a8fe36dc25d3fd63e776810ceac866ab63121050b72f8b5aabfdfc1e6f5e675d

Analysis

max time kernel
51s
max time network
158s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
Size

24.3MB
MD5

39e27086f2631f2c54cf75a3572e9ac7
SHA1

5643b341f4489bac9b8e5e3ac81bf918addcb04d
SHA256

a8fe36dc25d3fd63e776810ceac866ab63121050b72f8b5aabfdfc1e6f5e675d
SHA512

d8b9f94737f1a4490e6e6ef7b5b2952a86f86eb7649ae17dc8180a1f70bfc0c911b4d5570f6f6a42266b9b4169b109222e249f5a0c2a15bf2a663160c625a41c
SSDEEP

196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018hQ/:fPboGX8a/jWWu3cq2D/cWcls1h

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
468	Process not Found
2620	alg.exe
2692	aspnet_state.exe
2732	mscorsvw.exe
2324	mscorsvw.exe
436	mscorsvw.exe
816	mscorsvw.exe
1916	dllhost.exe
2728	ehRecvr.exe
2304	ehsched.exe
820	elevation_service.exe
1760	IEEtwCollector.exe
1636	GROOVE.EXE
1532	maintenanceservice.exe
2400	msdtc.exe
1704	msiexec.exe
2608	OSE.EXE
1944	OSPPSVC.EXE
1972	perfhost.exe
520	locator.exe
2844	snmptrap.exe
2464	vds.exe
2800	mscorsvw.exe
360	vssvc.exe
1428	wbengine.exe
2168	WmiApSrv.exe
1720	wmpnetwk.exe
2220	SearchIndexer.exe
264	mscorsvw.exe
2776	mscorsvw.exe
2508	mscorsvw.exe
3052	mscorsvw.exe
548	mscorsvw.exe
1452	mscorsvw.exe
1568	mscorsvw.exe
2532	mscorsvw.exe
2860	mscorsvw.exe
1740	mscorsvw.exe
2948	mscorsvw.exe
1568	mscorsvw.exe
1672	mscorsvw.exe
2452	mscorsvw.exe
1588	mscorsvw.exe
1568	mscorsvw.exe
1220	mscorsvw.exe
896	mscorsvw.exe
1764	mscorsvw.exe
2828	mscorsvw.exe
620	mscorsvw.exe
1516	mscorsvw.exe
1316	mscorsvw.exe
1360	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1704	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
728	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\67eff9428ab55808.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\CheckpointSave.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5889422B-4E7B-4F63-944F-9F172CF77CBB}\chrome_installer.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1121FE94-A5C8-4684-A084-141281E444EB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1121FE94-A5C8-4684-A084-141281E444EB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090b65c017fc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f07d54007fc8da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1544	ehRec.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	436	mscorsvw.exe
Token: SeShutdownPrivilege	816	mscorsvw.exe
Token: 33	1928	EhTray.exe
Token: SeIncBasePriorityPrivilege	1928	EhTray.exe
Token: SeDebugPrivilege	1544	ehRec.exe
Token: SeShutdownPrivilege	816	mscorsvw.exe
Token: SeShutdownPrivilege	436	mscorsvw.exe
Token: SeRestorePrivilege	1704	msiexec.exe
Token: SeTakeOwnershipPrivilege	1704	msiexec.exe
Token: SeSecurityPrivilege	1704	msiexec.exe
Token: 33	1928	EhTray.exe
Token: SeIncBasePriorityPrivilege	1928	EhTray.exe
Token: SeShutdownPrivilege	436	mscorsvw.exe
Token: SeShutdownPrivilege	816	mscorsvw.exe
Token: SeShutdownPrivilege	816	mscorsvw.exe
Token: SeShutdownPrivilege	436	mscorsvw.exe
Token: SeBackupPrivilege	360	vssvc.exe
Token: SeRestorePrivilege	360	vssvc.exe
Token: SeAuditPrivilege	360	vssvc.exe
Token: SeBackupPrivilege	1428	wbengine.exe
Token: SeRestorePrivilege	1428	wbengine.exe
Token: SeSecurityPrivilege	1428	wbengine.exe
Token: SeShutdownPrivilege	816	mscorsvw.exe
Token: SeManageVolumePrivilege	2220	SearchIndexer.exe
Token: 33	2220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2220	SearchIndexer.exe
Token: 33	1720	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1720	wmpnetwk.exe
Token: SeShutdownPrivilege	436	mscorsvw.exe
Token: SeDebugPrivilege	2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2964	2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1928	EhTray.exe
1928	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1928	EhTray.exe
1928	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe
2216	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2800	816	mscorsvw.exe	52
PID 816 wrote to memory of 2800	816	mscorsvw.exe	52
PID 816 wrote to memory of 2800	816	mscorsvw.exe	52
PID 816 wrote to memory of 264	816	mscorsvw.exe	59
PID 816 wrote to memory of 264	816	mscorsvw.exe	59
PID 816 wrote to memory of 264	816	mscorsvw.exe	59
PID 2220 wrote to memory of 3016	2220	SearchIndexer.exe	60
PID 2220 wrote to memory of 3016	2220	SearchIndexer.exe	60
PID 2220 wrote to memory of 3016	2220	SearchIndexer.exe	60
PID 2220 wrote to memory of 1124	2220	SearchIndexer.exe	61
PID 2220 wrote to memory of 1124	2220	SearchIndexer.exe	61
PID 2220 wrote to memory of 1124	2220	SearchIndexer.exe	61
PID 436 wrote to memory of 2776	436	mscorsvw.exe	62
PID 436 wrote to memory of 2776	436	mscorsvw.exe	62
PID 436 wrote to memory of 2776	436	mscorsvw.exe	62
PID 436 wrote to memory of 2776	436	mscorsvw.exe	62
PID 436 wrote to memory of 2508	436	mscorsvw.exe	126
PID 436 wrote to memory of 2508	436	mscorsvw.exe	126
PID 436 wrote to memory of 2508	436	mscorsvw.exe	126
PID 436 wrote to memory of 2508	436	mscorsvw.exe	126
PID 436 wrote to memory of 3052	436	mscorsvw.exe	64
PID 436 wrote to memory of 3052	436	mscorsvw.exe	64
PID 436 wrote to memory of 3052	436	mscorsvw.exe	64
PID 436 wrote to memory of 3052	436	mscorsvw.exe	64
PID 436 wrote to memory of 548	436	mscorsvw.exe	65
PID 436 wrote to memory of 548	436	mscorsvw.exe	65
PID 436 wrote to memory of 548	436	mscorsvw.exe	65
PID 436 wrote to memory of 548	436	mscorsvw.exe	65
PID 436 wrote to memory of 1452	436	mscorsvw.exe	66
PID 436 wrote to memory of 1452	436	mscorsvw.exe	66
PID 436 wrote to memory of 1452	436	mscorsvw.exe	66
PID 436 wrote to memory of 1452	436	mscorsvw.exe	66
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 2532	436	mscorsvw.exe	68
PID 436 wrote to memory of 2532	436	mscorsvw.exe	68
PID 436 wrote to memory of 2532	436	mscorsvw.exe	68
PID 436 wrote to memory of 2532	436	mscorsvw.exe	68
PID 436 wrote to memory of 2860	436	mscorsvw.exe	69
