816e63c2d44d8a4839d376c1b0d83fa5dde31bc9d88e343012059f2b4358a58b

Analysis

max time kernel
151s
max time network
160s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Size

24.3MB
MD5

89c574bacc70a12d6a92476f7afbff54
SHA1

4317bdec13a6309b20c3c91c104033cef052d823
SHA256

816e63c2d44d8a4839d376c1b0d83fa5dde31bc9d88e343012059f2b4358a58b
SHA512

5eddc955d4784af904922acef6c2ca89b36b7b01f4d966c2e5624677d625cd0049ecda12bf5fddc24aa89d76cf15323b844fe116862efba7ada5a30beec51f84
SSDEEP

196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018vML3s:VPboGX8a/jWWu3cI2D/cWcls1vL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2580	alg.exe
2724	aspnet_state.exe
2420	mscorsvw.exe
532	mscorsvw.exe
2820	mscorsvw.exe
1252	mscorsvw.exe
2512	dllhost.exe
1732	ehRecvr.exe
3032	ehsched.exe
1976	elevation_service.exe
1972	IEEtwCollector.exe
1204	GROOVE.EXE
1872	maintenanceservice.exe
2952	msdtc.exe
1564	mscorsvw.exe
2004	msiexec.exe
1948	OSE.EXE
2784	OSPPSVC.EXE
2808	mscorsvw.exe
1980	perfhost.exe
1952	locator.exe
1516	snmptrap.exe
2336	vds.exe
1128	vssvc.exe
772	wbengine.exe
2204	WmiApSrv.exe
1628	mscorsvw.exe
588	wmpnetwk.exe
2356	SearchIndexer.exe
676	mscorsvw.exe
1748	mscorsvw.exe
2928	mscorsvw.exe
2056	mscorsvw.exe
2548	mscorsvw.exe
2524	mscorsvw.exe
308	mscorsvw.exe
1512	mscorsvw.exe
2508	mscorsvw.exe
1844	mscorsvw.exe
3040	mscorsvw.exe
2140	mscorsvw.exe
2948	mscorsvw.exe
1600	mscorsvw.exe
1968	mscorsvw.exe
1200	mscorsvw.exe
560	mscorsvw.exe
2412	mscorsvw.exe
2832	mscorsvw.exe
2096	mscorsvw.exe
2892	mscorsvw.exe
2792	mscorsvw.exe
2640	mscorsvw.exe
2044	mscorsvw.exe
2036	mscorsvw.exe
1616	mscorsvw.exe
2300	mscorsvw.exe
1552	mscorsvw.exe
2868	mscorsvw.exe
2060	mscorsvw.exe
2108	mscorsvw.exe
1044	mscorsvw.exe
2484	mscorsvw.exe
2708	mscorsvw.exe

