44ab3c25a3e341da85a1549854ae2543655a6c098a347bc4019d95aebfbabeaa

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
Size

4.7MB
MD5

834c9b268971af43fc2d7093cfc98ed4
SHA1

def003436af1719b472b2fe8be18e5ad5a29b16b
SHA256

44ab3c25a3e341da85a1549854ae2543655a6c098a347bc4019d95aebfbabeaa
SHA512

36d46d9463c9047e58899206a921fd11186518b9c4b1ce1f5147ce76b9876fe0eba230edb9f1586dd29ba32a96ddfc80f5d0453efcc60a3fc8935b183500857d
SSDEEP

98304:ofAgoCBa1bPIjilX6S3cMtSLG8aoSiOiicPyK3O7AFp7lb:sboCByweogccYOiv6AgAFp7lb

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
1640	alg.exe
2752	aspnet_state.exe
2844	mscorsvw.exe
2548	mscorsvw.exe
1972	mscorsvw.exe
428	mscorsvw.exe
2040	ehRecvr.exe
2228	ehsched.exe
1916	elevation_service.exe
2336	IEEtwCollector.exe
1352	GROOVE.EXE
2276	maintenanceservice.exe
2016	msdtc.exe
2896	msiexec.exe
840	mscorsvw.exe
2904	OSE.EXE
2212	mscorsvw.exe
880	perfhost.exe
2832	locator.exe
2256	snmptrap.exe
2008	mscorsvw.exe
1372	vds.exe
2320	vssvc.exe
2120	wbengine.exe
2628	mscorsvw.exe
2788	WmiApSrv.exe
1516	mscorsvw.exe
2012	wmpnetwk.exe
2192	SearchIndexer.exe
1368	mscorsvw.exe
2000	mscorsvw.exe
2864	mscorsvw.exe
3064	mscorsvw.exe
1584	mscorsvw.exe
764	mscorsvw.exe
556	mscorsvw.exe
2612	mscorsvw.exe
2748	mscorsvw.exe
3036	mscorsvw.exe
2424	mscorsvw.exe
1684	mscorsvw.exe
1584	mscorsvw.exe
960	mscorsvw.exe
2984	mscorsvw.exe
2060	mscorsvw.exe
2264	mscorsvw.exe
2640	mscorsvw.exe
3004	mscorsvw.exe
2028	mscorsvw.exe
2748	mscorsvw.exe
2244	mscorsvw.exe
2472	mscorsvw.exe
3036	mscorsvw.exe
2300	mscorsvw.exe
2628	mscorsvw.exe
1604	mscorsvw.exe
2828	mscorsvw.exe
2644	mscorsvw.exe
3036	mscorsvw.exe
2420	mscorsvw.exe
2548	mscorsvw.exe
2096	mscorsvw.exe
1960	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2896	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
744	Process not Found
2300	mscorsvw.exe
2300	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe
2644	mscorsvw.exe
2644	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
2096	mscorsvw.exe
2096	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
1692	mscorsvw.exe
1692	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
2748	mscorsvw.exe
2748	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
1320	mscorsvw.exe
1320	mscorsvw.exe
1448	mscorsvw.exe
1448	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
1568	mscorsvw.exe
1568	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b9ef2b64d264f17b.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SuspendRead.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE62A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB95.tmp\ehiActivScp.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDD74.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEFDB.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD318.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEA20.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9C1.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE36C.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCBD7.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCF22.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
604	ehRec.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: 33	2340	EhTray.exe
Token: SeIncBasePriorityPrivilege	2340	EhTray.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeDebugPrivilege	604	ehRec.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeRestorePrivilege	2896	msiexec.exe
Token: SeTakeOwnershipPrivilege	2896	msiexec.exe
Token: SeSecurityPrivilege	2896	msiexec.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: 33	2340	EhTray.exe
Token: SeIncBasePriorityPrivilege	2340	EhTray.exe
Token: SeBackupPrivilege	2320	vssvc.exe
Token: SeRestorePrivilege	2320	vssvc.exe
Token: SeAuditPrivilege	2320	vssvc.exe
Token: SeBackupPrivilege	2120	wbengine.exe
Token: SeRestorePrivilege	2120	wbengine.exe
Token: SeSecurityPrivilege	2120	wbengine.exe
Token: SeManageVolumePrivilege	2192	SearchIndexer.exe
Token: 33	2192	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2192	SearchIndexer.exe
Token: 33	2012	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2012	wmpnetwk.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeDebugPrivilege	1640	alg.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeDebugPrivilege	2752	aspnet_state.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2340	EhTray.exe
2340	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2340	EhTray.exe
2340	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1520	SearchProtocolHost.exe
1520	SearchProtocolHost.exe
1520	SearchProtocolHost.exe
1520	SearchProtocolHost.exe
1520	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
2356	SearchProtocolHost.exe
1520	SearchProtocolHost.exe
2356	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 840	428	mscorsvw.exe	45
PID 428 wrote to memory of 840	428	mscorsvw.exe	45
PID 428 wrote to memory of 840	428	mscorsvw.exe	45
PID 428 wrote to memory of 2212	428	mscorsvw.exe	47
PID 428 wrote to memory of 2212	428	mscorsvw.exe	47
PID 428 wrote to memory of 2212	428	mscorsvw.exe	47
PID 1972 wrote to memory of 2008	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2008	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2008	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2008	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2628	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 2628	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 2628	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 2628	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1516	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 1516	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 1516	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 1516	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 1368	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 1368	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 1368	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 1368	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 2000	1972	mscorsvw.exe	61