PID 436 wrote to memory of 2860	436	mscorsvw.exe	69
PID 436 wrote to memory of 2860	436	mscorsvw.exe	69
PID 436 wrote to memory of 2860	436	mscorsvw.exe	69
PID 436 wrote to memory of 1740	436	mscorsvw.exe	70
PID 436 wrote to memory of 1740	436	mscorsvw.exe	70
PID 436 wrote to memory of 1740	436	mscorsvw.exe	70
PID 436 wrote to memory of 1740	436	mscorsvw.exe	70
PID 436 wrote to memory of 2948	436	mscorsvw.exe	133
PID 436 wrote to memory of 2948	436	mscorsvw.exe	133
PID 436 wrote to memory of 2948	436	mscorsvw.exe	133
PID 436 wrote to memory of 2948	436	mscorsvw.exe	133
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 436 wrote to memory of 1568	436	mscorsvw.exe	77
PID 2220 wrote to memory of 2216	2220	SearchIndexer.exe	73
PID 2220 wrote to memory of 2216	2220	SearchIndexer.exe	73
PID 2220 wrote to memory of 2216	2220	SearchIndexer.exe	73
PID 436 wrote to memory of 1672	436	mscorsvw.exe	121
PID 436 wrote to memory of 1672	436	mscorsvw.exe	121
PID 436 wrote to memory of 1672	436	mscorsvw.exe	121
PID 436 wrote to memory of 1672	436	mscorsvw.exe	121
PID 436 wrote to memory of 2452	436	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_39e27086f2631f2c54cf75a3572e9ac7_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2e4 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 280 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 280 -NGENProcess 300 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 280 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e0 -NGENProcess 300 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 308 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 280 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 2ec -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 314 -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 280 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 280 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 324 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 304 -NGENProcess 32c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 328 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 304 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 328 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 338 -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 30c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 328 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1e4 -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 208 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 208 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 248 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2e0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f4 -NGENProcess 2e8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e8 -NGENProcess 308 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2bc -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 30c -NGENProcess 300 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 300 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 300 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 300 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 300 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 300 -NGENProcess 358 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 368 -NGENProcess 2f8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 368 -NGENProcess 300 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 2f8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2f8 -NGENProcess 34c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2dc -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 374 -NGENProcess 360 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 358 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 384 -NGENProcess 2f8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 390 -NGENProcess 38c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 374 -NGENProcess 2f8 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 39c -NGENProcess 388 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 38c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 2f8 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 384 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 384 -NGENProcess 390 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 37c -NGENProcess 3a4 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a0 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 3a0 -NGENProcess 3b0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 388 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 388 -NGENProcess 1a8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3b8 -NGENProcess 3c0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c8 -NGENProcess 3a0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 390 -NGENProcess 1a8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 1a8 -NGENProcess 388 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 2f8 -NGENProcess 3a4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 3d8 -NGENProcess 3c8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c8 -NGENProcess 1a8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3e0 -NGENProcess 3a4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3a4 -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3e8 -NGENProcess 1a8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 1a8 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 3f0 -NGENProcess 3d8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3ec -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 1a8 -NGENProcess 3fc -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 3a4 -NGENProcess 3ec -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 404 -NGENProcess 3f4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 444 -NGENProcess 448 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 46c -NGENProcess 45c -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2232

