dcfa301a11aa0bab642b6191b08c9eaee6c0f65cf602ab48d54241870ddf7609

Analysis

max time kernel
114s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Size

4.7MB
MD5

9af471c6bb0c001f8296fb2ff15f0d9d
SHA1

96d4e9ab3338d25e3608e17de86ac03dacfa2a0d
SHA256

dcfa301a11aa0bab642b6191b08c9eaee6c0f65cf602ab48d54241870ddf7609
SHA512

5718b80a52c66c6529b77f45c9c7ffb18339619ec3a0a0fd8306313053f0cf4d93397bcece9d9a6b8881334e5c0638ebacc065e95b0d17bcfffd68e3a0320908
SSDEEP

98304:GJeV/ztZBeL1oiImuUiK9N9EGQKF9lSHbr7ar7QMvI:MS/hekmg4EpbrOfQ1

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (6135) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exemscorsvw.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
3032	alg.exe
2600	aspnet_state.exe
2568	mscorsvw.exe
2620	mscorsvw.exe
2988	mscorsvw.exe
2636	mscorsvw.exe
2764	ehRecvr.exe
112	ehsched.exe
1548	elevation_service.exe
2548	IEEtwCollector.exe
584	GROOVE.EXE
1532	maintenanceservice.exe
1016	msdtc.exe
3040	msiexec.exe
2016	OSE.EXE
1848	OSPPSVC.EXE
2700	perfhost.exe
2608	locator.exe
2516	snmptrap.exe
2104	vds.exe
1720	vssvc.exe
1836	wbengine.exe
1072	WmiApSrv.exe
2632	mscorsvw.exe
2168	wmpnetwk.exe
2460	SearchIndexer.exe
2772	mscorsvw.exe
2008	mscorsvw.exe
2560	mscorsvw.exe
2428	mscorsvw.exe
688	mscorsvw.exe
2712	mscorsvw.exe
2560	mscorsvw.exe
2976	mscorsvw.exe
2664	mscorsvw.exe
924	mscorsvw.exe
1388	mscorsvw.exe
2800	mscorsvw.exe
2432	mscorsvw.exe
1020	mscorsvw.exe
1752	mscorsvw.exe
2864	mscorsvw.exe
1908	mscorsvw.exe
1408	mscorsvw.exe
2424	mscorsvw.exe
1384	mscorsvw.exe
2164	mscorsvw.exe
1964	mscorsvw.exe
1692	mscorsvw.exe
1892	mscorsvw.exe
3484	dllhost.exe
3096	mscorsvw.exe
4008	mscorsvw.exe
3552	mscorsvw.exe
1224	mscorsvw.exe
3568	mscorsvw.exe
2588	mscorsvw.exe
3796	mscorsvw.exe
3688	mscorsvw.exe
796	mscorsvw.exe
3184	mscorsvw.exe
3772	mscorsvw.exe
3340	mscorsvw.exe

Loads dropped DLL 64 IoCs

Processes:

msiexec.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

pid	process
476
476
476
476
476
476
476
3040	msiexec.exe
476
476
476
476
476
756
476
3452	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
3568	mscorsvw.exe
3568	mscorsvw.exe
3796	mscorsvw.exe
3796	mscorsvw.exe
796	mscorsvw.exe
796	mscorsvw.exe
3772	mscorsvw.exe
3772	mscorsvw.exe
1676	mscorsvw.exe
1676	mscorsvw.exe
3332	mscorsvw.exe
3332	mscorsvw.exe
2076	mscorsvw.exe
2076	mscorsvw.exe
3872	mscorsvw.exe
3872	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
4008	mscorsvw.exe
4008	mscorsvw.exe
3544	mscorsvw.exe
3544	mscorsvw.exe
3716	mscorsvw.exe
3716	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
988	mscorsvw.exe
988	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
3224	mscorsvw.exe
3224	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exemsdtc.exeSearchProtocolHost.exeGROOVE.EXEalg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d2c9781f43e3c333.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7ADE9966-696F-4996-9E1A-1D7786573DA1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9CFB.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCEF3.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP978E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA1EA.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exeehRec.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ehRec.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

