Malware Analysis Report

2024-10-10 12:01

Sample ID 240615-xqxf3swall
Target 2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil
SHA256 866080cead8b9024d2a05bcf0c14f970fcc772e9a8898ea05479d908bbe90fed
Tags
risepro discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

866080cead8b9024d2a05bcf0c14f970fcc772e9a8898ea05479d908bbe90fed

Threat Level: Known bad

The file 2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil was found to be: Known bad.

Malicious Activity Summary

risepro discovery spyware stealer

RisePro

Risepro family

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 19:04

Signatures

Risepro family

risepro

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 19:04

Reported

2024-06-15 19:06

Platform

win7-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe"

Signatures

RisePro

stealer risepro

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\df042a21ad1aea39.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{5629EE71-1934-428C-A492-DBD2787497EC}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE37C.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A02E209-A3E9-4C44-A0E9-CCECA51608FC}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9E42.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA007.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9D29.tmp\Microsoft.Office.Tools.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9972.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD836.tmp\ehiActivScp.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchIndexer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 756 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 756 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 756 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 756 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 756 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2972 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 258 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 24c -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 238 -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 27c -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 238 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 208 -NGENProcess 1e8 -Pipe 1b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 254 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 20c -NGENProcess 22c -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 24c -NGENProcess 258 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 280 -Pipe 20c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e8 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 288 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 1e8 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 1e8 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1e8 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2b0 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 280 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 280 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 29c -NGENProcess 2b8 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 208 -NGENProcess 2c0 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 29c -NGENProcess 280 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 2c8 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2c8 -NGENProcess 208 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d4 -NGENProcess 280 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 288 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2cc -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 280 -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 288 -NGENProcess 2ec -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 208 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 208 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 308 -NGENProcess 2d8 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2d8 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 208 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d8 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2e4 -NGENProcess 31c -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 31c -NGENProcess 2d8 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 318 -NGENProcess 314 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 328 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2d8 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2d8 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2d8 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 358 -NGENProcess 354 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 344 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 314 -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 368 -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2d8 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 370 -NGENProcess 36c -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 324 -NGENProcess 374 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 37c -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 374 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 374 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 384 -NGENProcess 368 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 37c -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 3a0 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 364 -NGENProcess 394 -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3a4 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 3a0 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 394 -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3a0 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 394 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 37c -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3a0 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 394 -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 37c -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a0 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 394 -Pipe 3b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 37c -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3a0 -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 394 -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 10c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3a0 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 crl.microsoft.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 crl.microsoft.com udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 crl.microsoft.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 crl.microsoft.com udp
US 8.8.8.8:53 crl.microsoft.com udp
US 8.8.8.8:53 ifsaia.biz udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/2104-5-0x00000000008D0000-0x0000000000937000-memory.dmp

memory/2104-0-0x00000000008D0000-0x0000000000937000-memory.dmp

memory/2104-8-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2104-9-0x0000000003030000-0x0000000003031000-memory.dmp

\Windows\System32\alg.exe

MD5 6fd63e9c8ffea8280e6e32b7ad6e1199
SHA1 b3f1d5bea11bd0a9a6574b00e6e651a98bb2f694
SHA256 1bc1e0c054899b8990522a39d55729db2d4407dbb5da0b448a316a39a24a410f
SHA512 0ed6c29d4d207fa642672dbb703c670a2372b7d313dece7dcd2448643757b0d0d341b19bcd74331915feb3338d79bd251ff1b920160726e60743019ba97b0d89

memory/2612-13-0x0000000100000000-0x00000001001E3000-memory.dmp

memory/2612-14-0x0000000000390000-0x00000000003F0000-memory.dmp

memory/2612-21-0x0000000000390000-0x00000000003F0000-memory.dmp

memory/2612-20-0x0000000000390000-0x00000000003F0000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 47dc72f92bd48292dd2b0a55a8ce5f85
SHA1 b43cd8e2f71b5670a7459516dc180e9e68dbc7ca
SHA256 da8ecf497fb7c86ae9806a450d329f56f6d35672ca8596de2824582aceecbc97
SHA512 1db59270cdee947cca4499223b3a745678108d7596508fc39ab7a4667ec86e957b44b7cb8dc59ff99c5f87e3a3d9243db155b567f6627bed2b18e3b1ab6bc124

memory/2472-27-0x0000000140000000-0x00000001401DC000-memory.dmp

memory/2472-34-0x0000000000200000-0x0000000000260000-memory.dmp

memory/2472-28-0x0000000000200000-0x0000000000260000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 d7b778ef292dcb771811f3248c01441f
SHA1 d795fd4dce120060dde63ec6bcc30a03c5adfd78
SHA256 f26d520a0c90fc592942fd3bec989a5835144a147d6e078d28e437b1543220c9
SHA512 40a3fc21b01b535193a1d009115cccc07cd97e1733ff5175cb06d5894dff4ba0e0e77209215f81e0b241a764811f8fdc70cabf0ade9c1016c830984fa73f8fa2

memory/2632-38-0x0000000010000000-0x00000000101DE000-memory.dmp

memory/2632-39-0x0000000000240000-0x00000000002A7000-memory.dmp

memory/2632-44-0x0000000000240000-0x00000000002A7000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 cc248478ddc0820b1cdd360124338006
SHA1 f37414cda021b7992ba6f444191932d190df12fd
SHA256 b4b31aff97313a0ae48ea5c582388144e81a4b13df49d97aa3cf3135e6823d7e
SHA512 a034a35fc1ca453cc7dd46a68e7e7cb5dad5ccb918d2b16f9b17f493b6bfbed0aa8629ea372e0437d2fd8be805447960741647c3f233e5083199ec99919281af

memory/2104-62-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2632-69-0x0000000010000000-0x00000000101DE000-memory.dmp

memory/2428-65-0x0000000010000000-0x00000000101E6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 2e2d6cda109e85bb2c4730e94f674c66
SHA1 6384e0cf9808f9277e15b402abf71cb1994e33eb
SHA256 9236b165190179f3e25179590f60d0acaa85d294fd9f0c05059485a558661ed2
SHA512 5b0bf40a5711934fc002afcfdd5ec3f9132d22bea921c127e29a12215fafef6157a4adb1668137d75bc8e033242e1c2cc9295db8231264d234a527ee09e12412

memory/2428-60-0x00000000001E0000-0x0000000000240000-memory.dmp

memory/2428-54-0x00000000001E0000-0x0000000000240000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 d034dba903bb21ad2dbb73f717f9a271
SHA1 6daed4ef50778a5bf1d5af9d21fec31d6af13011
SHA256 8c5b473b89f7dbf5396544c1e9b8b0bc9dd939cb9fd683b08d989cd5daa3d3c3
SHA512 c0180cb4b5947561c273ab848e5682ae4fcf02eb0d92541d9a6bb44d09249b429b4b1252e19e0f23c8433efb2c8fb31e6ab6c88cf0b4667088391d62364c5ca5

