a684f379b1c2616c0ed2bb2f02c3d35b593c28fa0fc184adafd4f08bf70c32f7

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Size

24.3MB
MD5

9c1292a2bfebc5711f00613abd160989
SHA1

d915dc3b341075f71bd189569fb9348c4804a3e9
SHA256

a684f379b1c2616c0ed2bb2f02c3d35b593c28fa0fc184adafd4f08bf70c32f7
SHA512

5f10c2e8ded0563f93d978f02390654a615ecc01b52e1b3b1f0fcb854790f32d6283a07acc7f7ba5238697f82b2466cea9becd42d2c688b4e8b998cbe90bb19d
SSDEEP

196608:FP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018i:FPboGX8a/jWWu3cq2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2624	alg.exe
2640	aspnet_state.exe
2364	mscorsvw.exe
2108	mscorsvw.exe
2648	mscorsvw.exe
1040	mscorsvw.exe
668	dllhost.exe
2004	ehRecvr.exe
1968	ehsched.exe
1540	elevation_service.exe
2128	mscorsvw.exe
1660	IEEtwCollector.exe
2168	GROOVE.EXE
1612	maintenanceservice.exe
1616	mscorsvw.exe
1936	msdtc.exe
2364	msiexec.exe
2180	OSE.EXE
1536	OSPPSVC.EXE
2952	perfhost.exe
2792	locator.exe
2852	snmptrap.exe
2620	vds.exe
2896	mscorsvw.exe
2428	vssvc.exe
1044	wbengine.exe
3044	WmiApSrv.exe
2496	wmpnetwk.exe
2672	SearchIndexer.exe
1864	mscorsvw.exe
2480	mscorsvw.exe
2544	mscorsvw.exe
2188	mscorsvw.exe
1372	mscorsvw.exe
2308	mscorsvw.exe
476	mscorsvw.exe
2468	mscorsvw.exe
2576	mscorsvw.exe
1580	mscorsvw.exe
1776	mscorsvw.exe
1372	mscorsvw.exe
2888	mscorsvw.exe
476	mscorsvw.exe
2940	mscorsvw.exe
1200	mscorsvw.exe
2748	mscorsvw.exe
2612	mscorsvw.exe
2704	mscorsvw.exe
2196	mscorsvw.exe
1236	mscorsvw.exe
1684	mscorsvw.exe
1156	mscorsvw.exe
1508	mscorsvw.exe
2456	mscorsvw.exe
1056	mscorsvw.exe
240	mscorsvw.exe
1552	mscorsvw.exe
1508	mscorsvw.exe
1236	mscorsvw.exe
1272	mscorsvw.exe
1916	mscorsvw.exe
1616	mscorsvw.exe
1156	mscorsvw.exe