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1916

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2728

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:820

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2608

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:520

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1124
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e693ddf50f2e4abd91363d81b39f3eed

SHA1
164f9819ffc1c66ca139f47362738f32d9679ac0

SHA256
06e79a9d35285695908dcd0b967345ed42770068813084a272ce23ceccc2420e

SHA512
d09662688d0b587b05a458c78dce39d0994ffc132de8ba7033bc29286303d871274f569d67908704bf6220076ba0401c06c22259c4b6f3ab8aea24523ec5ed32

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
65c8fcf8810c15d3c63eebbf462535c3

SHA1
ab5c27caa5021e8458f376a8fbbd4d2608e1e82a

SHA256
d69310efcd94cee12f512fac3747797e4001857ff931a6caf3a309cd081dae0e

SHA512
ec44d3281430a2d3b094cc3c42ff5e11813d6d992272e64e7d44a82bb802669ad73857c1787beb5d336044a59224ca3881ee7871a0ff356cb22d8c897be67e61

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
97e2f067a068c2406e89c731538da3e1

SHA1
1ade2833ee8c9647798d5123fcd9bf9a504524d2

SHA256
ea08a908a8907d2aaed4df4f44c4c2bf8eb5f3f9598d0a1b0a6805753df1c64d

SHA512
e095259721c2ae3be9a91237c9756a266467f72973395dc04d0787cf3934c1c28440fc9645d4d2dd9b8bce4b9de8e6b400181bba8ae9765affd31c7634713339

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9c5d5b8bedaab258fdf254018130e769

SHA1
6f2399cacba0fb053fc3991e4adcb8a483f8576f

SHA256
f08bccc8010e87da6642bbffb78a03886449d869041a5eaceb768562a2a55a1b

SHA512
fb230b0a6b0b038c5661979d4a77ee6cb01864d1ed9fc9055f8fdb9ee6d5abd60b08897f462db2dcfb921a4a3ac746b5790420a9575f632315551497276b0f8a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4f219af66be1af062fa0f0bb68e6d667

SHA1
0dbb09dec2a4651397a658480204db816df6bb62

SHA256
b47814f6c414598896502e76cd0752e05889b6a6892c498094e766957be60211

SHA512
50c5870b5e3d0e612f6b961e63d91487b564c262fc90f063facae21673b4261d02e5009c515bf31009c0a0fa97a059e918890786b1e58f86f0bd4e833afe6e18