PID 1972 wrote to memory of 2000	1972	mscorsvw.exe	61
PID 1972 wrote to memory of 2000	1972	mscorsvw.exe	61
PID 1972 wrote to memory of 2000	1972	mscorsvw.exe	61
PID 2192 wrote to memory of 1520	2192	SearchIndexer.exe	62
PID 2192 wrote to memory of 1520	2192	SearchIndexer.exe	62
PID 2192 wrote to memory of 1520	2192	SearchIndexer.exe	62
PID 2192 wrote to memory of 1496	2192	SearchIndexer.exe	63
PID 2192 wrote to memory of 1496	2192	SearchIndexer.exe	63
PID 2192 wrote to memory of 1496	2192	SearchIndexer.exe	63
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	64
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	64
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	64
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	64
PID 1972 wrote to memory of 3064	1972	mscorsvw.exe	65
PID 1972 wrote to memory of 3064	1972	mscorsvw.exe	65
PID 1972 wrote to memory of 3064	1972	mscorsvw.exe	65
PID 1972 wrote to memory of 3064	1972	mscorsvw.exe	65
PID 1972 wrote to memory of 1584	1972	mscorsvw.exe	75
PID 1972 wrote to memory of 1584	1972	mscorsvw.exe	75
PID 1972 wrote to memory of 1584	1972	mscorsvw.exe	75
PID 1972 wrote to memory of 1584	1972	mscorsvw.exe	75
PID 1972 wrote to memory of 764	1972	mscorsvw.exe	67
PID 1972 wrote to memory of 764	1972	mscorsvw.exe	67
PID 1972 wrote to memory of 764	1972	mscorsvw.exe	67
PID 1972 wrote to memory of 764	1972	mscorsvw.exe	67
PID 1972 wrote to memory of 556	1972	mscorsvw.exe	68
PID 1972 wrote to memory of 556	1972	mscorsvw.exe	68
PID 1972 wrote to memory of 556	1972	mscorsvw.exe	68
PID 1972 wrote to memory of 556	1972	mscorsvw.exe	68
PID 2192 wrote to memory of 2356	2192	SearchIndexer.exe	69
PID 2192 wrote to memory of 2356	2192	SearchIndexer.exe	69
PID 2192 wrote to memory of 2356	2192	SearchIndexer.exe	69
PID 1972 wrote to memory of 2612	1972	mscorsvw.exe	70
PID 1972 wrote to memory of 2612	1972	mscorsvw.exe	70
PID 1972 wrote to memory of 2612	1972	mscorsvw.exe	70
PID 1972 wrote to memory of 2612	1972	mscorsvw.exe	70
PID 1972 wrote to memory of 2748	1972	mscorsvw.exe	71
PID 1972 wrote to memory of 2748	1972	mscorsvw.exe	71
PID 1972 wrote to memory of 2748	1972	mscorsvw.exe	71
PID 1972 wrote to memory of 2748	1972	mscorsvw.exe	71
PID 1972 wrote to memory of 3036	1972	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-03_834c9b268971af43fc2d7093cfc98ed4_magniber_qakbot.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 270 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 244 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 244 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 204 -NGENProcess 200 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 25c -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 200 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 248 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 200 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 274 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 268 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 268 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2d4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 308 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 310 -NGENProcess 2cc -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2e8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2cc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2e8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2cc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2e8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2cc -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2e8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2cc -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 1f4 -NGENProcess 340 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 204 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 338 -NGENProcess 334 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 350 -NGENProcess 340 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 334 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 340 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 348 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 348 -NGENProcess 358 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 368 -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 354 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 340 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 348 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 360 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 340 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 348 -Pipe 194 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 340 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 348 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 340 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 348 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 360 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 340 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 348 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 360 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 340 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 348 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 360 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 340 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 348 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 360 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 340 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 348 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 360 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 340 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 348 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 360 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 340 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1052