pid	process
1972	ehRec.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

pid process

1560 2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

pid	process
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exewbengine.exevssvc.exewmpnetwk.exeSearchIndexer.exealg.exesteamwebhelper.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: 33	1144	EhTray.exe
Token: SeIncBasePriorityPrivilege	1144	EhTray.exe
Token: SeDebugPrivilege	1972	ehRec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: 33	1144	EhTray.exe
Token: SeIncBasePriorityPrivilege	1144	EhTray.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeBackupPrivilege	1836	wbengine.exe
Token: SeRestorePrivilege	1836	wbengine.exe
Token: SeSecurityPrivilege	1836	wbengine.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: 33	2168	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2168	wmpnetwk.exe
Token: SeManageVolumePrivilege	2460	SearchIndexer.exe
Token: 33	2460	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2460	SearchIndexer.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeDebugPrivilege	2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Token: SeDebugPrivilege	2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Token: SeDebugPrivilege	2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Token: SeDebugPrivilege	2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Token: SeDebugPrivilege	2072	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
Token: SeDebugPrivilege	3032	alg.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	2988	mscorsvw.exe
Token: SeShutdownPrivilege	2636	mscorsvw.exe
Token: SeShutdownPrivilege	4036	steamwebhelper.exe
Token: SeShutdownPrivilege	4036	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1144 EhTray.exe
1144 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1144 EhTray.exe
1144 EhTray.exe

pid	process
1144	EhTray.exe
1144	EhTray.exe

pid	process
1144	EhTray.exe
1144	EhTray.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

SearchProtocolHost.exe2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

pid	process
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1688	SearchProtocolHost.exe
1560	2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2988 wrote to memory of 2632	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2632	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2632	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2632	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2772	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2772	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2772	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2772	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2008	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2008	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2008	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2008	2988	mscorsvw.exe	mscorsvw.exe
PID 2460 wrote to memory of 1688	2460	SearchIndexer.exe	SearchProtocolHost.exe
PID 2460 wrote to memory of 1688	2460	SearchIndexer.exe	SearchProtocolHost.exe
PID 2460 wrote to memory of 1688	2460	SearchIndexer.exe	SearchProtocolHost.exe
PID 2460 wrote to memory of 1916	2460	SearchIndexer.exe	SearchFilterHost.exe
PID 2460 wrote to memory of 1916	2460	SearchIndexer.exe	SearchFilterHost.exe
PID 2460 wrote to memory of 1916	2460	SearchIndexer.exe	SearchFilterHost.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2428	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2428	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2428	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2428	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 688	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 688	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 688	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 688	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2712	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2712	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2712	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2712	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2560	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2976	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2976	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2976	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2976	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2664	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2664	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2664	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2664	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 924	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 924	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 924	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 924	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 1388	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 1388	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 1388	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 1388	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2800	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2800	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2800	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2800	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2432	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2432	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2432	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 2432	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 1020	2988	mscorsvw.exe	mscorsvw.exe
PID 2988 wrote to memory of 1020	2988	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3452

C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1560" "-buildid=1716242052" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716242052 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7fef044ee38,0x7fef044ee48,0x7fef044ee58
5⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1136 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1480 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1672 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
5⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1720 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
5⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2124 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
5⤵
- Checks computer location settings
PID:692

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1584 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2432 --field-trial-handle=1228,i,14223518200416962030,7012049975498502973,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
4⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe
.\bin\gldriverquery.exe
4⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
4⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
4⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1560" "-buildid=1716242052" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-05-23_9af471c6bb0c001f8296fb2ff15f0d9d_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
4⤵
- Checks computer location settings
PID:3184

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716242052 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7feef36ee38,0x7feef36ee48,0x7feef36ee58
5⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1108 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\steamerrorreporter64.exe
C:\Users\Admin\AppData\Local\Temp\steamerrorreporter64.exe -pid=3184
5⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1244 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1696 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
5⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1712 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
5⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2108 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
5⤵
- Checks computer location settings
PID:3588