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d55b93d6117c493dfbb72c636253044b

SHA1
22e132a9bcc5d2b5bd9afe1abf96e1e1552dae97

SHA256
1a265a9d0fcab70215321561aab8332463e7fe19edbf52c29b1daa182ed5f6a4

SHA512
18ff367c8a3a70ff0571dd5888eab22a99a9852df09e349cf6cf5e1495470ac9373fb43796d1355a2cdc6ab211efcba41b642b38ca663ced5b345d6dd94d2768

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6055cf892a89d7a80ac91f0125a0a6fa

SHA1
5af1dedba22b09023d03de76835bc4768bc83c6c

SHA256
c7ce31c965c402bd66d9dc2e42f0bcc29779308c94a2d0885da493349d464b99

SHA512
cc37c0078e792b93ac75d4dc4469dab3cfde4dfe9c64af8a4c0284b183f9ea9949baf11b3cef646e778af91ea9b7f4fe4d82a531098cac595ffbe335a841ed6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
150d3eaaf8c1e678da5662c8cd021e54

SHA1
42f3bb3fe1bf611f5eb3295ffd71f9693cbeee22

SHA256
5312d472640dd913f93d445ee78a94bf2da94a8927744543bee93c52b8f0ea73

SHA512
dcf3727b048e2e129b10ee38867465c04dad36055c1b5ab0ee53d2269626319bb2cf644df7a22ada36a90fe5d8e7ee6d227b1d5033f0a0ab9b03987f7bd20452

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
598a3b7a3f54170cc645405cf7cd1d45

SHA1
d6b782c07332d32660f6f2082bbffeaf955c8a9f

SHA256
0fe12f0e9139923f372fbdea18b0aae5cea022928e2b7d729399832fc205b749

SHA512
02b43b5092bbf68f65b79b0cffa674dffc1659a20bfbf4593e6b1f3d2870c9942494ff9fb5ca93cbac0d15957840d34087cb900f0628031ed09d0802f4171f0a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
5b79b4b3f72d8672a9d05e08c50ff023

SHA1
edbe1ccdd253161ff7e78ed0e088f75c2c17c41e

SHA256
2f574268cc7684983ff21afcf039f19b4d46d672726d31ea6c1635b897580af2

SHA512
26869c4dd1a16cc45d0881c4f14e678920b7d61053291f49569aea3f0938387b482cbc014a5f2e69ecfa0e7ed1cbd408291f948058254589c12d73dea89b2fd6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
bb51af906d6d7e42fc49baefcf79462e

SHA1
3958f160a8104bb6e64e61500d97fdc17cbfc6d9

SHA256
da5b07953a40a78d6fd6de6c8ff1520d062532071784dd97ad5763f6ffd12818

SHA512
c6612824bc0d49dc45c7d181ef0fb5d4a42fa29ef884497abc3c8361062bc79acbf0c6616b12357507cede2ad7b6ab319d66476abcb6bcd558e668d04f3d1c81

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4e80c8fe6926167fe5df21e0a1a3b371

SHA1
b552da3d8a7d6111313c800f77c6e87485582987

SHA256
fbfd9f04930b214ca8e0d767d3c064623823cad17d6be028fc0c64346c2ad107

SHA512
1d936b50482b75f6fa7bab7585ff20059a7f29a7e5a83835c74915236d5c819f5c8d8c63d63626a202c6e93edd9dc1d9caa17f63dc05df9b670bbda6f22cbdea

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
14926da68d8f1260594d36e3b8d55ed5

SHA1
0e87f821766eacaf961cbe11c1341e35c2a807e5

SHA256
ad05b32b763085500d61b2a9f173f8f1d573455a19b59fbee7642d828d505421

SHA512
53068b2c9eaff0994b0bd5969eefe96718eaf735d06f1d9022111bfc36b08b23a8b8ef003b45b382c57330c735e026596b617e2b2ac75e3363d6270edd28e511

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\67eff9428ab55808.bin

Filesize
12KB

MD5
3b322fd655190f190c7ab883fbbc2827

SHA1
88e52033d2373234773d1ac70e04b968a6f10d1f

SHA256
27f84d3862f2f09c74fb277c3246f7376e3f48c64348607cc2946423182e52b0

SHA512
3255539ef8549ed49f214469b91850b7cfc09c25f5644fab28a0d538c64f2811f69afa1d2a57189be72b2e224e1f94ee5cd16214652fc9b635f07196f89d31cf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
a9cf2d0ef4a9df8e77972ad6bbe349aa