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 c052078ec8b1a68defdc80476701f3d0
SHA1 6c75b1d220fd2db48d071f0053127827f7e46cd7
SHA256 ed5ab3779a0d5da3fb3ca1366f4355d6f70cf587b1cb8ede192a2df8aa4d9568
SHA512 7c059e3b65dbf42e1a1475b6fa0e1c6c7fb0ef87f70953440b77775645d07e3065f83e43f7f0ff0af7d1e76ebd50946b7b49c8f5e3ce9fc458096d14e8e9c8e7

memory/2972-78-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2972-84-0x0000000000370000-0x00000000003D7000-memory.dmp

memory/2972-79-0x0000000000370000-0x00000000003D7000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 b399a6db2caa458f331cced6b2473a33
SHA1 bcaf7cb2b9a43ededdd873c6c7bd3abff97b1ab8
SHA256 a372d2f0193c0a4f2adfcb069f90c59dca367f1b86174a06d20ceb7bae094e0a
SHA512 4d87880bc83a57b9b790ca2b2597bc4244236f16727b08cb9a1eb54daf27122cb66e7189f0e741a4f632ce0f26da36f6539c81735aa3b5128bef30b2484c2e45

memory/756-100-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/756-98-0x0000000000A30000-0x0000000000A90000-memory.dmp

memory/756-92-0x0000000000A30000-0x0000000000A90000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 8b22a79d7543978d082bb6546653b8bc
SHA1 f7824bd20a82b56e409b59dab0bd1bd55a1047de
SHA256 5d52cb938528161f45372f21d252938d040768450c64bc8fb40f305e8e03932d
SHA512 322609acebae6e8b6bf887716dd8cc5e557ef963a3ad9a7d3e99936e23e668fbe7b63a75ec858436806bf7a911c25f758198f4671f35804e2d1304ac5a521b16

memory/1416-108-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1416-109-0x0000000000AB0000-0x0000000000B10000-memory.dmp

memory/1416-115-0x0000000000AB0000-0x0000000000B10000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 fdb4a1cb17cce115b5253c31feb9a6a7
SHA1 fe1b05aa7e9018a0530aeb84509603929979854d
SHA256 61ef0c640dd9156e6931821376a3a67cdb77492a1feff07b5377556433523211
SHA512 df106656cc85ac26a2239e5780d34b44721851d4bcf57af5f415a1d71886237a5e1e09d41b898958247b0f52ec3c7b4fb330f653bd53fc6639e336ac840cc007

memory/2612-130-0x0000000100000000-0x00000001001E3000-memory.dmp

memory/1172-131-0x0000000140000000-0x00000001401F1000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 ff52ea07f6814a53a3ec195b98c64452
SHA1 1491142add197d249d689c3bec2619e227a8f5c3
SHA256 b01b5fbf82b05059b296ec74a324f6ce815f53a5249aeda8fd0f6a0092033a8a
SHA512 73504c08309af49868435492c8c2ec5c59246dcfdf2da1b37f0c86e3888e81f699de9bdc85ac445744f9401172926d4201f4e05feb7066c609055f7b56d4c0f3

memory/2152-143-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 7a365ac20672c6aa4e9f7ffaa3f1a7f2
SHA1 ad59c3a4477d4396249336176d844acdb6f212ba
SHA256 e14049e63e0886dd431960cbcba2330482adab9e64fd8eb63e6a68a1d1b9b5f2
SHA512 862d405891c85082153086a9cf0e64a84cf07372f0e54e880dee96d4f9ed12e1914a9f92aa750989608ad0ecbd0be0d6cbc8d5d2b30710736e14516f9a1c973a

memory/648-156-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2472-155-0x0000000140000000-0x00000001401DC000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 c712abab002e9773e5f7d4c5cf7ec40b
SHA1 be000331569276b9d5ab09067927cbce76a6a5ac
SHA256 aca2349c967e37883884d486fc70b81859c70f8a886e42d29a47060154a3ee64
SHA512 c273719703ddd0cece125c63680b2aac2bd54a5aadd0bf677ddbcd517f19139fb2bb16b367e61bc411dfc5aeff72378a8e8b087dedc5827a1eafda9e8a69a9a7

memory/1692-167-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 07a0d7f14819540eda174e29db210252
SHA1 64c0d3be6457e4adae447e0bdb251ce7c8b59cd9
SHA256 2466e97fe2f58a81dcc1a75763b623a14d4a583fb9e95073a1e7a6586b85303c
SHA512 da3591acb02f8ac07a5f09e8aa3a9867cc954e283c852112ff30207429c9b69cdd59f160501832f8062623445af36b4fa319f0e65f6e94092bf6b0fc3d60678f

memory/3056-178-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3056-182-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 7a618c3cdd9629517b3cbb0b9d9f9c85
SHA1 8275c66aa2b699700cc5575ae3cb3c0fc7f950d2
SHA256 17747753b3bc3ee7a91a0bfb45a6610b8c6be151ca23cb289a2056e2200ed6e8
SHA512 57ecb20c0c1cf1af34631493df8c584c833676776cbe9ccd8befda665236b468317b420685fdeba10cbc5d6824cf52b532ca147381878f88fd4e2f58d7c38e3b

memory/1632-186-0x0000000140000000-0x00000001401F5000-memory.dmp

\Windows\System32\msiexec.exe

MD5 674b9602eeed6cada44113a2d4330bd3
SHA1 71617d7d6a160a33780bb5dcd10c27772a590cf3
SHA256 fd5ceb26fdd6961024f7e10c6dadf14a4b49e919e7cf8fdf2adb27b7f2d94447
SHA512 77b5434f849096ba54e6df22efb41e78f81783d21430ebcc7b520d09172e2434c944b3222a6ce78f19abbe97ec1649533e5263ab6d5163b2077c3c5e2f6bb130

memory/2892-200-0x0000000100000000-0x00000001001F1000-memory.dmp

memory/2892-210-0x00000000005A0000-0x0000000000791000-memory.dmp

memory/2972-209-0x0000000000400000-0x00000000005E7000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 831958196870ebe467ec6b86e960caf2
SHA1 4d501acfb91e3644cfe6e8c097069dd7df5d95e1
SHA256 d078da69ab80d3435c50af38a6b6168c7775f3a35860ec31c25fcd1235714d50
SHA512 000ff5d9c48846b2f02f85a0db2c7e0ae53c2d1ba4079465a8bce8cff000169174aa8242a9cb974dda523de87b5e3e3ecdc53c53e7087700d5dc43521a64ffe8

memory/756-215-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2704-223-0x000000002E000000-0x000000002E1F4000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 5cf1b267f069427f657179c93b013620
SHA1 66cb9f4e180459eaaa220a735ac8f001b297018e
SHA256 e2d0ae4bf0d2da4918209deb3c2be76adda8e25ca60d3a511b6d9d692d6fc993
SHA512 a00b76a7c6b50b16804e33e1094946eeb4584e8861b7c9245587134cebd33e1db47e54ca823c5d442535f552dcffbf71e8d8462d317322cac51a9dd8eb72069b

memory/1416-235-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2580-239-0x0000000100000000-0x0000000100542000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 1fff765a87e3928ac8ac9a7b48e066e2
SHA1 f863b7300345746a95c83c9d1ad8c813808aefea
SHA256 d75c59986bd1f8e82156a371a968fa858719dfa88bf3db6cfcaac64352708d82
SHA512 cf77d7b2856f4aa9d221a3576c0a1d78d856c4b86afb89fe138d87c36628ffcda956c12114a45acc5247f50cea72db74dbcc22fed29d088547a17516686a28da