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2040

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1520
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1496
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.4MB

MD5
b0f7e760d8b8bec681a2c981d5bc78c0

SHA1
0da2c40f7dd5754db211fc07c1824afe7e060acf

SHA256
97e377b3804cfe894749d6e8fd180398481eb5c55354a3afc32357051fbb936b

SHA512
a5aa47eb241e53e548b7c99b4f295c3cdea6aee15ec114d67e1f563d331946d8d32db0f04439820de2f06285a8d9db4fa4fb135e15f55abd7749e6466bcd36e1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
1a2f41494c0c8bd0101add1d0b182c52

SHA1
af2d2275554bff016058d9cd61582570887a2445

SHA256
a652409d22ad275589cb070d2e1ffdcddfd911963c013a5fea382cb14b72003d

SHA512
0b4011e9441b39541b768c6bcbe0d89fecc56d4f80db57860f61924f191868869ec98585a193a8e30e340f1e2d862913e4df3a42187958d7dfa3a3eb40f63043

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
b5d0cc3b410ce6de64949b195eaa53f8

SHA1
ac0d1b91c311b81bb5609bfe251366468556c731

SHA256
ce65bfecb6ee3a659ee50d99f0feb78b27d64fa48a5a58a0c7ce28a65f92570d

SHA512
46130fb4088e9e8eb6b1c9ab042afe0275a4faf17ae50e6319f213e3c7e89f837389f38d4186910ca75db55a30bd78038951c5526e9d90ab754726988d85f0fa

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
d2448ae87a1f46cb4947c578ca558605

SHA1
de22ce3ae1adeda9a6def9c999ff10fde0a1e606

SHA256
30d9f9e008431f06454054d8be5c2892ca85974c00d9fc51e812444213bc493c

SHA512
29fc20855a11a64d29a20c33e33443359615edec91e05a640a6534fc6bfabb880d5ab2aeac697a1f6f03a4c0c75fd3fb83adaf9c2a87a1c05f6e137cd13cc41e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d79ad34fd55c4e04511f16e28cd5a434

SHA1
a133bb10175a76aaeba1dcc057abac30f3f44171

SHA256
442b2c4c8d22d61d0144a2e538481aa3039aacc58c78d60a4cc1d95e427a5163

SHA512
f711479378ac6cc1b5fab9061b79ef633cd75aab8903bc3ffffa61c848cfff87926f68078444de522c81924269038d7cae7575e3d4105a0690ea09f3ddb10007

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f4ae3ddb769dae26006280cc9ff42681

SHA1
0974137e8bb65f5b896734a778716d6aa6c82844

SHA256
0ec51afbfef05ad019b540954f82fccb0cd8eda7397317484d58e74e23ca0dca

SHA512
8ad9aebfe780d1d9f656946e062b36c94d17096078f2a7a400ffc8bac65dc308674f6a184c535265d6fd49bf3e98be6a1a6f2a50c83da04d80feeb75700b1d9d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a21c3eccda2107612c78105ea98bcfbf

SHA1
f742cd7473a2bf41a9a9b0021ee2f4d2a4775773

SHA256
abcd608dcc83ad44b0966d2f9df2aabaec23aa9eca2193322773c27eb4efb5c2

SHA512
7ea7fed6c0e001b34831dd5317114527109e1f437837c40d03a31b0e6749b7c4a20483ef65ba9e4fb46dbb0129be05bc3fdf3f7a1249774f6ed3a18e6a8f3c7e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
7f99d41d68e5d04c64445bc20acc92c2