Loads dropped DLL 49 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2364	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found
240	mscorsvw.exe
240	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
1272	mscorsvw.exe
1272	mscorsvw.exe
1616	mscorsvw.exe
1616	mscorsvw.exe
688	mscorsvw.exe
688	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
1764	mscorsvw.exe
1764	mscorsvw.exe
844	mscorsvw.exe
844	mscorsvw.exe
984	mscorsvw.exe
984	mscorsvw.exe
368	mscorsvw.exe
368	mscorsvw.exe
1236	mscorsvw.exe
1236	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
952	mscorsvw.exe
952	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
368	mscorsvw.exe
368	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6150d9484501ed38.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7CE.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2A0.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{81409CD6-2204-41DA-BCC1-EFEE350451FB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1AE0.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4875.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP77BF.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP280A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000601ae8e26a87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1516	ehRec.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: 33	2360	EhTray.exe
Token: SeIncBasePriorityPrivilege	2360	EhTray.exe
Token: SeDebugPrivilege	1516	ehRec.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeRestorePrivilege	2364	msiexec.exe
Token: SeTakeOwnershipPrivilege	2364	msiexec.exe
Token: SeSecurityPrivilege	2364	msiexec.exe
Token: 33	2360	EhTray.exe
Token: SeIncBasePriorityPrivilege	2360	EhTray.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeBackupPrivilege	1044	wbengine.exe
Token: SeRestorePrivilege	1044	wbengine.exe
Token: SeSecurityPrivilege	1044	wbengine.exe
Token: 33	2496	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2496	wmpnetwk.exe
Token: SeManageVolumePrivilege	2672	SearchIndexer.exe
Token: 33	2672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2672	SearchIndexer.exe
Token: SeDebugPrivilege	1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1948	2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2360	EhTray.exe
2360	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2360	EhTray.exe
2360	EhTray.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1352	SearchProtocolHost.exe
1352	SearchProtocolHost.exe
1352	SearchProtocolHost.exe
1352	SearchProtocolHost.exe
1352	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1456	SearchProtocolHost.exe
1352	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2128	1040	mscorsvw.exe	39
PID 1040 wrote to memory of 2128	1040	mscorsvw.exe	39
PID 1040 wrote to memory of 2128	1040	mscorsvw.exe	39
PID 1040 wrote to memory of 1616	1040	mscorsvw.exe	45
PID 1040 wrote to memory of 1616	1040	mscorsvw.exe	45
PID 1040 wrote to memory of 1616	1040	mscorsvw.exe	45
PID 2648 wrote to memory of 2896	2648	mscorsvw.exe	54
PID 2648 wrote to memory of 2896	2648	mscorsvw.exe	54
PID 2648 wrote to memory of 2896	2648	mscorsvw.exe	54
PID 2648 wrote to memory of 2896	2648	mscorsvw.exe	54
PID 2672 wrote to memory of 1352	2672	SearchIndexer.exe	62
PID 2672 wrote to memory of 1352	2672	SearchIndexer.exe	62
PID 2672 wrote to memory of 1352	2672	SearchIndexer.exe	62
PID 2672 wrote to memory of 2832	2672	SearchIndexer.exe	63
PID 2672 wrote to memory of 2832	2672	SearchIndexer.exe	63
PID 2672 wrote to memory of 2832	2672	SearchIndexer.exe	63
PID 2648 wrote to memory of 1864	2648	mscorsvw.exe	64
PID 2648 wrote to memory of 1864	2648	mscorsvw.exe	64
PID 2648 wrote to memory of 1864	2648	mscorsvw.exe	64
PID 2648 wrote to memory of 1864	2648	mscorsvw.exe	64
PID 2648 wrote to memory of 2480	2648	mscorsvw.exe	65
PID 2648 wrote to memory of 2480	2648	mscorsvw.exe	65
PID 2648 wrote to memory of 2480	2648	mscorsvw.exe	65
PID 2648 wrote to memory of 2480	2648	mscorsvw.exe	65
PID 2648 wrote to memory of 2544	2648	mscorsvw.exe	66
PID 2648 wrote to memory of 2544	2648	mscorsvw.exe	66
PID 2648 wrote to memory of 2544	2648	mscorsvw.exe	66
PID 2648 wrote to memory of 2544	2648	mscorsvw.exe	66
PID 2648 wrote to memory of 2188	2648	mscorsvw.exe	67
PID 2648 wrote to memory of 2188	2648	mscorsvw.exe	67
PID 2648 wrote to memory of 2188	2648	mscorsvw.exe	67
PID 2648 wrote to memory of 2188	2648	mscorsvw.exe	67
PID 2648 wrote to memory of 1372	2648	mscorsvw.exe	76
PID 2648 wrote to memory of 1372	2648	mscorsvw.exe	76
PID 2648 wrote to memory of 1372	2648	mscorsvw.exe	76
PID 2648 wrote to memory of 1372	2648	mscorsvw.exe	76
PID 2648 wrote to memory of 2308	2648	mscorsvw.exe	69
PID 2648 wrote to memory of 2308	2648	mscorsvw.exe	69
PID 2648 wrote to memory of 2308	2648	mscorsvw.exe	69
PID 2648 wrote to memory of 2308	2648	mscorsvw.exe	69
PID 2672 wrote to memory of 1456	2672	SearchIndexer.exe	70
PID 2672 wrote to memory of 1456	2672	SearchIndexer.exe	70
PID 2672 wrote to memory of 1456	2672	SearchIndexer.exe	70
PID 2648 wrote to memory of 476	2648	mscorsvw.exe	78
PID 2648 wrote to memory of 476	2648	mscorsvw.exe	78
PID 2648 wrote to memory of 476	2648	mscorsvw.exe	78
PID 2648 wrote to memory of 476	2648	mscorsvw.exe	78
PID 2648 wrote to memory of 2468	2648	mscorsvw.exe	72
PID 2648 wrote to memory of 2468	2648	mscorsvw.exe	72
PID 2648 wrote to memory of 2468	2648	mscorsvw.exe	72
PID 2648 wrote to memory of 2468	2648	mscorsvw.exe	72
PID 2648 wrote to memory of 2576	2648	mscorsvw.exe	73
PID 2648 wrote to memory of 2576	2648	mscorsvw.exe	73
PID 2648 wrote to memory of 2576	2648	mscorsvw.exe	73
PID 2648 wrote to memory of 2576	2648	mscorsvw.exe	73
PID 2648 wrote to memory of 1580	2648	mscorsvw.exe	74
PID 2648 wrote to memory of 1580	2648	mscorsvw.exe	74
PID 2648 wrote to memory of 1580	2648	mscorsvw.exe	74
PID 2648 wrote to memory of 1580	2648	mscorsvw.exe	74
PID 2648 wrote to memory of 1776	2648	mscorsvw.exe	75
PID 2648 wrote to memory of 1776	2648	mscorsvw.exe	75
PID 2648 wrote to memory of 1776	2648	mscorsvw.exe	75
PID 2648 wrote to memory of 1776	2648	mscorsvw.exe	75
PID 2648 wrote to memory of 1372	2648	mscorsvw.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2364