SHA1
92c1e9d4a9223249cdc56ddd07371b367e7431f3

SHA256
05ed54bf977750d68f116bc9397fbbeb8944ba0a209a8eda4ccb0ec440708ae1

SHA512
8caf06e3771a1375f077b41b0da5f66f662f67457bfdd142830d34e0c13ace2e369b6db42d2b35183631f788d51f54bfd745d9f9dae0dc603c0c4df3f30990ca

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
3b81e1991b8ad4ceb1e4a0ab205c60a5

SHA1
d6d15486865806a651d129857b8bd4ceb9262511

SHA256
ca64f3a55b811f2c521adbf6aef6a7eda441a82c06f5df6f4bbbe33e38ef5523

SHA512
812d08ac34b2dcb15c49d75c0783ea90d8f39aecaa0ce20d8cbb39e96a81541012b6f13411d887317f0d7439b1cff1c9a177a73bfc8835546569362ab3924f06

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
740a7d48a48f1bd5f8d80ee6bfb1657a

SHA1
94ee24c2802f00d655310cc77906c2b1ae5c7a2f

SHA256
25cff0cc89c351318994af38c46d59d8b3e626e6efb23287230f8cde46d9731e

SHA512
13f0d9058be91c0fb4c30f6745cbb16f1c5a57b3c0daf2a2a70a80a55a56cedc55f493741c4b8aa964684ed4a0789ef7c8411775e12f2461c1dc084393d8474b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
e9c3a1d9f70d7695f1b8d8385f720e27

SHA1
001b1fe05c39d00435e638b0fac45994b73d6ae3

SHA256
9d24ad07d1706c8dbdeaeddf89e88bfec29b990de390b1012d5065affd5ad525

SHA512
ddb91493df72af6faa250013986ce6039c9103e24e146c190bf84837a24942dc9a6c33944fa2078439e785198643e11bfce3fd71f1a8b061debb24661f709a99

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
b6c508dc533791dfd81e4f23ce7a244e

SHA1
5414b9d2d8a1f6495859ce6049f30a4a78bb34fc

SHA256
e178be7a7ca3347b795498cd7344e82495e446b00f4bb767df1a75bb65f92f72

SHA512
9c4fbb381ad87cf31905799dbc09959a6e8bb8ebf52460e4a956c8744f1e9ab9b887739736b9c4a71fde69d031f213a57764392a7d6d810880e839c81206f787

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
5760f5cb7632be4b6c907b3d5dfabc4c

SHA1
d92c7d8ee3afc88e2e973e1e9f5ec428cc758d8c

SHA256
9446bef4f3a20ba86c8526a2f75cb5f5ef83f773c04b1da6fc08cd1705b434bb

SHA512
12a70402e0636adb31024c22abe67a8289c265076830473cc04f29ba09d46fe974c255267eabece5b101f5ae7cd26001ddea28505aaaa5aa9b0bcfcb982afd80

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
844c0d0cf185dce46ff2ed7c421fff78

SHA1
902a5136e2b350e6728011cdd450d1712ebd6b34

SHA256
2a5cffcc37f70a2d437c82e7c6efa91b6c676823981c12d06536a86826793345

SHA512
9412fafbf64089aca93d8bb4ea62710af007417c6ca9c2c424616aacd838e532fe426bbc60d7c9f24c206a40b92b250b5f83c499001e50f523488acd128f8f77

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4271ec16b3c41bf74dd6afac29f56ecc

SHA1
7ab0c72cc2635b9000d52021d41080b3af4ef057

SHA256
2e1b1e3199620f534b56cbb60cbff058d4f6df0011903adda8797ed1b44b7188

SHA512
d267226539d3146cc7ffd8add446a47049642d9ea2e5ded8a72a38ea90c4bd61a625d9ddc1ffa17c5c6ff31f90e0a8685570cd0fe1d5390e623d0c0b01afc971

Download Submit
C:\Windows\Temp\Cab9CEB.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9EFF.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3966bdb4e33d095719aa3b05ae3a0e0c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
9125ff862bf385447d641a7d43e79665

