dc0cb777b4a7dcaaecd

SHA256
cb8b5078944ca24d34cf7d41f599cb1daae96b5c635f712201cb779d970edd86

SHA512
a18ffd8b567cee0430f9cdb18322b6059bd0e1e970eeccb65e6f2db3f94b2b453ead77894656636ccf554c1731370ba3161c9d0a43f728ccf564203ff82ce881

Download Submit
\Windows\ehome\ehsched.exe

Filesize
128KB

MD5
63533d02350b3e54655bb866fe7c637c

SHA1
7b7efd10bd0e32b7783ea62544379be4633d9b18

SHA256
0790fd796246b292b8c0b0dc6b7b4635472ff29947972ba32afb27f180c7b86b

SHA512
dd244d3735b59a18d26e46699b6b502234944937d871d14abe6b1d9a47a30ea5969806d92973095de8a82902a9094fa62d4f1edf3b74ba9daaa40b23c5a70b9b

Download Submit
memory/944-1-0x0000000000400000-0x0000000000991000-memory.dmp

Filesize
5.6MB

Download
memory/944-6-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/944-7-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/944-70-0x0000000000400000-0x0000000000991000-memory.dmp

Filesize
5.6MB

Download
memory/944-0-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/1228-581-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/1228-568-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1352-526-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/1352-524-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1584-383-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-350-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1584-345-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-382-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/1584-355-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-88-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2068-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2204-558-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2216-517-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-381-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2216-359-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2216-385-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-518-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2276-473-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2276-452-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2276-578-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2396-570-0x0000000000410000-0x00000000004C2000-memory.dmp

Filesize
712KB

Download
memory/2396-564-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2496-555-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2496-547-0x0000000001020000-0x0000000001080000-memory.dmp

Filesize
384KB

Download
memory/2496-538-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2496-553-0x0000000001020000-0x0000000001080000-memory.dmp

Filesize
384KB

Download
memory/2504-478-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2544-52-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2544-47-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2544-45-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2544-93-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2656-529-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-537-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2656-554-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-68-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2720-261-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2720-63-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2720-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-18-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2740-24-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2740-100-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2740-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2756-572-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/2756-504-0x000007FEF4170000-0x000007FEF4B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-507-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/2756-516-0x000007FEF4170000-0x000007FEF4B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-585-0x000007FEF4170000-0x000007FEF4B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-263-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/2772-338-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-353-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-352-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2772-254-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-343-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2828-80-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2828-82-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2828-87-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2864-354-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-126-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2864-449-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2864-102-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-101-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2864-109-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2908-533-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2908-531-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2908-528-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-548-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2916-75-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2916-30-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2916-35-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/3040-379-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3040-116-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/3040-115-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3040-122-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download