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 268 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 2a0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 1f0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 218 -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 258 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 230 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 1e4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 1b0 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 218 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1b0 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 27c -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1b0 -NGENProcess 22c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 230 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 22c -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 294 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 290 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  PID:1116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 29c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 230 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2ac -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b8 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 28c -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 28c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2dc -NGENProcess 2bc -Pipe 108 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 28c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 2e8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 104 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 2d4 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 104 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2f4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1852

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:668

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2004

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2360

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2180

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2832
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
560b45909b5b11cc5ea7de2bded3ca75

SHA1
bff4bf0c7c3a931415a9ffe766ed0bff98e3e026

SHA256
09006d75dfa278c5b28f8d39ae9472c78041ac3d8b889045bdbe5b2e433a37d3

SHA512
3078e100fa9315a9766b7795daa970b48e6f9a926a7bce557d75a359bfae33852c913d144b897a3a7ac0a64bd9a56ab4a669e7cc9328ac522d52bc5889a48e0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
15e424d91297bf7a3026299debe4c8d1

SHA1
d72634c95e76d5d934e6e8a54ff4b070dc041daf

SHA256
8ecae3247fbf9d27250f6f8627a278719a73130f833d4c66bc536e21367b6ca1

SHA512
3c537d2adb49957969dfd89aec541b6165c9cd792207874fc40c040faa05eaaf19ad885935a2e523d70a87441e48067501139f26c61eaa1df4df6b316099f10c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
9af9bdfee05f0df67d1088c395fdd300

SHA1
1fc61f1a4d37e9f40f6ff77f93fefb123050579e

SHA256
e2f98fef12c79706ccecb7b0f33999886a368f0a3f38c6e7ac77d4b6e294af7b

SHA512
e41c05831cb894c90491e91043ddccd205f81c735942e0195d98ca9b2d74e2447b073301b40468cbfd3424eef5c9a74073f138941f8bd5fd40fa01c650cf21e9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
dbe39354b4ab3d2789c58e43400240ec

SHA1
96970afa2146e7c43dddae9234432e2371530d06

SHA256
955d165679215c985707e9ad28599db09af80ddf140e869da21d72c07b3ee996

SHA512
ef924b48f1d0b22aad4c911ff4abcd1b9d4d18cebd3794930634f528a30442deb366f61286309e5d90ad463470a4c5cfcf446958bf5cc6950b53dd9012f5d012