SHA1
2165e3688fede807505f57959f8f0aef61b8e58f

SHA256
61b89f66e3556c01bd6dbba457c9ef235fe6916122daed968c327cadcbc2ceff

SHA512
9a3d57c06a87db5e73f19a0ca7e221ff5c6ea9207e488bfd00a9677c6a32859c5197269887e9e718a1f54fb6a25460e622f157e819461e1e1676f203512964c8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
32b8a0a749e7b36464d80367f3944608

SHA1
740834872f3eeccf6dcca369ced02bce955cfcaf

SHA256
7b38595bae22d474a9acd3184fc9f64d931c6a22943a780d30ec0e83b06b31f1

SHA512
7e099fbbe7842a338e6d0f5e663f5b3c0a932c3dc95f5062f9767dfa8463780250bc4871600abe67fd63998d67100ae7863a969a903c94c1dd3aedb332e4a3ca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c31c6042c737b409c8c68cb74e82d58b

SHA1
37da1a5beb2a7dc717ed93d90bd43f35365acbf7

SHA256
c5f410a6f61163d00a95243118b7be2408088f5ce973e14368232cf330747e5b

SHA512
cd7562ecdfa6b78c8c680269d71afd3968b4b7c9aea07e83b72164d0074a5553ca91b7be966422c0d8a6e70e746a119f953cc691d3f8748f61c888d00a5d6b66

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
af669a9065da582fe5c4e94dc600e2e2

SHA1
52611e8f0a4fe646df81847aec0430c5735031b9

SHA256
56c1e574b1987d8642b12baab847fc3db47a6506f0950b56b059f3c7f7b1046c

SHA512
48c1b312755cc3aaa6cfc080c53c3ca1db93ff7c04f18171f6952de46b9389bd8915802778c6aeb21a7c71e4889e61e9f60efaa7a2d231ffcf7a77871fb7fa3b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
554d6a86d10fa00cb16870acb6e495a9

SHA1
c57931e6ba313115b1e03e2f5faf8f85e99d2a27

SHA256
91100bb319cc4b10355ef922fd9a437d9a279493c64bb08ca8d8dd260f134416

SHA512
01a62c6057483e7357a482118ea41fe698b8b4cba4af7abcf0d91ecbccddecd6c063c87b1001f027b0abde86a0779baded8472774088a80e241e58ee33454e6e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
d4761684fec972e61f304f74fe11e630

SHA1
0779aa49a0a54b7e7fa7352498bc9172b33a3e36

SHA256
83ddd5a3e1f0ab5e54a4354fa3f457609d72873550cdcf1c9d17d860f8e18cf0

SHA512
0ba0b932203b5f18293ee2eb48af02d2182bb5ca59b08cfa54bec3fca10010fde6a6af9d1082060e157bb886a1f5e47c7fdcd433bacbd459b02a68c9021d65aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d71234672417bb382b64b34f8a80a378

SHA1
2768020af38a6e36e0faac0a76860cf160d211be

SHA256
d6e636f4399bbf206833d476700656e151a301493a203da0c6a7183007dba7a6

SHA512
4c297f2c3f72f744fa3c41d4041cf11c7402987290f348a602df8d8cc54db982d715bdf725a7fc1cb0fafa3d701724a0c0c45c975795c591511a4740c2718d13

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e8cdc8b9b52f5bb677a24702924cdf23

SHA1
fb5675ad6c0f29a438f3102da0b060f6ef17c527

SHA256
fc5b50127aa153f59d60f074c58c74a65a9c071820451558cf102089c5021fae

SHA512
4e2c82ae1ad58e7c232142decf6c9ed5938d332699974ce9c4243af4c7115340f0243be9c832f7da1d9e1a74bb60d4b9d2c5ebabb2a17b8f1dbe154eb8cf0b9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c0d50e20162fc97bd78492799fb15240

SHA1
a46482f97e39b56443ff54527efcb86ae8b5b13d

SHA256
7160c1160df62acf188d782c44af6549ea6630e79333512b4a7551039641d659

SHA512
fb11946b5df86984e0763f417b5078c66b4fe26c1e5093d2dc467737b33f7910a49bdffa44821bb0274a7e758e1a5f55b6b7375e850c41a39acef6b5e16fefda

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
42f30643cd63600bf9fd21d8b3dcfa90

SHA1
f2369343f254c25cade70e61492e0a44b1e011fc

SHA256
889cf131d2cae77f9e04e8e209d7e7d2066d8b1918c121b5fc77ce9ac6448870

SHA512
aa9c5c52823bf67bcea0a3e1b2f99c6df3f6f428bda974239868ba7e0f13715e3e6e75e1eff4b9467c199ab72b1bcc8b70f0a5dc32aa9951727f48c284121975