\Windows\System32\Locator.exe

MD5 a8d249875eeb93fc84ab25af0e93b28d
SHA1 270477b37d0d55c72753264a5a9b5c88cfa02d07
SHA256 ad9b1e5c7c7ac96a3471272167c961b67ee4c2b0c7958ccb12ba7d212b3ab6fc
SHA512 37e0f1a79bc557186425e23398899bd610fb8b72d22dae30c39ac765b20b448e03721bfe75b7dc89d148cc63b777e9330af24ebc353889ca8ad21e6d18c27182

memory/1172-249-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/2152-261-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2804-262-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/2692-260-0x0000000001000000-0x00000000011D5000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 2c5bab17ea6c2ee3e28c2b9077b35b3e
SHA1 9445f65305d0919ac41a40118a9bdd0fb23e1d8d
SHA256 6b9c249c2d3eae47d7a23e8305c040ca37f866bed0ea9532fe3910ce32113338
SHA512 c8cc7968cadca25d6676fa8a91f3346b868fc1ee6903dc1da60d68ead4b294f29fe32794219dac40118553d89cbec1593090e28c38b46955b326b703025aa9bd

memory/2012-290-0x0000000100000000-0x0000000100219000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 b0e462d9145b33071fd5f7828da1fde9
SHA1 c40eb63d003552d2cea9dd7fe2e7e0fb37a32c6a
SHA256 5018e112f3fea68dade7f1acdb260643a7bc64e75a375299349c818728407782
SHA512 1dc43b657ba35de97349150e01688aa615b4590c13ea0ab55c7c1510f5e370580b46848d5ab4a25db8ceae1d21c43917acff659b6c67e7e2fcfd3bdf577696b3

memory/380-279-0x0000000100000000-0x0000000100253000-memory.dmp

C:\Windows\System32\vds.exe

MD5 39e460f0a84d7239ae151a09801aee4d
SHA1 e4c32489a4ca39480b6cf2638bde799d77c47d57
SHA256 d5347cabf79148ba952152d0d795686528f14dd8ba05c7beefb85e6a1db73eff
SHA512 77f50389e46ca8d4f1f77450bb00546f0724bd23abdf297de973b1efc044a936967e755af45ef852d0c4c3107a624574cae94c446d77d17ad31ba9c8747d3590

memory/2984-277-0x0000000100000000-0x00000001001D5000-memory.dmp

memory/1692-276-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/648-274-0x0000000140000000-0x00000001401ED000-memory.dmp

\Windows\System32\wbengine.exe

MD5 9ef717c810e4831dc7d5ae958e6a2ab1
SHA1 3baec4954287f40d628d447cb5a2883567215c9d
SHA256 8611f2d70c4d87450c17620b5d63338b428572c8134f03c15a97ff3c715054c5
SHA512 159f9d7b18436fc7ad3c22b204b48139af4229345115a4f42ddf8d1f656afa6f7c5d199cc17e4295e79c92b877c240a7e375ef46cc21e6de5faba51a20ae0bc0

memory/1632-302-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1616-312-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2892-303-0x0000000100000000-0x00000001001F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

\Windows\System32\wbem\WmiApSrv.exe

MD5 b61af701a8aa0495a04c00ad08710337
SHA1 3e54e08834eb6d88cfd50396fca31b62367eb398
SHA256 347261d826ade28a103c01be4cf619dcf81b324ce7a32cfb4845fac596822ec2
SHA512 41967a93f0011ac0ade8fca1a98e1f7a5cb06783249749bfea6417f455335329c8d1b1ce5bb758de2b3d6c06536731b5b681617d6392d151baed99545589c8ee

memory/2656-326-0x0000000100000000-0x0000000100203000-memory.dmp

memory/2892-328-0x00000000005A0000-0x0000000000791000-memory.dmp

\Program Files\Windows Media Player\wmpnetwk.exe

MD5 0aa1acd19279b832b657dab531a6a7b4
SHA1 86fbd78002f9d4d9a3ab5f1c80f7d5af0855832b
SHA256 3b31db219170e237e6f4f440901bda5d4acda63822414d780cb5bc7e4b3d15e7
SHA512 749faa5a7e74f18542470a8e37be7f67d9ae4256eac8acf55ad5d3b23ff0891605ad2e02a0e7ea0db1addc0d211e4cae4cc5dc6119a3b21582c8c61b3d293db0

memory/340-357-0x0000000100000000-0x000000010020A000-memory.dmp

memory/2704-348-0x000000002E000000-0x000000002E1F4000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 14927bc95bdfc72c1c8026d88ce2bf34
SHA1 b5dbad3a66fc76c3a1fa2538d4cb1ccca537f833
SHA256 4bb5db9cdb2393030316cb62e2d7b017d0c0f83f7ef6819d75e1987663567861
SHA512 fb2207bdab8c604dc2bd467d1fcea25f3fe55fcbc93142dfc1c2dbc8ef56cdc1bae9d7078441609047a06f16164e8e1ddd0567fdd61382dd5ce895be987be5f7

memory/2580-370-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2836-373-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2268-375-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2856-372-0x0000000100000000-0x0000000100123000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 fdc3accd78acfa25f2074d59f416d440
SHA1 6be3cab39ed55cd25d7d915a5dc32244ff040059
SHA256 7606cc0b6e69924a1788b0393286f2fa784536a1c609da42c94e6589a61e91f0
SHA512 b7ecfbb29d3f98f6412802542568ab1b2b4f5a010923ec4b1d38cf0382bfac70b1ca1282380f6768b339d438ce2b6d10644807644e0ad7fd938ef10504517e96

memory/2836-440-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2692-460-0x0000000001000000-0x00000000011D5000-memory.dmp

memory/1384-462-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1216-509-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2804-508-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/1384-513-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2984-522-0x0000000100000000-0x00000001001D5000-memory.dmp

memory/1216-527-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2536-524-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2536-542-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2748-545-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/380-543-0x0000000100000000-0x0000000100253000-memory.dmp

memory/2012-558-0x0000000100000000-0x0000000100219000-memory.dmp

memory/2268-559-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2748-563-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2268-581-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2652-703-0x0000000001BE0000-0x0000000001C9A000-memory.dmp

memory/1616-811-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2656-846-0x0000000100000000-0x0000000100203000-memory.dmp

memory/340-858-0x0000000100000000-0x000000010020A000-memory.dmp

memory/1172-866-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/2856-867-0x0000000100000000-0x0000000100123000-memory.dmp

memory/648-886-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1416-923-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1908-982-0x0000000001980000-0x000000000198E000-memory.dmp

memory/1908-983-0x00000000019C0000-0x00000000019CC000-memory.dmp

memory/1908-984-0x0000000001A30000-0x0000000001A78000-memory.dmp

memory/1908-985-0x00000000019E0000-0x00000000019F6000-memory.dmp

memory/2188-997-0x0000000001890000-0x000000000189E000-memory.dmp

memory/2188-998-0x000000001ACB0000-0x000000001ACBC000-memory.dmp

memory/2188-999-0x000000001ACC0000-0x000000001AD08000-memory.dmp

memory/2188-1000-0x000000001AD10000-0x000000001AD26000-memory.dmp

memory/2188-1002-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

memory/2188-1003-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 5180107f98e16bdca63e67e7e3169d22
SHA1 dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256 d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

memory/2236-1021-0x00000000018A0000-0x00000000018B8000-memory.dmp

memory/2236-1022-0x00000000018F0000-0x00000000018FE000-memory.dmp

memory/2236-1023-0x000000001AE60000-0x000000001AE7A000-memory.dmp

memory/2236-1024-0x000000001AE80000-0x000000001AE9E000-memory.dmp

memory/2780-1036-0x0000000001990000-0x00000000019A8000-memory.dmp

memory/2780-1037-0x000000001ACD0000-0x000000001ACDC000-memory.dmp

memory/2780-1038-0x000000001ACE0000-0x000000001ACEE000-memory.dmp

memory/2780-1041-0x000000001AD60000-0x000000001AD7A000-memory.dmp

memory/2780-1040-0x000000001AD10000-0x000000001AD58000-memory.dmp

memory/2780-1039-0x000000001ACF0000-0x000000001AD06000-memory.dmp

memory/2780-1042-0x000000001B250000-0x000000001B26E000-memory.dmp

memory/2780-1047-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

memory/2780-1048-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 5fd34a21f44ccbeda1bf502aa162a96a
SHA1 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