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1568 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716242052 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1248 --field-trial-handle=1232,i,4528412710728173758,13629221756308643097,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
5⤵
PID:3784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 26c -NGENProcess 1d8 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 1d4 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 278 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 278 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a4 -NGENProcess 260 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2ac -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1ec -NGENProcess 24c -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 274 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f8 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1f0 -NGENProcess 1d8 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 284 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1ec -NGENProcess 21c -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 24c -NGENProcess 23c -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e8 -NGENProcess 1d0 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 240 -NGENProcess 23c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 244 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 21c -NGENProcess 23c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 250 -NGENProcess 260 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d0 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2ac -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
2⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 244 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 26c -NGENProcess 290 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2b0 -NGENProcess 23c -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a4 -NGENProcess 2bc -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2bc -NGENProcess 1d0 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1d0 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 270 -NGENProcess 2b0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 21c -NGENProcess 2b0 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c8 -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a4 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2dc -NGENProcess 290 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 21c -NGENProcess 2e4 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2cc -NGENProcess 290 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 290 -NGENProcess 23c -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2f0 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 21c -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 23c -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 304 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f0 -NGENProcess 2c4 -Pipe 21c -Comment "NGen Worker Process"
2⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 290 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 314 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2f0 -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2fc -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 23c -NGENProcess 31c -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 320 -NGENProcess 2f0 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 23c -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 308 -NGENProcess 300 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 334 -NGENProcess 324 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 304 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 308 -NGENProcess 33c -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2fc -NGENProcess 2f0 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 340 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 33c -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 2fc -NGENProcess 34c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 33c -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 348 -NGENProcess 354 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 324 -NGENProcess 33c -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 358 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 354 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 33c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 31c -Pipe 350 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 36c -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 374 -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 364 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 378 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 374 -NGENProcess 348 -Pipe 354 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 33c -NGENProcess 380 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 31c -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 384 -NGENProcess 348 -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 380 -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 34c -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 348 -Pipe 374 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 380 -Pipe 33c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 380 -NGENProcess 38c -Pipe 34c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 39c -NGENProcess 348 -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 348 -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 348 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 39c -NGENProcess 380 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3ac -NGENProcess 388 -Pipe 37c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 390 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 390 -NGENProcess 39c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b8 -NGENProcess 388 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c8 -NGENProcess 39c -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a4 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3b4 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3a4 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3b4 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 39c -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3a4 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3b4 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 39c -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3a4 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3b4 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 39c -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3a4 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3b4 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 39c -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3a4 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3a4 -NGENProcess 404 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3f4 -NGENProcess 418 -Pipe 40c -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 418 -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3fc -NGENProcess 41c -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 420 -NGENProcess 3f4 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 418 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 41c -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 430 -NGENProcess 3f4 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 424 -NGENProcess 438 -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 404 -NGENProcess 3f4 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:4092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 420 -NGENProcess 3f4 -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 43c -NGENProcess 3a4 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 158 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 1d8 -NGENProcess 1e0 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:112

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
PID:1916

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3440

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
8cff1d3ee61222e373065ad57b1838f6

SHA1
22b2bd874eb76504d96e43fcd2385e35e7f24c81

SHA256
a0eaacd1d73888cb5e263a3ce81fefc94275b5ae17c3e6800c02beb5ad0c6ec0

SHA512
ebd6894a92a38d09b00c44513a78c862b9c09b0071e5ba126a8cc7356e977a52bb9e67da8c7fa350ffaba6b9f69ca37b27445ecbcaa7f697936b2b17e3dd81c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
067e67b36431d52450516fd8d7ad2c7a

SHA1
39a9bcce79758eb36c3e321ab303d4ec3eec0f3e

SHA256
69e0159170cc31a991912ae8b37ccb6eeae131292f6f2b9af20920ed89e0686b

SHA512
43c758a6356d889142bcd71d91e69ae17721038a7907202bc933927c94316499fada72ea394f71a85928ed9888e97241c274e70d11c38b0655b8c8774d77160a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
599744a4b444d6aefab73a5222b4f48f

SHA1
f85d1f3088b7cd0c0b08e52270b00f91c86014e0

SHA256
6951ca472a69a7d1aaa34e943ed4fa7d6388cf8e6eef55ba6bcde020dbef2d57

SHA512
7abb85efd76ced27e0a9c104883bcc5223de57a03d75ca1799da94994e60f031d49e2462b7161bb2193b915783f13ccb3a5741b8a84d12959a016c8bee7394ba

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6949769ced1ac83fc35dfdcaf1cccc49

SHA1
27906e7a82d29ad6137b0bed06c9fc2896658456

SHA256
9cbdf8a54e89d597cbde1afa4936de4f755c9d27d3d6b75ee24b7d35ebfbbbe8

SHA512
33351f496b49590bfb2d639f963b1f5a4995e79a7a24b12ee6a3e04a100ed51ac87db501b18f122544d9df3b085ecbc941503614d374562a79a165324553463a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
259f84fc22f9ed22ec066d1512a1c699

SHA1
27ffa1ab41fef43750945446fb7032768b300d37

SHA256
39dd264c408d87b7a5516e44ffa8ffae319bdc0a008e249d7cf9dd61dcf7e17f

SHA512
6280994b9cbe892d4e5493c7b27c7d16b4bf8cdaa878290a17d5287377b494a7cf21e250167f472c4a36b0cf2bf794b2415bf29618ae0ccb72108dd829fb5c54

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
f5b10799a616dd521a007cffeb92b9ef