Loads dropped DLL 57 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2004	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
752	Process not Found
2300	mscorsvw.exe
2300	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2484	mscorsvw.exe
2484	mscorsvw.exe
320	mscorsvw.exe
320	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
2448	mscorsvw.exe
2448	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
2600	mscorsvw.exe
2600	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
1264	mscorsvw.exe
1264	mscorsvw.exe
1960	mscorsvw.exe
1960	mscorsvw.exe
856	mscorsvw.exe
856	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
676	mscorsvw.exe
676	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
2412	mscorsvw.exe
2412	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ec9d63ebae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP906D.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5966.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP927F.tmp\ehiActivScp.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP60C6.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5DE9.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6A19.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0ff966c9db1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002049ba659db1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1844	ehRec.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
2724	aspnet_state.exe
2724	aspnet_state.exe
2724	aspnet_state.exe
2724	aspnet_state.exe
2724	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: 33	1116	EhTray.exe
Token: SeIncBasePriorityPrivilege	1116	EhTray.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeDebugPrivilege	1844	ehRec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2004	msiexec.exe
Token: 33	1116	EhTray.exe
Token: SeIncBasePriorityPrivilege	1116	EhTray.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeBackupPrivilege	1128	vssvc.exe
Token: SeRestorePrivilege	1128	vssvc.exe
Token: SeAuditPrivilege	1128	vssvc.exe
Token: SeBackupPrivilege	772	wbengine.exe
Token: SeRestorePrivilege	772	wbengine.exe
Token: SeSecurityPrivilege	772	wbengine.exe
Token: SeManageVolumePrivilege	2356	SearchIndexer.exe
Token: 33	2356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2356	SearchIndexer.exe
Token: 33	588	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	588	wmpnetwk.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeDebugPrivilege	1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1432	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeDebugPrivilege	2724	aspnet_state.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1116	EhTray.exe
1116	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1116	EhTray.exe
1116	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1168	SearchProtocolHost.exe
1168	SearchProtocolHost.exe
1168	SearchProtocolHost.exe
1168	SearchProtocolHost.exe
1168	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
1168	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1564	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 1564	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 1564	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 2808	1252	mscorsvw.exe	49
PID 1252 wrote to memory of 2808	1252	mscorsvw.exe	49
PID 1252 wrote to memory of 2808	1252	mscorsvw.exe	49
PID 2820 wrote to memory of 1628	2820	mscorsvw.exe	57
PID 2820 wrote to memory of 1628	2820	mscorsvw.exe	57
PID 2820 wrote to memory of 1628	2820	mscorsvw.exe	57
PID 2820 wrote to memory of 1628	2820	mscorsvw.exe	57
PID 2820 wrote to memory of 676	2820	mscorsvw.exe	62
PID 2820 wrote to memory of 676	2820	mscorsvw.exe	62
PID 2820 wrote to memory of 676	2820	mscorsvw.exe	62
PID 2820 wrote to memory of 676	2820	mscorsvw.exe	62
PID 2820 wrote to memory of 1748	2820	mscorsvw.exe	63
PID 2820 wrote to memory of 1748	2820	mscorsvw.exe	63
PID 2820 wrote to memory of 1748	2820	mscorsvw.exe	63
PID 2820 wrote to memory of 1748	2820	mscorsvw.exe	63
PID 2356 wrote to memory of 1168	2356	SearchIndexer.exe	64
PID 2356 wrote to memory of 1168	2356	SearchIndexer.exe	64
PID 2356 wrote to memory of 1168	2356	SearchIndexer.exe	64
PID 2356 wrote to memory of 1048	2356	SearchIndexer.exe	65
PID 2356 wrote to memory of 1048	2356	SearchIndexer.exe	65
PID 2356 wrote to memory of 1048	2356	SearchIndexer.exe	65
PID 2820 wrote to memory of 2928	2820	mscorsvw.exe	66
PID 2820 wrote to memory of 2928	2820	mscorsvw.exe	66
PID 2820 wrote to memory of 2928	2820	mscorsvw.exe	66
PID 2820 wrote to memory of 2928	2820	mscorsvw.exe	66
PID 2820 wrote to memory of 2056	2820	mscorsvw.exe	67
PID 2820 wrote to memory of 2056	2820	mscorsvw.exe	67
PID 2820 wrote to memory of 2056	2820	mscorsvw.exe	67
PID 2820 wrote to memory of 2056	2820	mscorsvw.exe	67
PID 2820 wrote to memory of 2548	2820	mscorsvw.exe	68
PID 2820 wrote to memory of 2548	2820	mscorsvw.exe	68
PID 2820 wrote to memory of 2548	2820	mscorsvw.exe	68
PID 2820 wrote to memory of 2548	2820	mscorsvw.exe	68
PID 2820 wrote to memory of 2524	2820	mscorsvw.exe	69
PID 2820 wrote to memory of 2524	2820	mscorsvw.exe	69
PID 2820 wrote to memory of 2524	2820	mscorsvw.exe	69
PID 2820 wrote to memory of 2524	2820	mscorsvw.exe	69
PID 2356 wrote to memory of 2816	2356	SearchIndexer.exe	70
PID 2356 wrote to memory of 2816	2356	SearchIndexer.exe	70
PID 2356 wrote to memory of 2816	2356	SearchIndexer.exe	70
PID 2820 wrote to memory of 308	2820	mscorsvw.exe	71
PID 2820 wrote to memory of 308	2820	mscorsvw.exe	71
PID 2820 wrote to memory of 308	2820	mscorsvw.exe	71
PID 2820 wrote to memory of 308	2820	mscorsvw.exe	71
PID 2820 wrote to memory of 1512	2820	mscorsvw.exe	72
PID 2820 wrote to memory of 1512	2820	mscorsvw.exe	72
PID 2820 wrote to memory of 1512	2820	mscorsvw.exe	72
PID 2820 wrote to memory of 1512	2820	mscorsvw.exe	72
PID 2820 wrote to memory of 2508	2820	mscorsvw.exe	73
PID 2820 wrote to memory of 2508	2820	mscorsvw.exe	73
PID 2820 wrote to memory of 2508	2820	mscorsvw.exe	73
PID 2820 wrote to memory of 2508	2820	mscorsvw.exe	73
PID 2820 wrote to memory of 1844	2820	mscorsvw.exe	74
PID 2820 wrote to memory of 1844	2820	mscorsvw.exe	74
PID 2820 wrote to memory of 1844	2820	mscorsvw.exe	74
PID 2820 wrote to memory of 1844	2820	mscorsvw.exe	74
PID 2820 wrote to memory of 3040	2820	mscorsvw.exe	75
PID 2820 wrote to memory of 3040	2820	mscorsvw.exe	75
PID 2820 wrote to memory of 3040	2820	mscorsvw.exe	75
PID 2820 wrote to memory of 3040	2820	mscorsvw.exe	75
PID 2820 wrote to memory of 2140	2820	mscorsvw.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 268 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 294 -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 1dc -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 25c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 29c -NGENProcess 26c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 274 -NGENProcess 264 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 26c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1e4 -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 208 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 208 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 248 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 2b0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b0 -NGENProcess 2ac -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 294 -NGENProcess 2c0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b4 -NGENProcess 2c8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2dc -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 2dc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2b0 -NGENProcess 2ec -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2f4 -NGENProcess 2e4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e0 -NGENProcess 2d4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 308 -NGENProcess 2d4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2d4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 314 -NGENProcess 2e4 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 328 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2e4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 330 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 2e4 -NGENProcess 33c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 334 -NGENProcess 34c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 344 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 33c -NGENProcess 2e4 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 35c -NGENProcess 358 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 358 -NGENProcess 1a8 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 334 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 36c -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 1a8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 34c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 340 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 1a8 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 380 -NGENProcess 37c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 36c -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 374 -NGENProcess 38c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 364 -NGENProcess 370 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 370 -NGENProcess 34c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 378 -NGENProcess 394 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 39c -NGENProcess 374 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 34c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 394 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 374 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 34c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 394 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 374 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 34c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 374 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3cc -NGENProcess 3c8 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3b8 -NGENProcess 374 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3d8 -NGENProcess 3c4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c4 -NGENProcess 3cc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d4 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1120