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4d0c73c8554a169da14c3350d7c66781

SHA1
609f694d481f303b0e9ac7b8f2ac87c3605f708d

SHA256
d3f70c9d0635c39750ec60ec4a01440b3e089bf75099955d4f401abc7a648055

SHA512
6097cd36fe0999702ce4d30e44eb3a111001539a75d09424196739d9f64552e97ddd13745c7909b6b3cc1699af6ee037efef147c55f19533b04fe4f5c475b1cd

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
40077e58c61fad92519e140e0dc34022

SHA1
2cce66177530344f88e37eb84f0043be701bf444

SHA256
6e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0

SHA512
20e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
78def10ee6f7e7a3e5a1a8b1d75b6b2f

SHA1
a1a58ae2a3c222be7d477e0c5ac0dc1f0370d98c

SHA256
cf629b1075b36f2fa1ffa2355149e78c244bf72e32a5e4d1c04d37a28332c04a

SHA512
19ef9da5c33bc004260e2bf88ec6301f307261c82f6978a5e91db61cac8e9969562b4a87362ef94222225a2459cbed60c9738f46b6769ea4e17a9c19f20c1159

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
a9b6097161e7cc59d6052312349cb804

SHA1
bf924b1b99847dd4e33a93bee78602343ea1c900

SHA256
11c53f588d59707a932304444ea97e09c9b6cea3dfca3ae09085ad7d2fe7afa1

SHA512
d6dc5ac1d8ffd4b5149aa271beb8e458ecc30d9e519ab7cc2ada1480781a72377a6faf2612049dcf6a17ab1d371c5d6172f3dc44c2ab517bae1a0fc7ea08cd0a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
41daadb62455fa6e775ef4c0a8599f46

SHA1
57a081c16978cbf39f2f76fae3dd94a0a3e870d4

SHA256
823691f11073d6b667248c5287b009c25d8dbb07847e1a2ef52322be8060c74f

SHA512
f24320404a83bf0d2449ad6b1a1287492cff6bcfc2d81d95a4345293ef893e259418f790926f5929b6a999615f85ec9c79fec711b7b484e2ccf41a106bb85858

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2abc39fad78d0f3b909cba82a880626a

SHA1
2884e3fca27cabb53b28cddfd3210d95923cd44d

SHA256
f65b5f4f9dd79a7c6f680e978570725771e3cdfd65cfcd87645d7a2dd8763776

SHA512
87aa6013cfb69d736dde638f2019e871887cdb70317b4aea011f269a616ba90fee35fa2e6fc795011ea99756876becc6b88d2cb29f2229f10ad2ccae8f157dce

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a3ccdb90beab389a428552194ddc1026

SHA1
eb94a08a8baaeef5fb754ce4fee73d8e03a1f286

SHA256
fe6d1189cb103801197e354c47ef7fad1db2f42814e8a1ae31ac9c5bedcf4044

SHA512
affeb4525e5e6b6683cce124c4fea4519e4ee690e209e9553766435104811557360177f07c9a203837a7df81c7718b0a031c63c4316be877fbc13ad108a15303

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
4d387bb7be286577c6c820ae8a9f0373

SHA1
0de5a529a0a947281a767a194e51ca1fb8e61404

SHA256
6a4345d265c15557ede5b788d96fd8ec3be044fde2572cecc07d18d6cfaac20b

SHA512
718bf6de6b2f98948d5388a45e0df91dce2b626f01ccda53f13e07f3a2e645abfbe90c1c61d49f69183650cc3e5957ff10a356c925381d0be528b91cdee2dd23

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
607b8ac628fb29b002e4719c64c5ebac