SHA1
c6eae24297ddb12673ed3617536b0b79e082ae85

SHA256
293347c594baa34bc956d54f5ee37b4b8f8e930c2e538793682883dd588d3eeb

SHA512
913b1e139fa7f62acf36c833f1fe8b61aba9f1604eec93a6208e67f5f7f2a6fc7d1aceb287904505e412266a0fd86746839e314405683b047e3ed0cf7ea6f3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
fb296f018d2e60e4002c3952cf76aacb

SHA1
e689ee76a01b2077b38577b2e1a369e61a88d14f

SHA256
a17b9f3a2e7d4eb8458a3816a61bbe1e560086d0ec4c0112eb502275a41c7e4c

SHA512
570d00abf6d8301ab8448647465ce7db49296aa7858e0d71cec439fa8450619ad2d826ca7447b1d1a0a2901bc6245d3f0358cdfe1288917e98b8e2959fc02f51

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf77b2ac.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3756.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE4A5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32

Filesize
9KB

MD5
731d9c85eba7a46c32b67bed6a1e5c4c

SHA1
a13fb55ab7fdf294e1e60597d2a5a52ded075791

SHA256
3efd94245971e1688a56840b188d21e9ac2643aaf665e822b042e9c0df6111d8

SHA512
1de1de18a0b00234f33a5122392f8bd1541feab4cfa8c44fb2326a650fd549587e18b1b0b2df507803769af736406dbf58ef4767fec604a66ffb7c4797a12596

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\btnOvrOffBottom.tga_

Filesize
444B

MD5
89cb2bc5ccdab01b0653d4dbb3d6a062

SHA1
afb947fffd5f5f3723e0c8c3b52cb8cbff406ee9

SHA256
ecd13153d9d438809a38de30f3abbb0f6f92837a7e3cacb442a9a9309bcd78d9

SHA512
e5bef83bfad930e2b68720e00d450aa879619dcabcf8d96f9f8c47636a95a9662bc91b04cfa9160081d8af79a1257b75647d89677123f28b8c609808d5b86653

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
6KB

MD5
5a5715177822e69c98aab578421ae78f

SHA1
175ea27d6ef6df27fae93a724c94b2c770f78205

SHA256
5afc5816946e0d7b6d57a99a60be71d9e88670d9a63c18e249c9266d8e95cd2f

SHA512
b11d05dff7f9ce55c2b30de82709f5aa9b410734e1b88a6879e3489394a5b36a27389022de0a741a16f70d0639439d4f75942c3fd604567d63b9ec229d86b331

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\cloud_localfiles.tga_

Filesize
14KB

MD5
c4e538289a4c12da96cec77e7a3e36d8

SHA1
12d57144c0e79edbabc8033a9bf22b1720299f2f

SHA256
c7a1b0021d1f943e497c592d83050ac85a3b93aff732f9b94cd26d9c41b37ca3

SHA512
db3eac8c05b7277a6ab9974c682b20350705fcf616040204bab053d98cf193c2d6fc416eb571ca67f7e53bda59ccaddc0351bf60310a64dba2d83fd9aa539ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
92KB

MD5
323181f4e9013b8b341897abd322e56c

SHA1
85e2e4a5d38c515185415bd4aa8d24f32d428fa2

SHA256
e0ce36b93ae67846424364085ad79ee24fe5c036e5f6a78a4acbe1583f22daab

SHA512
24fc5c82e25f2ee689b0888c6905f13ae74037e8db06a39b247d525071c858e8a284600dc5e33f006a2657d04c0b045c146c2af0951c7ecdceec34082a95d004

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\tabStdBottom.tga_

Filesize
48B

MD5
bd64c051ae2410eef96839a3cb7297f7

SHA1
95a5b0455d69127fe50e396153c795d9914ce0d4

SHA256
5caa5fa3e79dcd8ec5ec20256ed7c77efaae77e0ae8d89e4a974c484cb177d84

SHA512
ea2f76c8cf5dc2fd15017ad9b942d020c3ad5ce1cedc2a1604137ea02f8411cfff4166ffe93c101756b404344488b304cf2b4a71c25b2929654dda9a88a88793

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\public\steam_cloudsync.ico_

Filesize
47KB

MD5
da277b7a17374bde018ffab02015238b

SHA1
ceaafa1a1ed7d2101ad3c2884159364aacbf9dcd

SHA256
5aaca90948de8f7d11264ed608a2f96acba061e6463d337d658b00ed1c552449

SHA512
5a6e542ae9938f560d40348ceac663feaf889a6c990efdcfbea919531dbc34771fe2f0f366ab7adc15e998e5ed392d80dad78a8392f11b9c8fdf2c67f0431a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\public\steam_cloudsync_posix.tga_