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
e1a500601f41e3f8d0b1798f5d980db2

SHA1
1a75a544e56d321e531b13341aa2d95e1d8d28af

SHA256
a133402c7f1331d2ad001149bb75b2907391fec426b62ce9e1814c27bc2a9cb2

SHA512
28252bd531fd0bcb884d263e9fd9ad727187a4bd8d186b40463f3b733ce0ded1035eafc60fc47d98c975d8172b8c42cca1a028fb0c2100067534815ee09da050

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
682dfaa37e4ee7772d14f2ed89dea37b

SHA1
4500e888f960098d17caab5224327f6b56a6d331

SHA256
deca2fe87a3ffdb3a8749a9242fcd492af50d026c692aed297cc27b3513dc335

SHA512
feaa40b0f59b035d9914332e3e276ac5d4512b5477d0d73bd6e07e26a45e6e9b09ab06fbd007958db249804b14d309b5b51f8a0376e197c76cb6774ac4b7e7d8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
82146b7743dd674b5087c170a012d12d

SHA1
6b7df911f2e86c6a98088eb451d3c652fce525fb

SHA256
6ef8de92e40dd7b38fb2734e53019549a2e42b1db342b4ec889b2c691eca7cd4

SHA512
68b55bf58fbc6aaf1e18a981d10fccfb174dfa19b206025a45cb6ab8b40514d3635c9a9ba12593b6bc7b9e3c453f37029bb4aa375e4da9d2ae74d2cb0e254da0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c98c5d8b5976fe2e64b4fc54295dae07

SHA1
f8efdddeea789b573287e94b424231e4c57bbf60

SHA256
d7c6df48849f4013abdaa9b16bf2ece4fe091a5eadf48fa4e6c2d9ac657d8efe

SHA512
cbf81954586ffeead928bdf60e25f619e9f1b9e0d2c6ba76ae1cb540e961224b9bdd368b755075f815e909ccdd60b58cd7bc8b8fa788e3cea7d10e9fff72905d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ee5d0fd79ac9e74d4b34886c6ed7282c

SHA1
613eb151c55c9a377fbac2275ae230c6b48fb056

SHA256
ea35f219967335adc74faccd7cc491c2a6b5d519a20f7868dbbc2fa554cb91dc

SHA512
7008dad08ee617cd72a3d3dafb897c066e2bb7b7116fe5e2b6b558b460bb6df73efc02070d5559d068c7f9ccaabcd7ed6fe9880cf62e3e3b34f90abc71ee2a90

Download Submit
C:\Windows\Temp\Cab6317.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar64ED.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\34871f5fb727cc5ab1fbc5658a9761e9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
2fe65d86f4cb97292443597b34743032

SHA1
ec2502afbe1caaea7ac18b9846ba6ea3e040775d

SHA256
b4bb6f0553426aba13835671ed959625b3f11d4a92e598a98a446d1d9add6441

SHA512
21425f2f844f930fa177a1dc1f26ebe32c65fab04b4436238031dd5a35c0a85e06587a6de251f5cc9e4184af41547fa0c7d748ff31ce8d41f21c0e79c824f598

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4fc763c7f60f1d86811dfec2c8f02a12\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
90b99dc54876a2884fe91d64112e743c

SHA1
2a9e30075147fb589c1a3c40016cf106bf92e3a4

SHA256
bd0bb0e05cc59a0bc56974c02a32101f5931908f61dfc30fa3f71c69cd21b4e9

SHA512
1f6fc4a6ca4573071948b21d0c57b99f0b1919a729d9223ad9e8bbd2221d3a27017f8f774301feb746544ca88aa593772976c310faf5023660a5f731dc459710

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7b4cd7f7b198782c875ff99050af89a6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
fcd89c48c837445bd07ee43f0c572403

SHA1
71734935a6f396960e6cd2efcf4a9758f9c200fe

SHA256
206fa78756e120f4fc2ef0f06272f1d46519238c698c328fc054a522a4a72a6d

SHA512
25fedbe7ac849d0c150458eebe8e4b499966aee545bfbf4bb9a00685856e7f88768ef30eb2c4339eb1a60e260b1453e6e788b0e9dde52b8d2da67556ac2be642