SHA1
70400911320f1d6095da5284447fcd7ace4d6ab9

SHA256
6b7313d4c49fcb2ebddd53b33e87f4c96b376e47e49f7a591cd9aa71cdd512ab

SHA512
edbbd265ae34827f9c67250dc90a8456caf30ef62b7d44c1a3521b02167887e15d28fa7f31f82aff3ae4ee4bbf3acfdba330677e2ce3c22fcaafc4db7d7873f7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\789a705c90c6b211f370a6d4a7bdfa30\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
b96a160640877b2bcb731b7389678146

SHA1
aaf895b3d949face5cd7075070a0d857b0bff8ae

SHA256
73e9194a73a9ad23787741ee0c25a9afb45a7078530d553249ac5a9e8730bc78

SHA512
35e2be5c7bf2d121a546dd7aeac2facecfb1049fd8705ec8629420a05cc00068bbf65c9e3c47958d56f046ce19c72c383c224990409d543d6b92cbe0bfccbbf9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\910393c6d6585e08ce17cba37781d18d\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
6b97e9f7e919586d931af575b0a4c4ee

SHA1
b0309467e36ece3ea42b59f4c1769c18ecfc82a3

SHA256
cb09014a5b6215af20c2aefc113644a0e7571368b660a468bc86646c4c85d732

SHA512
0815e4506e79286a5ea33ba2dcc3af6caa168b6a77308a8e142aa37aaa666fb584cdb0dbf5d44c9eb5985e75e826c2b7a1c7a40be0d4a7f3318e53591060de4d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b4657ff8c0b4ff01e81fe706598d7574\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
90fe83267d0700c3126eea5fb155d523

SHA1
fbbf2cd874e8391d9e8a8c1877022cf1e5b9cd0d

SHA256
bfd5563e07d3710a7db96ad2ea4e947a349ca978cee01b5becbc974bd3dae77b

SHA512
ba0fa11ad94f72da51c2b078c80e9657227b0e6b8e99f187218efcf8e68c8111126ad7a565faa3d780cb95d6c23103bb41cf159ffe40f39bfa8d1d5c82713b2e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
6924a8f48d3f45fe3ab0f9f21c50c024

SHA1
b3670005c619180f6b42ed231e81719997e53c63

SHA256
49efc7de72c4e6451ddfa2cecd6d7897e615844efa83092f6004ea0b81504e96

SHA512
b57f85e92bf8cbd89b7154522d93f6305555ff0ab0b102cece39d9fff7e85e41d584deb29d2210e63d79dc1ad724d5949d2396fa7eaaa9510f88c98e4e071cae

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
31826d1039bfc10f15d0082951a72748

SHA1
9fea11e343fe9e88fad3b21526550e54e35fc893

SHA256
abd1ad9486f02cb77b79ee6de98eea854d46e270eae18145735703c358979160

SHA512
9def4d208d1308c215fd85bf1986738442f41c12be19260f134b83e003d02eeda4ee0fdd03805b4fbf712e76d7b27d6c6c8973c00c76e00679a04e48989af13b

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8ba9c0bf79fb93c8cbe24e54e8d058e9

SHA1
6cf81a14a45101c55808a8973f62a09b131f1c08

SHA256
99b48f4864e21f1f03216c96ba8c7081a4e258871b6008623dc31c362a66873b

SHA512
ee31f5482adc400db43a14cf22578b12f10b1f1afea58a617b544881aa08ab6e079067693fe41db35878cefed2b13b415b1f625ce192da845c0575434b89d651

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
e3a152f04b7ed20c19d8fa9be08cc0de

SHA1
ebf0c53bfa3ed32031c37e78c8072ae2c960e58b

SHA256
b90690ac671bd531184a1de0f470a1a8a8aa4b30f741a528885f5df759e70782

SHA512
412ddb1271c1ad630dbcb1629bbff8dc287f59d7f1339c1840dded720b20456add806213f114882cb19bd45394f0c8d28a6521def528880055deda0b8e952eda

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
109c559d1c0921d15428495e6667c5d3

SHA1
85a8c08e23538973d978b75291babef5f2821034

SHA256
96b159fe0e5789f2683eadc0b54b02cc6aadf882fc13550ea35bd83bb87b57ec

SHA512
5f51a98c0cad993d24ecfecefea09174c1f8251631cf989135bdfd455cce8fb3af703a24ad26fdc70d5b06909a42802283aa45bff00c30119ba40c1911d3a55b

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
ade4632ced768ed05abe7f21c923a90b