MD5 c51c6b15930bcd9b2767dd008ce81ab6
SHA1 0a498dbf0e918e68481234b5474b20deee7ef627
SHA256 0aebb76e1e250d47346632c4052952d3b25861fdd54291988c328e959aa37f86
SHA512 c92e5b9e96cc1eadc70f1ad6841eff74f5de8e1403c105e13950d0858527de9d0b4ce35c88566e50074263ca8f22c14bd16c0e6cf771a307487794b837b1573b

memory/1916-1066-0x000000001AA50000-0x000000001AA5C000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 a8b651d9ae89d5e790ab8357edebbffe
SHA1 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512 b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 ed5c3f3402e320a8b4c6a33245a687d1
SHA1 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256 b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512 d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 9d9305a1998234e5a8f7047e1d8c0efe
SHA1 ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 dd1dfa421035fdfb6fd96d301a8c3d96
SHA1 d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256 f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 57b601497b76f8cd4f0486d8c8bf918e
SHA1 da797c446d4ca5a328f6322219f14efe90a5be54
SHA256 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 68c51bcdc03e97a119431061273f045a
SHA1 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512 d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0a41e63195a60814fe770be368b4992f
SHA1 d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 2eeeff61d87428ae7a2e651822adfdc4
SHA1 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512 cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\00d298bf850727afbd193a56fcf96156\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 0e3e9b4bcb5a0a4b551759aa951053a6
SHA1 5aa4cd0e34ee8863157ebb8f3250b3a8b2849bd6
SHA256 6e767f5e48af3e268539e154c2cfd8032515cd56a7bc30c5ed460b643fb50576
SHA512 77020bcabece9a46ca0007744598464a8b434cb6cdf5203efc7ac0769b5562df2f866714660116185450741379f98b4cd0d08abd6bc954ee7402e291d7c074ff

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bc466d0dbaa976eeac750328db518f27\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 cab0b9f62922b956761c1e11069a8e94
SHA1 2c32b961fe56de41fde13956d8f0c0748ff5ce4f
SHA256 c07631df85b82253302b4b38aa1a0081fb08c33a688851d7ed24cc20b554d9c2
SHA512 faae45cca0aa0b358d030dc84824e8418bae0caf665b900b937c8b5f541b8f68793fc858ebaefb8f7793caa93b6e3ab2f9b2524d821c2076c6d752e6e55dfc80

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\280fc6c86e4ac0c4b954fa90909e488a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 5105416cfb9fcc9990009e33d7088f98
SHA1 894fb4da9fcc6e0f1473fa4aa1e24a36f5bba064
SHA256 ba2c7c146b4c7e04f6e180ab6acfd9c6e2135888c1875108fbe5a22b785b8e1d
SHA512 40de1b8adbaf2dda8ed5b51077577aa2b3d7f4e2ce94e12cb6d040bd0c6519871e1ba255ed9c2baa4baa31ff4297ee6a4896a4d98ddc78f433bc46aff24205da

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3cbe2944e6de9a98006c5755801bd558\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 fd21b37bb98712b21a4b6969cfcc8c44
SHA1 13d5f2d8a3f51856564eaefc018ba40583d0bf53
SHA256 006d0ddb8830c28837eb0f8fbcb7e3f24632f26cde6802a1c2a79ad3e01c7198
SHA512 b8cf7bfe647a7c0e27aaf8bcb8437501b237c1ed08e160b997854dfd74f32328d0b0580b04b41f53de3648351597f27343ca190f2ea22393ae8baea885068fb8

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

MD5 10b5a285eafccdd35390bb49861657e7
SHA1 62c05a4380e68418463529298058f3d2de19660d
SHA256 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA512 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

MD5 1f394b5ca6924de6d9dbfb0e90ea50ef
SHA1 4e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA256 9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512 e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

MD5 929653b5b019b4555b25d55e6bf9987b
SHA1 993844805819ee445ff8136ee38c1aee70de3180
SHA256 2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512 effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

MD5 d9c0055c0c93a681947027f5282d5dcd
SHA1 9bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256 dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA512 5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

C:\Windows\Temp\Cab19E7.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\Tar4166.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 598a06ea8f1611a24f86bc0bef0f547e
SHA1 5a4401a54aa6cd5d8fd883702467879fb5823e37
SHA256 e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512
SHA512 774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 19:04

Reported

2024-06-15 19:06

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe"

Signatures

RisePro

stealer risepro

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\63f0638f85dff9a7.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{0F1D587F-0CD0-4502-B48A-EF0248B94ACE}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012c27ad456bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000382fdfd156bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd6718d256bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000976b80d356bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a6b6d156bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4f5c4d156bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065ff91d256bfda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_ca9010123910ce8fa1077666594df092_magniber_revil.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3028,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 api2.amplitude.com udp
US 54.186.49.188:443 api2.amplitude.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 188.49.186.54.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
NL 23.62.61.194:443 www.bing.com tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 44.208.124.139:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 44.208.124.139:80 fwiwk.biz tcp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 8.8.8.8:53 acwjcqqv.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 8.8.8.8:53 mgmsclkyu.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 gcedd.biz udp
US 8.8.8.8:53 uaafd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 8.8.8.8:53 pwlqfu.biz udp
US 44.213.104.86:80 xccjj.biz tcp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
SG 47.129.31.212:80 rrqafepng.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
SG 47.129.31.212:80 rrqafepng.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 ctdtgwag.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 damcprvgv.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 8.8.8.8:53 ocsvqjg.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 8.8.8.8:53 pectx.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 udp

Files

memory/2708-7-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2708-8-0x0000000000B30000-0x0000000000B97000-memory.dmp

memory/2708-0-0x0000000000B30000-0x0000000000B97000-memory.dmp

C:\Windows\System32\alg.exe

MD5 ebd60afdc0c62f8979d102c38707b7cd
SHA1 2be3cd7488fd3b2c21ffffd4fe838be8a7eea1df
SHA256 81f87768f574ccce7e5c7ee11efe2b0c4e3a6546c5773c4264af2baca27aa35f
SHA512 55a54a0c4d4065510aec8b5769a718c5b24d28b1fd8ac3e7bd0f10c08c902b6eefd43d696a79f3c5a3fdf5ba7dc568d439c8899688dd413725a57b73d177f6cf

memory/3332-12-0x0000000000750000-0x00000000007B0000-memory.dmp

memory/3332-20-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/3332-18-0x0000000000750000-0x00000000007B0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 1aaba2ff18a0cd21af3a98d5b230a187
SHA1 97a333cc8a4909e0a5037a072ea0238c618795bd
SHA256 a96b17e6360f8e3b42287180a703591509a07c2bf9258cefc0c4f58db5a8fc49
SHA512 de9444c7b6998786297baf90856823c1d167b7c973683eba2b2c056a627b4a1a49c1d5a68741ab5941ae70c733dc531f70da51ebfe548303ef0858b6d85382a2