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1168
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
f90959c5b8f1b82a93d763dcdc05f54c

SHA1
443fa942dd3fb66c75f8c00dd821f5533a61c7f9

SHA256
3aa6eb97b36f5f39ad8ff7aed0be9b9060ba80165744f061da3e1e11db75a0b7

SHA512
83fa0903185f9a2a54ec90bf8f09e23bc8a82bc4c2833729923e5f9e9196fa7254582fa1743468fb37826cc1368e3e58ae866ac8dcf96731631f3233b8721a2e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ecb5df1f23c8b385150939c8315a1ffb

SHA1
3e5ce2663dc15200467609d4351ce4c4f037f1ab

SHA256
4a5d74c013c92fc5210ecba08ddc71a59f4cda4d3f3f5d7eaf4276c5545691e9

SHA512
c0d2ea5be0d798bb2e4794e8ac01cf40e87cfa451a0adfa7498c62608219443a5593f0176625809e5cfba7ba17d2e31250297cdd6e106ffbd38aab4ca089e984

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f8466c1f7b4bac62a2065d89360b0de3

SHA1
7159731f6016701dd8f6a9b3acb653bd7c683c44

SHA256
bd48e687376287b0e4626bd73aaa07115379c255b4691c1879474b77ef90d56f

SHA512
dc25e53c329120452db093a45aa7dbfd862387542f0245792eb47b5c39d075df954e46c0587f59b0d3dad4df75986ccccdb0b7f29dc9c9c3a2cdb5d0a8846934

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f77d0efee6746872dee854a8aee1c65b