Filesize
64KB

MD5
be3a210738638c4f33aa7e01cb475e26

SHA1
02276a10cd77cfd57e4c796c45d69d526f8420bd

SHA256
fd2abb8945c06a6b9c5444baf6ea523b52bf7a03a58b34ebe0a6a110630ed5f8

SHA512
6a11640800df51a8d88ef4224acd39cbb051dcdd6239bee82575ca11772a6a52e40c6614af3ea61320d29b4f75fc9611f6182ad2a55d7284863fd38d89631feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\public\steam_tray.tga_

Filesize
1KB

MD5
7ecf5b072a3c49209af4710481dff5c9

SHA1
6b49560eb27b2d7cd169c066208d4fd3a4863f3b

SHA256
f747d5fd27e74412be05bb376c0ff12fcebb7f39c158eaa89ab6a0a9d92ef3b6

SHA512
ec9ed9d824471655a48b48324a023a7231560810f6403f0ded04af35b51dde4dcd244bd4147570ac9c5cf0c841af33caaf8de7d60cf20f6fcbedbd1717d6d262

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_schinese.txt.gz_

Filesize
33B

MD5
dd542d7ca2128ef0e7c3411b5ab9e8d3

SHA1
0a98ce0efdb5fd75d3c697f06f3c084d5882dc49

SHA256
77f0055faba992867817c485930c5f60cf64e65c65b410128426dc35fd8d862b

SHA512
0d0c1801d0bdf69d2010b0e26ce0a156fa50baaa0370330bdcdb879cbd09a6146d7bc89de2d5ea6f3615123a60e1be87def44c07f92de24615974e3cae2cab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\steam\cached\game_details_header_green.tga_

Filesize
2.1MB

MD5
1ed17a7d11da47608f99d98a8d249e6f

SHA1
ea3d9e0de541be2a346e93e63286f0265ac302fc

SHA256
a24832de8b80e206143170a899ab91e76e85685aed74963fe2f490344bbf6427

SHA512
e423be766c3d615dee6f3ed8b0b7bb5735ec13617a93f6f5403a3e7c4c379b9ab87e9fd5f0c9fa9338f656e321488d0aba895ac9f77da413e27473b2218b9ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4166de45bbade9ac35d19ab6656bd007

SHA1
cfc86bac87731c717da4d42ac94eb1b896554c4f

SHA256
23e059ae68d8c94ce1da4e0239513c65ed017290cbec6445343fe2e604c8a845

SHA512
8e164f34de2f9fb4fc969ebcf6dfac996a21ed67d354a40db71c3239cefa899bacb061e1477316c73f756d0124b9f8bcfc79b2e9c255c979be9e40ccf870d1e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
6c618f6e4f200068cf892de381c13511

SHA1
2f1ea57cc5c66283fb2331084ad9b86049424dde

SHA256
18acc10e75fe87e3752eb98e6da951b2681e91684cbd426770e9b2e32cb5f950

SHA512
e8fb2f832a8fd4b788382daf20f4d00545f8c590a683551c0efd7ce4cfa10bed850cb70b7087581a9017688868d3f41a626cc56d907f4bf98235f06d32575aeb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b115b98829cb1c9d2f54ba8ddb71c485

SHA1
8f7dd98e18363a3537737e8e45d9c816aed28f3d

SHA256
140878cbba39c6c5c81c6e39110fac215cc6ebf041287544d4ed5a2a184251c7

SHA512
d1cdf645b09990d45c7dffa2992ab4c35793b55cd4d70e3edffa4098a3759957c03652ea382f4abb848adf514f091e42873e85acdf424d5825d28e56cc4450ba

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f1d48c6c0dce66ff9281e063330e3e1d

SHA1
22e04c18d952430c06b8629c3345dbaaa5beea5c

SHA256
ff79d01de5b7dfb42eba198e66cc64fe0d62b0ee1aafaaf8f0e06eb30162621b

SHA512
c9b2a3abde9444625b92ea802bb667ecee46f7212765705cb281d9d15487768ca3628cd83b149af27f62799dc962756de07b185aa8efd02f56cfbe5495fef1c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e659f347fd67163b73fe1c5d3229bc45

SHA1
33a3d69d1ecbb975745a568b1908226a91789027

SHA256
ff3e6ad75b96a422edb1d408ed56a1417892642410cf8facc4a79ee2403b7770

SHA512
c9dffe3d9eb02ad70f28526d33be6b309bece60051cf98c2906478c4d3cc2a49da9a64f9224f2de9e763d6f651ddd6c09f62fdcb3eef42ef7b1fd088e774753c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3dfe3db34f490e83adee6ac8a40280da