memory/2488-25-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/2488-34-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/2488-33-0x0000000140000000-0x00000001401E8000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 2615d554dff46e4261e2d46080338786
SHA1 8efc64a3e76d4e407a180c2ca222baba2d52a9dc
SHA256 e4ebf8454605a1d886d9325eba898da2f4461ddf11bc9341ecd1020b2377cbb9
SHA512 2b34a7fe97beb1f267bd4e0d082db4b0b9d67111c4f7088c7a48a9d3107b01c2614295659082b1717bba79a9fba68759f9ffbb1420587eced58d4d032ddb2f73

memory/4596-37-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4596-44-0x0000000000530000-0x0000000000590000-memory.dmp

memory/4596-38-0x0000000000530000-0x0000000000590000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 c5e343852da1ac27db35cc15c870d6c5
SHA1 ee1da9149917c0ad15ec6d00eb4d6df4da8d4f49
SHA256 b14e9cb8460d9361f8f073ffdbeeae7a0261479989379578ca2109adc49c25be
SHA512 bcbd1e46cff6360b0d30474eaa1cbda525f8f608f5f23a8e452bca8ee49ed8b5eff0e9dcc126e81dde2d438e7baebfb419a7b76c28989f2746b1c73ba9e49294

memory/4596-50-0x0000000000530000-0x0000000000590000-memory.dmp

memory/4596-52-0x0000000140000000-0x0000000140135000-memory.dmp

memory/540-48-0x0000000140000000-0x000000014024B000-memory.dmp

memory/540-49-0x0000000000D90000-0x0000000000DF0000-memory.dmp

memory/540-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

MD5 09f5374f59db27fd0afd832fca9b6620
SHA1 8260af73a042a02f67de686026470f79a298e0b3
SHA256 48994aa7b0e7d92ee980473e539090763d92b28b38fce8bf38151d4992608285
SHA512 ff62b89816913878a73d2225340acff356c0974fdaa2df50ac65546537f6f1e075facc1dbc424af9bc62ff7b4d8f36d95b640db0a34c80602ebdf8e7baba4f5e

memory/5024-62-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/2708-70-0x0000000000400000-0x0000000000854000-memory.dmp

memory/5024-71-0x0000000140000000-0x000000014026E000-memory.dmp

memory/5024-68-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 8c9d7a27a20c75ffb8f5528fb2767911
SHA1 f7d2e294f17c800b1f337c6846dd58d83f641e7e
SHA256 f3aff267dbef8a15ea562f61b49743accd62c3e1e625d717f22b212df9621994
SHA512 8d1f1c8789ae09ffa40cf79b8bbd2b0f356a14619558c88ac3bae31560a0da2c4dedde39a7671deed10453605969f321b706e4901c22f35f0f8437b8705e4598

memory/3748-80-0x0000000140000000-0x000000014020E000-memory.dmp

memory/3748-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/3748-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/3748-87-0x0000000140000000-0x000000014020E000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 a2cad495f108febb687807245ee31057
SHA1 f7f79d3d1c7cfd0b708870d4ecc33391b551ebe1
SHA256 f04f0789f8908270ca6b5063970f95c69c1858e84e1e139fe4b0acf84f7ef3ee
SHA512 ac880d27caa0dd1c86f103096beea010ed1ffa04f3715cf329872dd03900b06aa82c58d08fbc86800c853b554a39dc372404cdfceec584a1abf30ecb08a811fc

memory/3748-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/3704-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

memory/3704-97-0x0000000140000000-0x00000001401F8000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 1459442ab93cb3cf046c81caf540c161
SHA1 21dc0015b70cef44291254f6425a93f0483d28e1
SHA256 a46a62d3c649998d79bbb08fdc7b0c0af8d6296c659a71e53c13835a8495cc27
SHA512 93da1c166c7b307e3def4a0234c21b91fb578dd9575136819dd6f3a81f6bef2fcf2b3580985b121b3d6a5307a30231b7bc169ef1f4dd34619c0ea57fc2e5cba5

memory/1904-109-0x0000000140000000-0x000000014020E000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 f6ec1925378f854853a1af3850177b28
SHA1 84f166adf1df245a03dc6f0b175c0aaff2c79d24
SHA256 11d3e86303db065359ff5e7c4f87608a9d65716475b1e66f48ada236fdd7aadb
SHA512 f9877f49ff798c3214d1a428249e48ecb8812a06ce894390353281c91796d5707bbfcde249df6adae7de6b36ec7b9b6c2853b1a0fcbcb2db154913b8cc6a5da4

memory/4308-124-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/3332-115-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 ce70b7cf89758fa29c1c53b1abcc9106
SHA1 3761e802b4c634224b0fb8d536735a9685c71c18
SHA256 9318158fcc6fc80209f8f4f48efad208204fd4713b8a52c609b324bdd3355a5c
SHA512 193cecc36f2551bd25685da783d1fbbc9312eb0176ea8605e86a5dcfaa68acdd05f3ea299776b0a2441808e4d6719506838032a1fd72730a55fc5aa1051978ff

memory/2488-127-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/4228-128-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 8783de3b8cdcc0f2d4d11c59e7e141e9
SHA1 6c076accced6b763ba69ac8ec4e19085c01fd9be
SHA256 bb6a4285716c4c35ebef21e8ac618a6b57d81e3473f8728cd399248d3cedc92b
SHA512 e27252ac31175628769179a6ef816d864301e181ec2c855bf51a4b4b34b833a1cdd3bdaafe311620c899bd00f942394ff73a9826d36d119c331b40283a9b1849

memory/2184-146-0x0000000140000000-0x00000001401D4000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 f45effc8a0ab9287ac2163c45fb4fa89
SHA1 6fd142232eab7ab1e3e2ed898ecc17b65428a193
SHA256 88fe81a0251d7df8e3f9587edfcc871cea7e01fcd47e5fb737c002a0c632a36a
SHA512 16f69a3b03f5453f87b2038eb864a1c09bfa0282c7f89a0690b08e9f545afc17fa08d8afeebd688c6b58e3e562a557847f63359007dbd61ae5a59871bb2a4f46

memory/1956-157-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 2128895b40b8330bdce10846505300e8
SHA1 912dbecb12b0a849fdbaca79dfb98da0a2254e36
SHA256 439de8daafdf0c8a93bc6684c76748e52890ffee1663e16eda1b6b1948289cd0
SHA512 84412aed3a1caacdc13b09e19f688cb8cc6c92ff9d85258866a6478b140a16ef8ff804a91a16e2b3631330e4e0432fb2d9eec2b10f90320d3203344261230cbf

memory/2652-169-0x0000000140000000-0x00000001401D5000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 fe98a7e26001369d6b66362a1308c109
SHA1 9b48755e7c3dc03591907a8fe2af6b32af07ab23
SHA256 c03bcbade20313624a1cab8dccb7683fb9996d7d1e4a5423a682609f97b7aceb
SHA512 dc1c062e76c395e83a65a0d7d86f34514219ec4891ce110204242d219f770d4f73e16e4fce62e3f8c63c27ada898de3eb62280263e6b8c47b525f586115ccf17

memory/540-180-0x0000000140000000-0x000000014024B000-memory.dmp

memory/4856-181-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 d4875381c63795869fabc7309af9e4ef
SHA1 d8278de490de8174c219f4ff71d3ea839b4028a5
SHA256 16082fc203714fb6e473ddca68402959cbba17880de257e6d969266e818c56a9
SHA512 f796e4e3343c944695231850813d06c545f1b36d93d89594a60fed386a32834a1f4de08c00515116aa207bac14f09cdff4cf674c7fd296d87d345b4ad55cf86e