SHA1
c45a9a3d70e7a66618b1bdf70835a98785024f25

SHA256
5028e943332008e789b0c351fd06b838cc703628cb40b9ed11b4d3d7a03496da

SHA512
aad7ca203dcf7dffe44aa894ecce40fda2d70633f10863b534cb64cdc15206aebaa70c54fa10310999cd1d36da8aab874e8f4d6ea707fcd4ef2ff15fb8391718

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
63f5e67a1be03a24d7d3e965ab7942a5

SHA1
98c02112b79b7d042cfd12c174012fb4ff9231e4

SHA256
b044053ec1d1829d2b3c87cbb60e68776d50d1d921348ff3813b4ab035849b63

SHA512
4419c09d04f3c274ab766e73427d8c0ced9ce5a5437b705aa10de42f91423eb46ca6ec650a7e29ae55bb99b25cd4e39f77ab8e93e755a0a1134910be6f871c2b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
be34ce953e9cc4f79cc758890b41a8e7

SHA1
773ceaac4843ba2a7f92f7157314f2fad8aa0c2f

SHA256
43adc5f80c96748094a80f438cdf1d33fad46adc4dea4b3441ec59720a5dc61f

SHA512
61701da265f5bc911328408c743d7a2623eb144cf973433edd3c0a59dd1d52eab48db7198d071255325c5c51d91df8129c44fd12740c0949ee2cd9abdee353f2

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000

Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a779d91ce665eb937963601d40a2ab7f

SHA1
5f7085546477ed47bb69302899784fe966f0ddfe

SHA256
be6171fb0a6ca0630c9e53f9e6af0c443c9a9a693dcd5bd895db380e2c115c3a

SHA512
88abb711c2afb59074094b090937896d2cde0aa1649cb67af3efc9ccc7ab087652106bcbabc5c0e02a29cc8a91c10c18d89fcbe618b75a1a191c0d6caca8280e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
c61f23e6d55a17b305b009dceeafb927

SHA1
81e6c1571519ed2c031d570b931eac2827863d27

SHA256
e51207a8151aa7d4752ea1b313ab336a1545b8d3287c7de82baa69a90a5f5f40

SHA512
85c63eae65eaf36be580a6ddd90225366e1f8c15ac318d671f86f780f3a1c309628f1b58eec74aa75a7c17d5030ea3c6a6a182cf3b1c578ac73ea584172274d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
32dd041f91d35500eccf654e4f26b91a

SHA1
307508c4d380a26abc096792a18d3852d4bebf25

SHA256
44c373f90a1a04d4b0cfab35cf8ae80513d9525be659d6dc06846eafdf8cbd4c

SHA512
7bfca42b4f617924e2d36d4df8b4ac7f62967946715a390acd1930adc9afa132f8586d6db835e25def20a1d5cc47eff80c05262d04985e00dfb1387a6bb7e548

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
ad87cb43c56131a10fbbba95d12036d5

SHA1
a3d2b7f6d6badb6e4bae830f0834aaaea32eba7c

SHA256
37e21f57360e121b69cddc5c75a004ee977e2f88a92db865273d6fa27cde2206

SHA512
1bbce645bac4f137a4a3c7064ab2062a2ee98bdab6a342b5f953de12fa5f36c95d9181800b0f488a4df42721d75c9270ef1465a737a703fde85838a47cbc5b7b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
cd0d1b2d2d585e74ae6a71065aef6d83

SHA1
b57b36f28003d798b3313716e60d3120980f009c

SHA256
20fc681c4415a94e2573b3507fab82ebcb34c2c374984f4d7c57a8a0398031ca

SHA512
84dcd1658df1a6e29270afa649e49f19e0d47ca0c37ed08e2ea9955612fd89276ac0ec27d63202801a53bf017b3352342351b4da9ca36da51387cab62a41018d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
387534a25e720c9b7d9dfe2110eaff81

SHA1
9de823a73f361f80d22ba841807cc1c6e5e6d0de

SHA256
f4f8af2fda9c468b2eb4178674032f6820339bd54698dfd70ec452e9e83708da

SHA512
e51e291b4ca82a04ccf24fccfdf571eaa7879d2e2dd2d21f3d05c06bc55beb3baa032e027a538bb157c3eb54c7792aab5b2536ade331966fa7e274bf35be722b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d0985a4332797d6642737e6494477a26