SHA1
de0834762503741b2e7b50f0b32cd6fbdd5d8806

SHA256
05cad3712981e49395aaaa3be517969bea1c546ee84ecdd9c3060e630c8a41b8

SHA512
0f290d504a2a8bc2eb57813709f0589e0fbe484afac8a7f40163f7dde455fa35763ae56f6b5a96428003a8d7af874c88eae2c3046045712704cef328e34bfdc6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
3637b45b568b0199c665b784c01bb023

SHA1
7809ae6550fde85852c5b6b45560109193f06185

SHA256
27bd51404d2226e5fad6e5b1780d9d9b9245584032d19fb8f8091cd9647323f8

SHA512
42fbafcc012ded493e970339212b22ee28333423121b605bd6d783754425e6ebe9128f15c0341ac5d3ba49cf25586ce71c0fc82508c385d381671a7a5d768421

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
42324e829b9f576914307940bf800c88

SHA1
aa79c36abf8a43e386d1a47038d41459ab6739d4

SHA256
e0cffa3b77ba4eb08f7c1c92ce6f677e9ccef3e4ad72e83f2749d42c187e2c37

SHA512
ce10088146bf8613da1f458866f1d466363d509e34648252a93ecb99a6c1884d2f9ca69a5d12c358488d121e6359fbbe2a61a0d33a516b2d6014a342d0c569da

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
e948a61d72b30947b48f8d752c092d16

SHA1
5f2d771d07e92479d335b061a4c30cd28fd8fc17

SHA256
bb687546e777b495e06d215b5c3c70c49e626cce7431f21bc532585cb06298b6

SHA512
c8e757106a32dd1ba1a9b43b19dc43941f2918314e37b4c65a07e48ebaf853212fd8f553aac8c0aa5244791a86ab0f9875428b9a3739a3d0ec575ab379948a97

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
1a59579cec32a303322ae479d10d13b1

SHA1
89a0b03f89b2132acaae30bd18a7873db49f1118

SHA256
9bce23b2f1de44a1836b7b3029abde03d0b073520f31494d80d742d53b06c9fd

SHA512
8a22044fc52633ec38240d052308efe8244bef8558b645eb6833b246fbbbc6cd8ed1470f760d90c62b6cc2728fb9e3f6eff6bc7501d6680baa404f2d95b9a9ed

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
5a24a33f9acdc61b999679903444c447

SHA1
def86ed282834f9cf5675dddb5df143d129b77ac

SHA256
d11ca88bd9e10d1cce757d69d2bcbb90dc2062d757056836e44560668acffa43

SHA512
b9812e71c099b229425cf008a538ec57fa937ddaf2de9e78928433b21b10eb656b4453e197fbf3a010f472f8c25860f061dfff28bd90293c07ac831c4de0a7b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
8b6e068f8a7ee8397076fae0121859b0

SHA1
e89009a3cfa7f06d584a9b9040faecef4b5ff130

SHA256
132028e0c09220e0ae55492a4af9b1d75a228d359e0f9832e086d51cb2a1c878

SHA512
78dec8a1dbaedf3dc87b218e8ef64a5a8465c0adf6a52525454da901b1dbe4a8b4b3201723c9473c5b9ad6d0a7fb49023862cfec2c1ebb1834dbbc1a073474cf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
a5529ad8668fcc796031a41e857d7730

SHA1
ee5f4d9883169d842f6bc4a69b2d4c830a73e960

SHA256
6e5e50f78336cc2de863aa7d02a63b5e64cf8d1c68e1e667b9de3c8e83ee1851

SHA512
ca33c0c1e01fa4bb8516f5e080817f4033b1df80df03d3f6ebaec6351bfeb605a058449349d031135416cefd004fe1148c29b35aafba2fe5376ca5f3e1646c1d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\203454d533ad44357ec183c51feb1dc2\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
ccbae67eeb660cb61de3bd4568ed14ef

SHA1
fc6a27858333ad81c9a0123448ca162635464b8b

SHA256
a5209c1ca672f7a661a476faca1a3e3a6fac290ec1f230985a4a730dee537b8a

SHA512
2898e3152674d60f33a1b5672637a805bf69ec7f903b75df2c162e41592758e99520705c729f7a711f3827d1582538806e0047afb981e641539aff5754f1e498