memory/220-186-0x0000000140000000-0x0000000140241000-memory.dmp

memory/5024-185-0x0000000140000000-0x000000014026E000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 faa462d4ccd81384dbca0c854d8df94d
SHA1 45ba8cca7dfc9ba0810728a31aee61ec6979e9e7
SHA256 510dcad5d7b3539268e34e0071a76852ab389a10b61a37fe83808bb18bd944c1
SHA512 d2dfc92c89f8d81cb6ba22ad43ed2498acfa1dfb953588ec047da1b81025fca5d04ed04a7eb95dfa260aac1c76e3df40823d83dc1f7f64a8bcefd94098d91850

memory/4664-197-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 60a73f13ca0727e0b77e1321e8dc2aa6
SHA1 e733a58521c5b7c08bc743dde757d0642342160a
SHA256 8df8039061382f4d0e17a55a6889df54c67350a9e6ebaad4c0cafc68e92fde66
SHA512 c3d91e2e10c4d943e8503231dd01f2c6c6d669466f6e4e1316809d7005757b8077f0a3587c18c349875f4f17c664c497400a47d220ffbbcad5d0151bb24636f4

memory/3376-208-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/3376-220-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 6df8e5384a6f4edaee83f2b4c3bfcabf
SHA1 4d36627c24f0690268152c9b7c327b95baf54ba3
SHA256 b864995b8483a5c9439f8a6a0e6928d13be80956af903d1f53fb64730618b522
SHA512 98b16cc555f7c8e7179aed77ee8d58bffbc70ceccb0cc15a84e8c72e10a1e7f02fdca5bbf2aeb91cb9a5e75e4ee8c17a85a4cd7b6fc1517102fe87d2de0dce6e

memory/1904-222-0x0000000140000000-0x000000014020E000-memory.dmp

memory/5028-223-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 6c243f9d19bc1c661109155a5c1e54eb
SHA1 131d11abec1cd5ec7ca8270efafa5defa0436481
SHA256 7ac8f2f3c5bacdaa685af701c0183e34f8d733a7d0fe00fd2ffd4d78be7c821c
SHA512 d4db04a108a6fc35c8166580f7259e235d1b43dea941454f612ef340c54227ab51fb50b0d8d6a14b1cb5a65a8541e4381fa72f2c54f6b2bbff3990a3fa717cf3

memory/4872-235-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4308-234-0x0000000140000000-0x00000001401EA000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 7a94cea8c655443b3356a3c3043c1dff
SHA1 2a090f99f00f487f5d91aa193d12a7cafcc6ffe2
SHA256 432ad2e3c8c6ff3c38a8aeb1fced8693e493aa7c901825fa68d6a08e49b38122
SHA512 41d9175ec71b988f4110c819c9a354b5875145ae9020e5ae762652755d553a6856f8fc391f9f4a5bf63a7dec8e3487fc1dd033cf44ef34ba05fa68740b5412c0

memory/4228-246-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/3372-247-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 647076f2d525e9415e06722ec1d5b839
SHA1 12708130877918d0d06595e9e6adbf0ee55c6f09
SHA256 81cd55ed1c73246fdb482fb12b14acf1c9abb7bae004add271fbb35d6651bfde
SHA512 02fd9e5fd5a864024eff0b46b47ad7605eb1bbd3d1a9c8c601a1710863f2090db5c4737f1f1784d7fba125b52a50ca8ad74c4f47b1e74fc91714c52663670353

memory/2184-264-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/4432-267-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 549163f05cdac27c1e530575ec7aa498
SHA1 0ef25ff698d6e35a707ad9387049be9d1aef949f
SHA256 4bb56b899116e4a8886265c5d402c8ba32d9bbcd8b8250750191decf5c2799aa
SHA512 95e8cb026061126431bc55cede181cb34f4e612d51bc94a0d5dffe428fe1cce073475be40646cafb8afd72b763299a757d667459c17f8a64602ebb9439fabf2b

memory/544-280-0x0000000140000000-0x0000000140179000-memory.dmp

memory/1956-279-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2652-388-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/4856-471-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1956-571-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/220-572-0x0000000140000000-0x0000000140241000-memory.dmp

memory/4664-579-0x0000000140000000-0x0000000140221000-memory.dmp

memory/5028-581-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4872-582-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3372-583-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4432-585-0x0000000140000000-0x0000000140205000-memory.dmp

memory/544-588-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 3010b603956003088136359e475b8da0
SHA1 90acd0e697610bdc0ac669fa46c38824b5623f00
SHA256 f4cde7b28ac91beb58d2c615a6c467739cd9f7de42c584ceadf0aa46148a6dc2
SHA512 7d978b2bf46aad8a82a0a713f11dfb4659caf0b7c48b4023bfdf3b2d021fb019f5052e813606965336a15da76e89dbff0cd27431380a194ae9010e09e76b7be3

C:\Windows\system32\msiexec.exe

MD5 8806ddee830f0412a07da34e671ec729
SHA1 7b01d945039b9ba0efaeafa35711b07c397d793b
SHA256 e3b32cdd44efc69b69ea31e72550832820fec1640580dc6d77ddde5b097b2261
SHA512 a2d40769f1cbf5398776bc2974b9cdfb95c8113e3d339ac60140729407a6a05b492de69282a941e09911d66c85275d22d26748f5656edbd961fa85256d95cbb3

C:\Windows\system32\SgrmBroker.exe

MD5 6845db8cc331de2b9dfd6c72371eb658
SHA1 bfd49411d37faf0b2567e066cf2d8696c024ca22
SHA256 34a54511fb67a3eae4f2fc27549a44ce0d6bd0194e50d7c73159a217c94150a7
SHA512 8cafa2820d6f764db5cb5f098d837a991c5cf50f4885ee2d222202042652a1d381c104bd46baa2c612cdbb9d6be60d10acf01d396b7369f21643fdfd55ce1fb7

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 44c2eaf8cc1885e3f787a573a90d53ad
SHA1 64f8759e2e0bc28c90de743a03341c318f4fb9c5
SHA256 429fceb4abbcaa5c665faba97a210704a664fd960c3726e237ef0751cdc131e6
SHA512 e0a0e2d0916bbd7129cf67c6f2e738dc1d89066fdda098542e1952c60db6994645b2cf642fade4a6920e1faffcd6f27d869d05cfea995b62920242a17b5386d1

C:\Program Files\7-Zip\7z.exe

MD5 694f8fdaaffef30045d290e9ff0fd74f
SHA1 7fa0a4ae9c9e959d62faca7694dd7819e6391ed0
SHA256 87b3820c632410563b4bc007c6695a589bc4a86fef7c9578a2cc8b6b2b43b32b
SHA512 5fab7269743974f8c57ca407d733d14e1f9f56dba804550b5048612b6e7fd1dcc0b704b33db31de5cac80ef2702a23dc0dc04b9ed800708231cd4d13fc4b16f0

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 b15ef10b441cae404a72b44f26c65139
SHA1 90fa43a30c8157dfdd9953b674dae4f71e30b419
SHA256 c314f3bc212de5734bcfe945724779e19938424694d9b28ab9d3ebb5256bfd7e
SHA512 64532e7504551167326ef1bc6c2275a1fbeea9bfd9be31c18d3e935caaf1b71c42ebd3c8231e0e002e4eff3ff682223f9becabd514c05f7fe2601b284f62741a