SHA1
16faaae323fecaf61a521bbf159585d0a250779a

SHA256
d5577a785691a30d183a5a8c7fc567b1ae1600e434829cc5a5e534bb4398ecae

SHA512
39bf9b7c1d1908a41b8a67dd79e08c0102ab023dbbfca3d2e6d44ea0ea19168318b0f627675e42735d5621b168b5fea08bb8bc3863d05fae51c4f4d8da35b8c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
27c63f8f1f7f9268fbdf15b0a9a95ee2

SHA1
1c8f3bd18baeb837b8a908b8c3cf6594eba9049f

SHA256
52ccb6d3055b6157035e3decd5e03685aaa7660f13ba8dae4d1dfbaa5eb17bd4

SHA512
084de21bce816d19e1cbe8e79a830a615a7ced91de74ed87b0803c3f16c00b76c56d9467c7c0bfa816e0a5433a9508f3d1c4afbf4dc1475a3bdbb606443f5635

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
3a361309636eafa30d78c74bf594873f

SHA1
0aa0bf967356231d550881831ed1540105ddbf46

SHA256
28c5c088aa47aa4bbfee83a994ca57da7905570baa383b630a9d0d2cd314d61c

SHA512
820aa6620296243699b6bc1ed1217ec62075178a0295361f19ab9f389e39439ba5a181ca8c07ecac0b245fe19ff349af1444bb1f10f12556c6eeb5bccfa0ac8f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5b484cb714e0d481f835a288486ee956

SHA1
751326ec3e10d941bdf8e0a58e01f2b2313797df

SHA256
941f566eb7f8e5746d7ae80c24ad4ad85f277be31595e729836133ff25e3113a

SHA512
b9f413317220ad916c117cd14f7fa4a17b8f71a7edc7fce419fbd8f0f3be8d840e1f680a0c52184d8b42d25fd4edf07b642997757932972ad207d7aa4be33c1e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
aebee1c70649426fa6100d535287d0d1

SHA1
016eaf61be85deef1c913359c623b8ebcb1ac003

SHA256
a60d8b579f095c367974bfd75a4ac5cbfbf2e5dd2633dc1260ab1fa0ac7cab6a

SHA512
6f00608dc74dbccabf91e1e0c0bdd127b70079bbdc1549dcb19e26a857fd844d871619c2a91056c2e7eb3b72916c02087e66a596944bc14f2ca4623e9c882ec2

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
d2e52d2429f253c05ef5ac52a596c1fe

SHA1
a9274160f90c19526d9408b137f43253944ae27d

SHA256
51559d30869c1fbc7ae4d388b5f9e9968c3263bc9a3c5a6ec549a3f58a338213

SHA512
d3483a41749747579b3c8a5a475adf7fff7bccbcaecd106722a36c71782b15169a30616ea99aafec81bbc5c9e0ac198739dfc625de12c86e790d12fa5a974d11

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
e5df3c8ec0a3d8b4522358998d00f364

SHA1
35f7d7919013b0c7b10286d1b6942d3b9f219e69

SHA256
43169d536cf0166b1c0aa925f26d460a3576047c903145235dbf21f3d7b94b64

SHA512
2037bf3974616b3194f36e2d9eca6a20dc8e8daa326da03e8fa220e8b94a3d562394690b9c7e9a8ee09d48f9b6102149557c1a2ce913940035681d0f25f33762

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
a6ce70ca2e265b823eb6ffdd83131e73

SHA1
d41ea3a2c684311c13a68c0061f6ba9430f30bd2

SHA256
e68f9a1582ed9cd48abdda36241c8e6d9543c942ee2b063f80ade1b1a85b9a49

SHA512
5450d7fdaa6f6982ce307c96d395987720820aea7e7780d48f43f9a57a4c91accd5178120c00d04c8dfb88d8abe9c51590f8fb909295fa9231b0bd869944b8d5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
907efc7958339273aaa9dacab44597d4

SHA1
18b80d87929850945958ffc50431ea79dcab0978

SHA256
a8c759c286fb37217a2fd18955fb23e7780e1984a194907a1c61b51276104784

SHA512
776bc4d97e57aaa44f3111a76b694ac50e3493e317a7c31886d6b44704ae690935ba6e139dc83ce36da94d3cd3457021f77735e529708c58905b93acf9165b53

Download Submit
C:\Windows\Temp\CabDCE7.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarDE50.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
954KB