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cab96b112d7f28344e797f2831011273\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
383e297fc11e441e5854596ae3cf2c39

SHA1
c0e7b3cfe620881df17718a752323fe0e1eb11d7

SHA256
6a4a8b20ffe9e9ace9044044fd9212699e645dc2015bb9b8114e920666813a98

SHA512
50dfe180c902e779f30ce82e18deb02410ad1993e9e9dd9ecf56e21138d219da888ab2986326241ff1732aff03e8c0fe1351b2a0e353834a8f1d7881573e94f2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c0b0debaebcd2c08d935b8f1a84bb9bb

SHA1
b4ba98220b490d08a9b2a792dd27f6be0ec4d05d

SHA256
d6ad65c422f4aa1dc86e883cdfd3fd3ce71be1108281d45ac1cc0b8df51aabed

SHA512
c450572bc33bab17c6621bb5787e6090d98f9f1ab45c66bcbc5033543e73a5291f9ccfbefaf76ee528939848e1239df1d683e4519a7b3ccffafa3a2eacd29cb5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8a5ca76c53a58adbf496f5758c920853

SHA1
2ccea8a9c80c7fd026b1cea089426eb37f4ce4fc

SHA256
28411f67a0fbc86e258956256c4b19bc0e90a0ac1f92745cfa8d88dd66b7e60a

SHA512
00b00da2f8c77a91371c027e0d1ab40c542940a172f265f458541d43412d46035899fe7bd730cd77608e862e4be4cc9f0a2c76f815ced6c916e2e3db42699c0c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
66bfc258e0af381843ee936a519412bb

SHA1
077f3ae9d330e8df6cc40610a17ab0290c147e11

SHA256
efd31607e7c42c70626fd6d6854a025510dd07724d401dd3f9ac1a6721e148c7

SHA512
34efb9550a4fe06041689d07db7826d9521ae9caec0a58a6abd8db0b6aa6d5f5074036a17ebe4d62f540db5047ba27ad1a74f2356720cd16c576f3fab93faf8c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c13c5f799b41d5de40e3f5c78347cd0a

SHA1
9a16faae3423fa2dce7767e8cceb9aec05ceab36

SHA256
0fd7577c6803908af29b554ed742c2244eb046d7d960a7f857a46d614a4ff263

SHA512
f6dd22a00d0e09d89348c305019c1194341d05b80185094f196b2bc1bd5ff97283e7def4a73895510bb25ec351212e075c60c8185aab82d56d3e517b5ca9e9f0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
249552146121766ec333ad0d7ffefb86

SHA1
0ce4293897e143aed84311e5f8a7311155a284a5

SHA256
088201eb38d976951167bce0e73e1cce11ee5f46a3f15b565a23631a4bba1a64

SHA512
21514f47c6c4adfae87a1941b8b8ab1be1711938e85947900a75e369873c8168c537df7bfae9b828e09c9a781bb2aee8a19c54b1b14afc8c808b7c4fc3777916

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
451bc28865c1fac7f967039b1a6ec4a2

SHA1
4775c77b345ce4f7dec297b14968935d1894389e

SHA256
d62ae36a12825407375d962ab9826bb076d35fb5cd5b3b11a9571895352879c3

SHA512
8edeae78298487fa39c7a1d10f8e4bb1fa5bb5e9ecd80d935701a081a14e4b518498cea53a2ea22eff9e0adb3798843f07716abff983b10ff6d139c51195c42d

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fb7f194b67c60554bd2b0addb9d881d3

SHA1
5f9d9b69e11acaa0e7976482c64ea33c940dd885

SHA256
b8bddc058ecf4b7a3c5e0da5d85b89ca8d298ffa64d2e6e8ea0c4a9c229f65ef

SHA512
71cd3f1987c81c8c229bacf280bd3ab12ca34bf1b365905b8718f7b719a67f3c1bbdc0796eeb66a481adef8203383d389aaa8cce39689e8e94276770853faf4f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
257d897db9b5a0f0d6f2b232a503b254

SHA1
326ef1b965f4634c068986bd23ecc89a8125879b

SHA256
13ef2a5c0a0a9f83616dc3393a2ebf75168df49fdd2b6227db9e2559947d888f

SHA512
30984f546e8982d6dbc0dfdae67c83d7afade299f972bcf2924de800c56520610e6aadc11263e26d84d4531bbd13ec101b59f2b0ade779616721035aafcf4e6d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7555b8cf1c39a4af5f1465fa61fcefba