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 6123a0b0346dc816f040a7881ebb25c6
SHA1 85eeb21401fd39ca25ca5f14e2d38f94d6ffaf60
SHA256 1037658f48abd5e2936181b984659732557d85956e39217999c88a6a67bbed63
SHA512 c35cbb8f7a327598e8bcabe93b5ca27b847322b964a26d71b0b381d2bf0aa4be3d4da9adaf6e8f40b245c1274b0c78615204580c2bad4f59ab1387d6534d2268

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 97ab62ff3244359e3788b8d1e11b525a
SHA1 0427b9aef606c6ba11b4ef4e342d06be70cee03d
SHA256 98aef11a26f8f9bf7a1fe6f029b61355256ef7dd74d9e83990c4383a2cd28522
SHA512 6efbb11ae03c0954e6d56504e23b91f34261669e13c3ee3fb0a42c214e9084c78fd376e91775c6f78222b1d235a80e1b4dd1610ae17125bf8fa2b5183c118078

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 31eaab896f464e6e8ebd70cdcc8933b0
SHA1 a06e38ac7ab0b69aa3d5952e8c8d3d0ff542a525
SHA256 50f869ab38099ea248bfe7b1a0490ba4be17b274e25f5ee98e68ec8d5d097731
SHA512 ca3519ba6efd99ecbdd9cb748e0625c6501419d9b464deb86ac87fab3b8fb64781ab2719b27d214ca916b3c674442356547652c87ca4d3f104dd734a461dd643

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 e394c2da00a7581216103a8f90b997bc
SHA1 47562fca047eaca446ef99bb31bb0aae74b0b715
SHA256 6272f09469efc423ecb0a885aeaeabf218ab1f5868e9302322ee0dce1d4ee348
SHA512 23cf504bb0a791ad86f3e6aa0b7ce43aa80b483c8d5800c3e0f07c5638e7c53138e9b5b69af03c982d0ed6e26ebb6a403c9a5bff0d13c335b4e41053d702680b

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 ad2c8b1cb84dd2863a21e6a6da4de2ed
SHA1 450c4497bd650567c32bbacff0d1dc2ac798d8ad
SHA256 f041a953a909c481296800ea7d0a9ea3e20e3c7c586a868e02fb5b3b991e582e
SHA512 8ea15405e0b7cd26b1db37a4facd9a05c4c8ad293e26024edc20ea607f62b1d503c3e74401527830321693dbf71f3b56c272a8103749c05e47097c3b603c2514

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 f473fb101880f583b0018064ed4a6030
SHA1 9fc2e2ec30622bea23fb7cd127d0a02f4402bbd3
SHA256 71d3a84df9bd2cb79f732ef87e12b11e475656a44815d00a7d7a0964b5821dc8
SHA512 e1e99fcf83dbf84e76977e11e9d9a517a5dd3759a1907e703326d15a3ca64c33e76c2ff538be8c63d66b86ee389f604cd7af664c744f84810c3a490cf374999b

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 8137c72efe01d0854087177a0d835f95
SHA1 88a592527bac57e892b6b200f7aa8734d9c0c575
SHA256 236f84535e7bcb2838da030a2f33a77a2a18c9960bf5f2e8d14e7fbe63f0edcc
SHA512 6def267a1ff34ec6702490da1829a07824d467e599648b21e732c178ea61b00b987e9861db8daa01335e5d294c68ccbc88c186eeb8dfe08190934332bbcb37d3

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 cd212eac698f2b7a78f42271ee7f3a3e
SHA1 7fb0d494840d4788173aa5f73970f23d42d63265
SHA256 17e9f0096bb470bdb42812cb80edb5f2666c048d8c35170beb054fa2f45d8a5f
SHA512 52cd4607be78b26696ec38d2b417bcaa01275b4e2b8bc351d721865bc7acb770af572fd2e778823bafbcfa195ea84fb41666fe257c681ff62b77be443e777d74

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 5eb3550f9907419bc61a993e1cb52b8f
SHA1 a3fce214eda9ca0ff0b15aed0c0d9bba6a674a96
SHA256 cf2cacc699b814b606699ecbfaf8b4bc21b7ee5cc38f83262b61a9b010082ca0
SHA512 ea4c53c25410f56de680c3f399524c871bc0a2a78f3a18fb81bfc8a977c0bd23eab381ecaf5467c2a404ae97e3e94a126eeb095395583f0298c9d730c6399cf7

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 2b674b6b1f56768ba8e124a10e3a5280
SHA1 61c1f934675e86dc81e67e1924374e7f735765b9
SHA256 80d8405dca0db072789ae2e923def915e15f48a98e334c866b46109d0b1efa8c
SHA512 57099ac6b771167f2df6233b791151611c7ef0a78c620b928e6ee6db16f9b04fd1af5658b7fdf618cc9a94a71b689e65374bc0e591b1d81caa809c02cb88ff3b

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 fb223b4b427e89c42531de673796bffa
SHA1 eaf4246f2bac6edf68baf2f1fbe63de4f016d75b
SHA256 9c4edb68a412c21896585ef725af4c2410d291e1d27dc13a476cc7e9cd6c7009
SHA512 a526a901113e813ea3d14c020ee2cc7e068ddb28ba391a0797f554ce7623922c7cb0259608070a36f7e532c975cd646005009cdb2dd7ad56c1a1d9b65eb34e38

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 6f8255f88471333383f5edf71a0da4d9
SHA1 77a13c376001ededbab571009b009c3d4eecb1b8
SHA256 307fb00db76813545cf58a8b01f355e45207076e23aa432e530133fdbc8c29f0
SHA512 e7ced4a5bf9d0fd10c46df1f37dddc0eb9283052ff60857241c7c50777309ca937bea6130f134e7524111b562acf8c8ee8b6df19518bd7f22805c6679ad619c1

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 2ea5b4cfeac543862663bbf3745c9f1b
SHA1 1e0115d14732f496b1bde00a995a7abce505cb60
SHA256 2f301d3b7a3926b2e35512b590d46eabeed960e1f0c19f637165db77b1e1d6a6
SHA512 034e90ec3fd97afd4e736e3a09e28c0a3a3b0c5c0079d52fb3c3cb457593da50b4dba77867b9aedb193ed3b3fe286a41f7dced9fb6f2cd668b006a0a18d79e77

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 5cc64964fc547176c4b8ce9c9055f5bb
SHA1 d37cbf543f8b9fdee20807952fe339043b0aa667
SHA256 6082f6c2ce5c1c9f31c62f8e557d23eb2f23bb8025b8b4bba22e1a2022194ff7
SHA512 b034c79e700ef1f7316e2ef6b27ea33f89f16e89ef43ada4f3502336ddcc63e26aa6cc41151eb6cf95ff05d8776ff19378e2397684bf06cb57dc9abe1dd4caa9

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 38991a3de06e1a2b2cd0d887a6117e69
SHA1 90b77069edeb5a7a398e5791ea05164aaa04fbad
SHA256 d06088305c45bd5ba4b960072dca53faea63a3dc4b72874346ce1737e91eb892
SHA512 11d9e362cf867db281a7cd51d58003e4e1eee43d9311c0a29416f4713d23764be8742109c2a4328a664fe40fbc888bfe04d1f4ff2d19780cdb5d05059eaa99a6

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 1d29e6bcfcfcf949ea9a313f7612a4f1
SHA1 416eebd974a9d3794071c85ab39079b1bc809f0b
SHA256 10005bf412f9680e1db9cd8a246c9d92fab33ca3b44e9c38a7b5653df5e20fce
SHA512 2a14b5a44e3e70d18ab8c26950ec0338a654f2cfb9d5e480d23b9db40651d5e41a60fc14aa70db345ab427c6c6a6245f9196bd378e4dd438a1c3a33e708a522a