MD5
c63d5631dc9e6795d2b983a045e57a74

SHA1
5274102aed98d64bca81252720f353f582d7c8d0

SHA256
369c4ddd545fb26ed639a75fd3f3a70dfc4e96e61a4a39269cb4b62565bba5c9

SHA512
223132e8f2731e393431a09cffca4ce07b24ce7cdef3dd39a6d883169f6edb585f331f9acf75f1d1660396e0e7a8e64454c82fe5e5fda039eb894295f22396c0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\02edcaa6661378dc2f9d13e21a50f9cb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
577fa8e9adf4f55816dd7c2066115676

SHA1
6ce21ad31f72f4865f58b0ffe95418b814e9fc20

SHA256
0ab6c96634e24d8675330aa86be66e0d997fbc5dbef54417ebbd356c5714a81b

SHA512
ad9fadf31f4a61b0f731d232ccb30e947f44db232c2d41ba4369bcd7bd014c8df054d8c1cadec3fae755047449a5af3f2e01a8d333bf4bb542947b5faef44438

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c16bca51aa1dd419ffde9989c0bc4d03\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
5ef37a08c60e76424fc5e007b51096e9

SHA1
4dcbf77d4dc7552fe3b67292f1c858d0998d006e

SHA256
47e05f95d06d696261eaa688259722f0b01a5b33ae8c78d3ec2516ed835c3d5d

SHA512
4407d397b801ff13cf30296c21550afdd5719b5a02a395eeafc6a19d86252436b77d4367d3aed724ffbae12519cd3d135a4013677e188295547805b1624cbad8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dd2c793eabc407a5ee4fb32efe477324\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
989093f60dff087565f5fea5ee8502b2

SHA1
24f4c0f7d11a16cceb1091537846e804cd8d66a8

SHA256
01bab493814ed903a8fdcd2b985fb46fad0115553843137dbb6a903fb6091d4a

SHA512
be6a16b6bada5116090e7a75baec41920981593304428df9f3ce921ffca905869034ccfa00fabfed2250702e0de19b145aa95b1a17ce0a774806fafc6a85a9c7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ef9ba4b729696aebebd303d7b04b1d46\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
204980f93f95204786a47c6e1da09508

SHA1
dc72bfdf392f7287cde4895127daf0a75f70b4c7

SHA256
d95f58abfe030d6ace3af790b311d6d45e9ef0799c288e273c21f3aaa52ee749

SHA512
b18e78c1cece7edc39d6d3c819acab4844d152cadd68a275bb18dd893747bc07aa969da93768bb41455b1b2e02375a51c25afed86bc5bc14b24ef1cde1a9d423

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5541.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
3a1fd56b246c3656635130f932d58501

SHA1
3d04a556626c41d5d6f30d7466aad08ca968dcf4

SHA256
e8867ab3a26bc633c856b2376d2959208108d65eac21e36df0c1a748e21fbdbe

SHA512
0a8791d6273970cf26601e1788497ad233f0aab94056c17150f42b4867d6c0d6b14acbcf69666987828f7d5915be76f93df7689705f50a581188b0de0ed97306

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
b86f158d7d22146237a6979b3f300488

SHA1
247e9a61c2560e02c75829ba869eceddc766e499

SHA256
ae107d0bf36d3538ca7a2c69bac4fda0c86dffda9a3c00f75a1da49e3056a426

SHA512
6c0fa842203b722253460174000bc170f5e91bc1f8dbd3b88a17cf854db10e212b27e16b8421ab60007fc8b579b51a9792a780c8a35475d45343d1550b3a465b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
feebdb1c90feb1d7252ee8480876bf84

SHA1
931b53402ebccebd9c8de5897c9baea7ddebb330

SHA256
c3367fda48eb5ae5607b707d8ebdba9e7808a8ac510364308079c7c14c486d8b

SHA512
8989ac88e401b2deb1884bc4d857257a8554c9d35ecc19e7729e2aebb16a080a16efce8fc1129bb692aab0f49f44b978b27b3118be63f321f5356f76119a564f

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
e0bae991a6e608d0b494a2dd71cd0c21