SHA1
5efe882b50d8023327139362278034cf15614b78

SHA256
370a1ff4f65eb5d987d00b5c575b45fa0051b5c5f5d40abf7053afe8a14075fd

SHA512
20fc022ba5d734f79fd5e4ba3507c316ada8f91ce433063829fe1c69c9c4bcc8e82940ab43eb9030138b896e1ac0d6e777aa55282cf5e672664b609f301e36c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
eeb9a7a592df65323a30ff4d48bffcf5

SHA1
ed49e5b467abd79c55fe34d5b44f892047f4d3b0

SHA256
03aaa9803c93be12d440681f42504c43d79a9ab37a5f1513790901f3f5bd9445

SHA512
d3bb2229732f35fd044952871f5d34d668beff5143456deb273533a8cfb4ab90ed04e004864ef9a17cf5384404b2abcdebe1bb1424f10a82c626dd8eef2c61cf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
828fd29bea2264908028862ae59ab780

SHA1
c28f1c5f8e8fb6430d75b722a659e1f72d1d1957

SHA256
d05c5e348266a8e0ec5434c6476a2e5e79471b76aa609aecb6b71f20b908ce59

SHA512
a6ed46ebeecdb610d4bc99ce79302f9212b918e02fcf5e4858d3e26112cf79f5d05e18ff423f94f91acbc4ff28a45c3d6c54b1b131fdcc8c073832350f944784

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0a90fae1d2234fab5336839244daef8b

SHA1
4c19c0eadf4434bf16aab8eddd8de228b8a7e436

SHA256
8b3df44f66ddf33da32ea8c7fdd0176e46b88ae1b9563a3b49c6e54aa29ec05a

SHA512
f9599b692fccfc2da80784e12e99307ce1edb4352fa94f3558f8aae92edb753096c4d02e58b6439bd651741d0b07677096bc1eb4fd90cd05a6b3d222fc970bc6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
62d4363d366c67d0302dff8f3b046dbb

SHA1
4c77660efe6f8f4691a81cb883eddc005d8a39f6

SHA256
27e2779698fe86d63bb209b8ab2606d1ee9fa6fe2a3119ba673863f6f19f4caf

SHA512
3bdcf79edf48a0bc702025a18f516a8229536d4992f45f758d1e197cd0f909c6db88db0817d506b94ee5652a8c9c09f0908aa2dbacd51012f13f13aba6acb3b4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
754572b98b6d1bd99d974c212b5f5a01

SHA1
2bb37b926c41cfc33012b70ff8e907aa359c7b27

SHA256
85ad10a28437f0f69eab357a740598d4ad49986bb9333dd426b6d9c5a5e04df2

SHA512
e2f03cbcb529ea036ef11840e5203e0a291f77ff5f713c718b0192dbf40124fac80fa06dec4b757750c9c7ef8fe1de0dc22532f3995767b233e01182ff970913

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
5a3f475329a38c7871d52bc226609e07

SHA1
7e9f4da279ea673ad3650f15eb0ec4a286cdf9b0

SHA256
c6d89fc357cd81b6f6e9ec2a0783de6f5cde13fc813bebed81cbcd4f03a54d38

SHA512
b678e94dd75ae011084dd74176475f6b18ed1536ba19d05d456e1e7a10af4d5069449f88dcfb67c2581f31e6e3e26bd72f5cd5c95acac92f892bec33acc79624

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7c4cac0acc91a80ba8003829eaba0057

SHA1
584ecb01f49ff3b559f4b5d8a85f4181c00ec1b0

SHA256
6df72404d6b42d44ed2aacf848f2bab8b6d3a24a23f496c5096c55046d9092e5

SHA512
cd78216679d8a04d4b9007424f2576ccaed021c6deec62a51cbc7574747445b23bcb75c5969403922c66fd34e915236a70cf4d2e8820ea2c781c1d1ec48b310a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3106ddb13dd9ab914e23b3c18e247f21

SHA1
2522d851f201b59f313cd2caca106ac4a998b8d3

SHA256
1e642b11e38e1af02dfb05c0b4faadec1b9a421f08da390587b0dc300c8beae3

SHA512
75ce497f15a6fc6298f98ec8d9b4a69d4d0464cc394399376aae088debe5fcd9d4387c2ce0748548d500caa4bdfea81cc2da8b85faa12b22e293253cb23cb621

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0d2dcd6f21c0b131d695ffa9cf75090d\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
41298148680f6b8f5b99373fa1dd87e8