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 0e7e36b8dfbb7dd5e27e84ffe8a2f386
SHA1 c154c2220a6fd5f87ef7c9bda983d86c2ee0c6f3
SHA256 40a749fe55dff0920a2066cebdb68d3991e8a872c76de810208fac9163c82a21
SHA512 a9dabf86c95953250f071f0e0e7ffa418ffad7ae279e031ae1560bba54af40f6bc46bba70edf509ff668da72108a5df8b573496ea83e6e1a54fcb31bcf80792d

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 b22ba3ed33a5c65ca93f9bc2c26a1c98
SHA1 b9d3b6ef98a3a0dcf3a7dfbf09a8fae06426ad68
SHA256 948cea6f79426507382dccf9c4de70b8fcf1e2c961689ca1250d52bc858919ee
SHA512 efa9dcc9753fd1cce75bd9a412c747dbcc1ee5fb6aa6d91e2b3d2715be30cf8bbf55b35d7b6777028b6a6f9b8d593090cb46c6c82368c2ab90d25f9145b6f9d2

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 7a8d87389888432a885e1613c6def16e
SHA1 6fece38fce12c657987fc04e977beb3f65e33603
SHA256 f6eaff6407c79434a3180127d9c4161b8168b60fe88fa87666cc0756983a4704
SHA512 480f96440f8610028316abb7e935366ee9218c44cea43fbd4167a0df7327ad2d5ea57037ce27befe45d16df640899b8f854fea04bf784caa6f2a2e557a033a76

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 6b2460c01818f98122d0a483d0cda08a
SHA1 19eae14ddfcfcd6fee45bc3b9a5f94151bdd7fda
SHA256 b4108de0c33680f3d34d9d20fb91815f004f363c1401de48abeeccbaa0894529
SHA512 d8ef394aff4611359d9c6fc004d619f3111b5b26eec5a0918191cbbbaee15c78a6dd7fbde193ebfa42ae6adf449d71bdbe4b399cdc53152a1c557e87d474791d

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 da693d33188f34a2ab323b492f9c7dbc
SHA1 e4ad1b5da8658fe04c7882d2187712e01f6446b4
SHA256 54039e915bcff59a15bb2a8c9c4fe9ac3a0fcd93243ce0ea9d4d51c0806b1e7f
SHA512 dc62e4eb984975c42458f378404bb7df5aadab35dbefffb5170a4136f5a3305831cef032e96795202c9ff46f8b8050c05c34b51e5c78acdb0a317d5b44fb4daf

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 2deb5459f40b9312871d5728200a9d94
SHA1 20b96a96618f42f5865fe0f524baf62f65f11521
SHA256 7f6d4aa1bba6a055735196029ed71c937d4c83ebabf69604d1559b97b25581c7
SHA512 f36603fd004f44c5f57ece78b0b29a71df1925dc4eace4272c72fa0e7ed4326dd2b483f11b57f8244978c20903a7c19323b6351ee0ad059ade125145e3e903bc

C:\Program Files\dotnet\dotnet.exe

MD5 120397b15377693bd3586e566eef27de
SHA1 be932151015233109291cfd39701e856e2210bcb
SHA256 03194b958da72ae3360e89276dbfaa5385f2fb9d1716a986770a2ac8ce12593b
SHA512 4e72ddb54c5f95b1c72588f0e70ab56868a3402d1a91ef5060ad498a165a140d79bca189ddd585c972f5aa11decc45543444dd9f59a32604b1896e7745cbbfbd

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 27e5c45a6aa12183661e643f48bc32e2
SHA1 9271209de264adea1455fe8455e822ffef7b5b89
SHA256 1ba1ea7e901a8f670b728925fffa5592ac0aee5ce853ff07bb757bc7ac4bb394
SHA512 b5a0d7fd66e45af82054e56ba7f267277ba2526fd6e3ac0889dc9e0372a3f82da5e313596400fbdc2dc7ba9ae633660998fcc9dc61e1f481339a2763015eafc1

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 e720d4dc9b79968329d9db09fca15376
SHA1 bd33ddbe852c0597f0043457b6fedcff48ef6dbf
SHA256 60a7d2170674b4432845ca3845010fa9059416ab39707cd04fcbb8ce240de08f
SHA512 cbca9fc85f57dbbbd0e06e797858bd5bedde5d8d0e471054c21412c7869ba02d64a9b995afc27afa099d12e2b07a178c57e56107745a7fbdb1145fc8aae3402f

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 34c60afdab4e9a88bf21d9d5c08693a2
SHA1 c74de3074baba2001fa18c3b94379d18609ca5d8
SHA256 b7364c7773d558a048589f3019b84a5f5af58826f6e7382310e638f6ead9f9cb
SHA512 d3edbcd5c7605f5dcc2a3b2a068c243928e91f16de0064a4c2f5646c785001deb0a185c75b6dd0ccd03b80044e04019f2c3425160c67c8ad40aba7f144d7c2e2

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 5c229c76f4ec596e1c6167035c1bfac3
SHA1 595adb810337df143591fcd5a16b6fb9679980e8
SHA256 7bef6e7dfff74bb6359e02cbf6b082f0d6a67db99ad5fa6df289a9a932130f5a
SHA512 233553e220928963d9472c9a12ac14514466d3e02d1c797c35f7ed96c85dac0d146668f28cde1c4ff850582328255cefd10e0e40d90df5f919d43a7e2e42c57d

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 fba7f85e616cbf8361cdc4c7da093a55
SHA1 d9bf214c42dbc60d18642ee9f5ee9fa12ba15583
SHA256 1c0924f637dcaf3ae6665a4205b474fc7186f3fa1c69b2d9cadaaab2e1dd56c9
SHA512 165398b6a6e6f61e3debc9d626da35c72b3ba9a9807f7abb74b7afd8fb2282d7fdee8573e7f9a17e67eb0e7ba50ad90196df36155691f8813dbdc6c450313f07

C:\Program Files\7-Zip\Uninstall.exe

MD5 f29cf6f9b4423214b606f356a42bfa2a
SHA1 594e1f8cc3725321fb5c2dbf8b6792902f09da72
SHA256 c005fe71b1f0feaa636269108177cf727e35d35745cb2912303e30425fe61091
SHA512 ced9c6394b9cd443d684af5c38480bb3f0b09cb73c675475237e517c684d37ff29cd0c16dc38834ddc78659277fade9846817dbd8c01e1521119cbd325757c2d

C:\Program Files\7-Zip\7zG.exe

MD5 897c6664b85cbd75e6123231b9994136
SHA1 5ed9519e0b9f880dcf027e4d907cfcd4829fbdb6
SHA256 17e9a98741660c142509237808bb5e850bd65671def1bc0ed5059a0c4b053349
SHA512 4a73c522409579234adcc289a583f793826fb61bb0ccac8695155655478bca8e785d5f1700ca25e862360afc66ba91996a6a2bb252d9d72fe9a4676b55c74cc7

C:\Program Files\7-Zip\7zFM.exe

MD5 f2fef3ff9fddb1226597515e1a9184a9
SHA1 6543e06be489f6f398dcfd219f0e5f0f0d1f1ebe
SHA256 401d904b03f84ec603c4faa9ce1f1d4b903da6fed465658ff9aa41fdb90d6c59
SHA512 70c7f0411381128d7812b50a5673338257aff5616cddbb4b7f90f9e14c760841f18f7ac4f3ea95f37534185031a41d0f4bc6984ba0b95bdc327b863f213922d5