SHA1
5a0125abc96e9a91aa218acca2e2ebb51dbd57bc

SHA256
80c7b4059f389a43d8783c5cde86f23c815bf4c30bb6d7eda751a2b39963ccc5

SHA512
00938b9f018228bf9033d1e321c2dc6f8dbcddbf43f9b3ec1e6a3043a9c063cc297fe23b2ccd2de70449f06f3c779f172d1c2e5eddf1e1d494213723943d6258

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
ddfe9459e8197f2a22d0b907f6cb3968

SHA1
da48f6f52e555a10916dfdd8c3709c21db060d13

SHA256
5a334803c292b87f8877f197304dc78069b69a735b22f1847f59c3db590ab8a2

SHA512
d5829224bb0b90a7c5bd70878c88c95c3a6795c37267b2e6dc213cdd940fb74c818e668303ad676b93494f4c332a50f676c8837916a4e632329e5f9feea9eafe

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
c2d4ab428544567130771483a37b4cc4

SHA1
84cf45402d6f40a30f6eb7b96fd507300fb79cfb

SHA256
4350b74bd03d275b4103e9524d9f894ef63fdcf9f4852d9f0018eeaef779dcff

SHA512
1a9d559c8b2595d44f63d1e840e88ce2b19015b3ccf29a5abb09df5d1f82b2518a42d73ebd245554f0246409ceaf5b4195b2b2a7c3bf8a2cfd3c16ffed7d20a5

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
964a14abedf4fa686d5d466718c90f01

SHA1
26ec9351c4eb8359cbfcff3e8bc3e925e94e7807

SHA256
8ea07d0dc71fe9b7612641319aaa1fb875103fbd76e87dab7f8af9c3a22e5048

SHA512
f422df2a0163e48b215b96f507f85e486e5accadc934d907561d7c3a0dba9bdefae44013d586e568dc14e984c5f96222cce29f84203a11eba547e998067c3073

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
7a0f48a5a1de0440f858703faa31d649

SHA1
da84bc38f840065ab7b2739cca2e9cd11b0cde65

SHA256
c4f600dcf5c24bccb89bf76e5158b24a4b2570db469b5d1e2d94a5bcc37fc19d

SHA512
ef85ca729b2197bb731a889cbe159590a2f2ad5c6913f0359b65b02e406b13f074accd7039c267d00b8d8eeb816ed8dfe5ce05f974809646b925b3730076daea

Download Submit
memory/308-569-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/308-566-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/532-50-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/532-61-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/532-44-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/532-43-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/560-719-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/560-735-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/588-301-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/588-578-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/676-336-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/676-390-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/772-515-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/772-274-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1128-269-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1128-485-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1200-709-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1200-703-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1204-254-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1204-163-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1252-88-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1252-82-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1252-91-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1432-0-0x0000000002150000-0x00000000021B7000-memory.dmp

Filesize
412KB

Download
memory/1432-5-0x0000000002150000-0x00000000021B7000-memory.dmp

Filesize
412KB

Download
memory/1432-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1432-90-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1512-579-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1512-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1516-259-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1564-195-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1564-238-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1600-679-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-684-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-681-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/1628-281-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1628-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-115-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1732-113-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-207-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1748-472-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1748-357-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1844-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1844-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1872-173-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1872-177-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1948-214-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1948-300-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1952-256-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1968-706-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1968-693-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1972-810-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1972-152-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1972-237-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1976-224-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1976-149-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1980-246-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1980-355-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2004-280-0x00000000002C0000-0x0000000000372000-memory.dmp

Filesize
712KB

Download
memory/2004-277-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2004-202-0x00000000002C0000-0x0000000000372000-memory.dmp

Filesize
712KB

Download
memory/2004-200-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2056-518-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2056-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-643-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2204-278-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2204-535-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2336-257-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2336-448-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2356-591-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2356-314-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2420-77-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2420-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2420-30-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2420-35-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2508-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-608-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2512-107-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2512-101-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2512-100-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2512-199-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2524-565-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2548-516-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2548-530-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2580-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2580-112-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2724-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2724-17-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2724-23-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2724-125-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2724-24-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2784-221-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2784-313-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2808-262-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2808-225-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2820-66-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2820-181-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2820-72-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2820-67-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2928-484-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2928-473-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-664-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-680-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2952-268-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2952-183-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/3032-126-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3032-220-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3032-777-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3040-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3040-622-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download