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5358348d90c94eb87af40d384e9250a6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
d0062ae5106a50437b283af6602c0d05

SHA1
372dd95b396bff0a7ea0afe733aff88685c5fd68

SHA256
f0959c7257fdb2184e6c002e12d294ce1cf9a855eeae3c5b5dbeea5177c12a80

SHA512
a9efd4a76328e1120fa147f9e0d73848e07880f19b0f3363cf3ab9a4846be52d207f94b73f5b6996352ac6c2bf81b44158f30c9c234266bbf8d66f2700aa1941

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6cb0c7b655e422204a399cd81492f82f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
6b7d8af4d93abc5dd7a61a7e24e08f8a

SHA1
270413c35c165a187c43e003ea0ebbc7641f9129

SHA256
20bb09a00e6d6bff9aee4e4399bf7133991b919b918be7996a99d7d480910fc3

SHA512
5d295928580e2dca366eb709926f36a4939467442c6e54fee06b4968d660c91d06f233108e96b1fc131f66b89bed3d9f31c864b3829ac6ba28ea3eb63fbe3f63

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\898b154334d69e7ff554254ee9d466cf\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
5aebc8f127650c7b2512c8b38390d77b

SHA1
d23b5ef52e24bd245d29bf5d6854b56478e68593

SHA256
3055f712cce2297b35745c7c7afc986f42bc6d213fc0afec085aa7620d3693e9

SHA512
0286bd08ff74a7c00ada5762d488187d337afd069e127f44d83a38e11189cd0da230507d419b4b653ed436860439baffca44560c2388fec1121b8dee66e8dfba

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
6d4e1baf3745a974f86dc79b8ff68dcb

SHA1
002c7382951dbeeb13450f13ff275353ff355e47

SHA256
ae161616af0860ec081915cef04fb135473190629717078e09a1daecf93e684c

SHA512
8dd8ed9051e8e714cad5ec7c5895c6184305397a111d0dc04d57f98d95c9168c271b95e39f03bc941a1b7fbdfd089db14893575966fa7f1a7e943fbf15278551

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
13806a7922c4a2b7ba1140bb6ce4b794

SHA1
058022bd8aeecc2228a8a407d60da9c80ab0e872

SHA256
a49a669c33ec1333a15b380ecb57eae0631f016af65f72175ffb17d5a9867bcc

SHA512
0d95008d180f2d20ef9a8849b603f3109c987ef9e51957de7d633c6eeb1ddeb2ceb43306ae9903bf21e1ccfdfbf91c2b5f1ff1f3ff6af0d52fff3f6b8b715b13

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
ea28fdf9674f66378bfd8f12ef95ec43

SHA1
ca66af2ab80e1d152745016a0c3c02f82f4ac0af

SHA256
7be814f58c2e6a07ce6286355a7bfaa2b8417d1e1c8c890ff320a050c9df8e18

SHA512
259d02cf86c18dcb8dbe5a6efd2254d58938bc48483d755bd6ef68445e881b931a54b2550cfcf037ad2d47924f6541813cbdf9ca4f56e7a58ea241c8a1c92ff6

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
4ea79fd7273f0ebf074fa15885ab1a03

SHA1
09da67144dbed88f3c4d635371036ba0961cabd2

SHA256
03ec3eee6dd5361362586a668f5029480f63e9418d2e98b4b0cdce437576dd03

SHA512
9d1e80d6d1759cf8ad00f2e697eaffe3eeec3e30ca90b37e61e2135800c4eff057cb5818975de1110c8d695b5a40394279905addaf958b1976ddea64e6072f5b

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
39fa0d0f0c4fcb6d44881b6013008d4c

SHA1
691d1162559a0fcc7325c4517032c628b9df2d78

SHA256
417c7224ecb514c850ee17cc566fac80f809f01a3fa63d507f6ccca979ade1ad

SHA512
0a6dcc92748f9134bb9798391b84efc1bf712a7cbb815593ff6953b538cc12ba057ce7b31029b4ff0ff0b53708849f9685fae56cca647befa17bff0b002d905b