SHA1
86bf36593fe3d1503a492f39895a0623233893ab

SHA256
8a174a604b01525fa6c4154df152401b13d334b258bf758b296a2fb83c1321ef

SHA512
1a8666913f3cfddddc2fd1871b01cea8cb9454760b0a14c1e21a9b91e3c6d336646dd9806ac8437576b3d80648ce9c2ed9a35c8037220a7ff96be914cd798f2c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4a0b81edcfa84e139174a2b43f0ae684\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
b2aa1e255d3e58485431aea218f7125f

SHA1
cc56b0d258a0442b5666c1e60e4b143f4ce3f161

SHA256
a63ccfe6a4ab0e3eabb724aab2dfbc6dc3cf3facbe60d20d1d12958c012b86ac

SHA512
c581a02ddd855b79024dc9d1cbab24346e7b75d8d4f8ba88da44a4ea6d8fd63320a37afb10ca2a130bd6aaf33888f121a5629f817e1963eacfb129c11cbb9a97

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\677f702dae85e9e71dd263389b314e4c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
707dfd12050367afa559a46fb9f58cc3

SHA1
5de2d34f0244ea30a7cee2ce057911d496b275ec

SHA256
c573fbe5d6d82ded4bf0b6e009ec70ce0deb2b6a17d071941d4be4d7a533c4b2

SHA512
09129b72022fdd6853ab271997dfe452df1fecc718b07b334559c481f5524c9cbb9a36f3f51631046332b5841012d273882b8ce5e95c6d38a52b7634dc15e3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\efda1e10312a453b9858ed5a46d7abb0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
6cb5aa7d8561c0a85d710ec1d4e86340

SHA1
3f4b7f295cb74520bf721bd3f6c8d61a13bd9170

SHA256
44442d518a5127d0283f75d00665b318c92cadc87a27c34333665f7abd5bb6ad

SHA512
984bd3c2a3a2093c67594b399f704424da38c5df8cf54404687f939a96400a5794d9cc8049dcc4638d4bf6a2603327982050976b5eae45651b9be8f73a13582b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
28d154f47d00ec1cb7cb9df99a52f9dd

SHA1
a1b4d186354b6f2bf56e0574afc14d5ce7fed3c3

SHA256
5ddef38ea7760d67aa2cac3924521a05616b9146c06fdfccc322df7c3c4815c8

SHA512
0293fb19013385f3d9e53a48b7a860d51ed972ff4cda13a747c9d17dc8bf35ca8faa8e0b1385f012f64b35c3e6ad7c7105b29caed81eec55ca5d2e19c8919f55

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
59286234b23a58c6a279d2dd4f01ff73

SHA1
4d794b2c0c7417f3e479e332849cb025b1203d78

SHA256
2efcbc8875b7fdd7b9bb47e6ceb4edd4c53c4b63f1a3f95bb36b2058d740757f

SHA512
5135a467e167cdc102134d9360c4cbee2ef921428605df30a8d03cd5e902d32da05dfb98e4da460c8c9e6668f21e6321d3946dc0c514068e1e7a1e15be68785e

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
294083b2bc1c1d6cf38a1ac0aa56d6ab

SHA1
ab7b1bad34757fefbf61709a75900c0fa0d397e0

SHA256
b49101f80a3e7d3eb8fd62900948936d9330a245fc095ffc42bd4acc227f7bf8

SHA512
1b4e9eccf8292b5338c57de307b8cc9e0b4fb3b3cc303bc88be3dc09c8d21d7d49ac7f78e72fa0133d8899ac97dd830e57b5c5f2a040c3faa525e97ba2e43746

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
99f959f451877f26e5b9f313636911e5

SHA1
80dff98f473078bce0f06fd23ff6a5588f99666e

SHA256
226fc2f17f64a7a748cec71b9f0bc2e3b955f7cfa01a58f02944d370c82eb714

SHA512
ba6028fddeeba62b4193f7f476f8de22d701b90fba6456bfb674a04e032d7cfba54df2c53a7ae901ee285089f84e9e47693097fff4c49aa3c2b5569fdb5e89f6

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ed9da94854f7fa54d0734d4257300276

SHA1
849fed58e1eea2a7ebdd76dc9ec0d179e5dad7b8

SHA256
c7cdc7acef8baed61341991ffb42011ad777b879eddef57ccf5033ef55c24a1a

SHA512
858b4818f8e56b2517761a01ea713662658ce902e58e260abf8d11cd19e8427034b3ae7a6e2d5a62f77bf6ddb19b0bf5b255e72d2e249f56f992da861b35f8c1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
e540edfe091fc8470562236529c17c61