SHA1
01879739091db8a43c367d8c7151bc334580baf5

SHA256
63e1b3a69416d29304efa74ad636597dbb4e03b0c30848296de1414083d2ff6d

SHA512
dddaccd01bf3de3ff8189ac4652db14e81b55ce1b8e8dc1ab4519776feb3c9bb35eccc1d61a9c30373804681aaded62b1898acd6bbd296bc07abb6cfb0f4eb60

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
fa683a57d7cf4601737a9a5f0a0d7a98

SHA1
ffc2976c2044a03a8f0f7ebbbbf867675c4575d1

SHA256
8aaec398161bc708c63c09f33ca8e920b74a0ee7a4e0b160f7306a5cb3078fe4

SHA512
b573b8a0a817c233a4246280b96aed12c474a8d70904172c513136f57d164742643605f902d44bd409fba519d87c6357e90da6bd67f9c3502c2b4234a42138c5

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c06482a727cede5db74c80636f19509e

SHA1
adf1ff61be3acadf6f1def121177b258195a0c99

SHA256
6b9cb8d05f8c395407c14044ff96e40d8042b92dadf1a5863aad02d299584683

SHA512
e4ca0b642d82ac3bd0a18033ea915aecd980adb48257816e66fb37da62b9838c84e9ea1faa03fb79e251cf142ec1197ecfb984efa7c0598d8f3549e24315a256

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
b15c4feeceecbcaa601f594f450e5505

SHA1
733740d174a0c10ecec03547c964bb299433917d

SHA256
5322fc1bce546503c8e9e430894f7814dfd514f36af76ea06e750f10081ced8b

SHA512
4f2e6c18fde9f98dff4991203a6d0bad7ad84f1a37adf23331607f8c057bdaabd58094f3f2fe56e669c0af2785c4c223b8c4c59521e0cc60b0496487f4581bb2

Download Submit
memory/264-290-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/264-356-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/360-232-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/360-509-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/436-51-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/436-49-0x00000000007A0000-0x0000000000806000-memory.dmp

Filesize
408KB

Download
memory/436-44-0x00000000007A0000-0x0000000000806000-memory.dmp

Filesize
408KB

Download
memory/520-207-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/520-422-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/548-497-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/548-508-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/816-65-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/816-66-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/816-59-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/816-173-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/820-206-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/820-129-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/820-120-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/820-126-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/896-733-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/896-720-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1220-722-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-238-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1428-536-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1452-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1452-511-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1532-165-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1532-157-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1568-628-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-565-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-538-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-701-0x0000000003C00000-0x0000000003CBA000-memory.dmp

Filesize
744KB

Download
memory/1568-711-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-695-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-639-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1588-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1588-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1636-144-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1636-215-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1672-669-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1704-172-0x0000000000560000-0x0000000000612000-memory.dmp

Filesize
712KB

Download
memory/1704-236-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1704-241-0x0000000000560000-0x0000000000612000-memory.dmp

Filesize
712KB

Download
memory/1704-170-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1720-263-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1720-578-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1740-602-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-593-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1760-134-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1760-213-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1764-744-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1764-732-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1916-101-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1916-87-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1916-81-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1944-192-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1944-267-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1972-289-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1972-200-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2168-250-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2168-566-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2220-592-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2220-274-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2304-106-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2304-113-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2304-107-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2304-194-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2304-803-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2324-34-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2324-77-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2400-161-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2400-231-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2452-680-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-668-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-218-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2464-473-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2508-451-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-572-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2608-254-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2608-186-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2620-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2620-128-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2692-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2692-133-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2728-116-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2728-190-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2728-102-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2728-92-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2728-98-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2728-117-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2732-19-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2732-76-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2732-25-0x0000000000A10000-0x0000000000A76000-memory.dmp

Filesize
408KB

Download
memory/2732-20-0x0000000000A10000-0x0000000000A76000-memory.dmp

Filesize
408KB

Download
memory/2776-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2776-425-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-220-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2800-294-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2828-742-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-754-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-216-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2860-581-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-597-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-617-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2964-100-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2964-5-0x0000000001FE0000-0x0000000002046000-memory.dmp

Filesize
408KB

Download
memory/2964-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2964-1-0x0000000001FE0000-0x0000000002046000-memory.dmp

Filesize
408KB

Download
memory/3052-475-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3052-489-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download