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
c193b51c85a511458bacda4c27e0fa85

SHA1
b3fad734a95b46e590225059d3faf6c9dc2c54de

SHA256
d78f779c41630e0315a4515c6e8db3ca4e9d77cf11afaab24c0200acfd5dec60

SHA512
abc92d622b28146a6b349eace3104ba12caaf72cc1434b58664d9b5f0f05ff754f10e7c932db3e2ec560096c0911916a0a2daedc4c560a0d827b842bf1bd1322

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
82915af8c4e3f2d58d8ae159ab717e17

SHA1
d21cb1944491b3d0210395a6db809a2f3f548a1a

SHA256
7c9179b5b5e5408dc3df13324fece9169b583d1cac2f3215ae6038f545d2432e

SHA512
1538d4d69a3f7c5555d298c5d16104917ae6a22216f3575d41b536a42a489b537052e296269f5de94d07b88cdbb5c257aa591da1fff04705246ab35c2fc89004

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
de0c423450df4135573ec3f7c3d010d1

SHA1
0e3a3b83c2f0b035fdc045bacb921d4defa00b82

SHA256
6c8c6ee55c74cc6e31863d5695fe7874d9d5a6e34380c43e67bfffda95def629

SHA512
26eda012d75c5137844d05af39acafd7cd9828edbe08adbac40a1d48d9dab478e18981cfa7f71328cec7ea3bd56cf25cd2eb9b0706a34c40853a00adc49fdcf6

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c6937ec1e4fab2707d524b323339d65b

SHA1
ad1f308e408c7f3b2e18ea6e8738bf13a16f79d2

SHA256
a3dd7b606e9c6d75697ee59e1a2be559e843be6f3742d7db2a24e4b72ff36995

SHA512
c6724c865355cb84722dece08c2623596001a823e9b9122ab017972e1cc93fa897de4e1a1f456417a8e91667290d3ae55f9a59707d7b3f22727a1e58a95d4fc2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
e3a7f305e5934f5ca058fce342f74608

SHA1
73924e90cfff7123b0577392982f6f2d8678d381

SHA256
6fba679b19b1aa01c68654e309f2f3c29ce7a1af02832748304d04594827d1ab

SHA512
2be085d680e63c6f603c39f7315c090418b06fc1908d0ea1516f59dd9e6be5e9aeb772f7305a07d65b1cc2a8e3eacc1087762b8e0d5f4361bbfcd5f920146edd

Download Submit
memory/668-95-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/668-101-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/668-93-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/668-165-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/668-100-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1040-72-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1040-151-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1040-74-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1040-81-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1516-279-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/1516-297-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/1516-285-0x000007FEF3300000-0x000007FEF3C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1516-277-0x000007FEF3300000-0x000007FEF3C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-296-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1536-294-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1540-140-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1540-153-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1612-227-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1612-225-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1616-246-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/1616-245-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1616-247-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-167-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1660-173-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1936-302-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1936-303-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1948-73-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1948-5-0x0000000003950000-0x00000000039B7000-memory.dmp

Filesize
412KB

Download
memory/1948-0-0x0000000003950000-0x00000000039B7000-memory.dmp

Filesize
412KB

Download
memory/1948-7-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1968-128-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1968-320-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1968-120-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1968-121-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2004-129-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2004-107-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2004-108-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2004-115-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2004-130-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2004-137-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2004-175-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2108-83-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2108-46-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2128-207-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2128-210-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2128-236-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-160-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2128-156-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2168-311-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2168-240-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2180-314-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2180-290-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2364-56-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2364-36-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2364-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2364-30-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2364-295-0x00000000003D0000-0x0000000000482000-memory.dmp

Filesize
712KB

Download
memory/2364-298-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2364-288-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2620-336-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2620-325-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2624-12-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2624-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2624-92-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2624-20-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2624-19-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2640-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2640-106-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2648-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2648-59-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2648-64-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2648-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2792-317-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2792-316-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2852-321-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2852-319-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/2952-301-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2952-300-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download