SHA1
c4e23ea680aea2580295a3bca8878824f051a199

SHA256
064dad147964fbc0d58878860ef20970783bc0661bedb2754e599745aad13dee

SHA512
f6ed8c1d8ac28b754fff9ddba20773ea2ef8cbccf81ef21e890d4b9cdcc0a7496c991e884e466842fcecd81de12c95acf32640e73f6618fad6b8460c2f4b811f

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7290df7671b5a5bcb4ae105f32c189d3

SHA1
077d6920ba210bda76680eaddaf5f29109d31483

SHA256
8ce54f7d8f1ff19022b9e01abf4f877b3b84595281859a8e0365e0e327e81e0f

SHA512
136fbcfc9976684087f633b651838044bb383f3c26b7643187f5785c744113be2120d205c33e043580dffca462764e76fc45ac6626a515e4bac6ef6c67cf16d9

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ce4bb409d90cf9d635e2cdd1adf26324

SHA1
40a807f5364038fc14b3be728a1a7993e1eca852

SHA256
bf2e4af092ed510f6d5b2c708a9053b8c869c5b3d65864fa163b771c13651116

SHA512
56a2d8dafdf3483ba4a79cb649b295ce4f9390e3771f3c3d7f94206e1eb3406b77535e217cd453f76e392b8c2b8b050aa7994789ed908fbedc99ca754307424e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fafcef652a12e3ecb0fb0427df5c74ff

SHA1
f39daa7c6f3220ae1a93e2f05ce7f18d8346ec67

SHA256
5bb0d8e358f5ad173476f7ce6afd8a3ccf895f02a8ecdd42a12f51e38b7b9d74

SHA512
d838c0347f828d5434654bcade98a71d8a7abbee2245b9facd996b07986ada4ac4ee7bed5df25c29811e662a5ad48fd31f2087cc071bbbd225016b05df570c93

Download Submit
memory/112-85-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/112-91-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/112-93-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/112-844-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/112-232-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/584-130-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/584-123-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/584-128-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/584-258-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/688-525-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/688-557-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1016-287-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1016-159-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1020-646-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/1072-286-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1072-553-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1532-143-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1532-134-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1532-147-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1548-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1548-107-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1548-99-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1548-105-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1720-247-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1720-523-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1836-263-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1836-550-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1848-341-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1848-191-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2008-403-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2008-485-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2016-181-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2016-319-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2072-71-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2072-8-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2072-13238-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2072-0-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/2072-5-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/2104-502-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2104-235-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2168-300-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2168-834-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2428-503-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2428-526-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2460-320-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2460-841-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2516-234-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2548-861-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2548-117-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2548-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2548-111-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2560-483-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2560-500-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2568-29-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2568-47-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2600-140-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2600-26-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2608-211-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2608-400-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2620-57-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2620-38-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2632-380-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2632-288-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2636-64-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2700-399-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2700-210-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2712-551-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2712-560-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2764-94-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2764-95-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2764-13230-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-208-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-78-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-72-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2764-79-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2772-397-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2772-374-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2988-23435-0x0000000002270000-0x00000000022FC000-memory.dmp

Filesize
560KB

Download
memory/2988-23462-0x0000000002270000-0x0000000002294000-memory.dmp

Filesize
144KB

Download
memory/2988-23453-0x0000000002270000-0x000000000235C000-memory.dmp

Filesize
944KB

Download
memory/2988-23467-0x0000000002270000-0x000000000229A000-memory.dmp

Filesize
168KB

Download
memory/2988-23449-0x0000000002270000-0x000000000240E000-memory.dmp

Filesize
1.6MB

Download
memory/2988-23438-0x0000000002270000-0x0000000002314000-memory.dmp

Filesize
656KB

Download
memory/2988-23459-0x0000000002270000-0x00000000022F8000-memory.dmp

Filesize
544KB

Download
memory/2988-23464-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/2988-23474-0x0000000002270000-0x00000000022D6000-memory.dmp

Filesize
408KB

Download
memory/2988-23455-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/2988-177-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2988-23430-0x0000000002270000-0x000000000228A000-memory.dmp

Filesize
104KB

Download
memory/2988-23415-0x0000000002270000-0x000000000228E000-memory.dmp

Filesize
120KB

Download
memory/2988-50-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/2988-55-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/2988-49-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2988-23312-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/3032-21-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/3032-13-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/3032-12-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/3032-119-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/3040-299-0x0000000000530000-0x0000000000721000-memory.dmp

Filesize
1.9MB

Download
memory/3040-298-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/3040-175-0x0000000000530000-0x0000000000721000-memory.dmp

Filesize
1.9MB

Download
memory/3040-174-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download