SHA1
bcf1593809ced637ffd20c01d25788ba44fcffc1

SHA256
3fcbaf6976e875ea72c9ea74a68318aa847ade67a73dca5c1a2264073599cb9f

SHA512
cab2f179b51302a8ab7a13280d42501633e867321e8542cb1ba204da6535d4b2b0b0f633bc77041c9cd0c34b91dae0a8428664ae88998399f0819392239aa516

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
33d748879daed0d30374a299d5ab0ef6

SHA1
db9c1a069d7bddc55a2156d423840d9e00cc7869

SHA256
714df1a91dcb1f58df79a8c0d84e0269cc974f685706097d93e23e4539932651

SHA512
2453865a49a411da49758276beaca20d3e5467b70b0315716dbb76ca99a0498e816ccbf4b7c4373f2390a0f654b8dfe67d22659dc190b99bdbc6949ccec66f73

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7bd728a282e8d185c8fa4a8b99a2fb01

SHA1
c9cb467961ef5a00660a79553b0cd8dbd79f3391

SHA256
953418b237a8aea8b4348af8d6991029697f6fb450bdf9bdaa10a8e08115d9d8

SHA512
cdd45cb1e7b43855feb08278cf7253e47e0ea910c1884b349cf96414879c86ca47f9f56b9111f1cc9b3350a61c0c36e5c46336526dcd9f496194f8d7a1b0483e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f4401632885fd7587cd5bb9c5aeefda1

SHA1
a85485e48a57aedd4459a73e3c53b18421d1c1a8

SHA256
8e8ade26b406a5727ade9261f41fdf35c655aba953e05d9aac6ef042738f1b0c

SHA512
4035289af5025ffe10154e4fa8e97c7e422eda6d6a3fe5cea760557090749ec44c9df25023410526ccb5b89d471742d3815234fe89f5d5b2ff2c847d1646ee5c

Download Submit
memory/428-196-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/428-78-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/428-77-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/428-70-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/840-205-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/840-234-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/880-243-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/880-357-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1352-160-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1352-242-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1368-406-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1368-434-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1372-281-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1372-566-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1516-414-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1516-353-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1604-1022-0x000000001ADF0000-0x000000001AE06000-memory.dmp

Filesize
88KB

Download
memory/1604-1020-0x000000001AA50000-0x000000001AA68000-memory.dmp

Filesize
96KB

Download
memory/1604-1023-0x000000001AE10000-0x000000001AE58000-memory.dmp

Filesize
288KB

Download
memory/1604-1024-0x000000001AE60000-0x000000001AE7A000-memory.dmp

Filesize
104KB

Download
memory/1604-1021-0x000000001ADE0000-0x000000001ADEE000-memory.dmp

Filesize
56KB

Download
memory/1604-1025-0x000000001B350000-0x000000001B36E000-memory.dmp

Filesize
120KB

Download
memory/1604-1030-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/1640-21-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1640-124-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1640-13-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1640-19-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1684-749-0x0000000003D70000-0x0000000003E2A000-memory.dmp

Filesize
744KB

Download
memory/1916-240-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1916-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1916-116-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1916-122-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1972-184-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1972-60-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1972-55-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1972-54-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2000-564-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2000-431-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2008-278-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2008-329-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2012-835-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2012-365-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2016-280-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2016-164-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2028-667-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2028-0-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2028-6-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2028-76-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2028-8-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2028-1-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2040-88-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2040-111-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/2040-95-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2040-94-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2040-875-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2040-210-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2040-110-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2120-314-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2120-673-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2192-843-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2192-387-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2212-229-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2212-244-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2228-831-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2228-228-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2228-109-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2228-102-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2256-395-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2256-266-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2276-176-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2276-162-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2300-983-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2300-986-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2300-984-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2300-981-0x0000000001A00000-0x0000000001A0E000-memory.dmp

Filesize
56KB

Download
memory/2300-982-0x0000000001A20000-0x0000000001A2C000-memory.dmp

Filesize
48KB

Download
memory/2300-987-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2320-637-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2320-303-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2336-834-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2336-137-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2336-247-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2548-47-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2548-99-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2628-1006-0x00000000018F0000-0x00000000018FE000-memory.dmp

Filesize
56KB

Download
memory/2628-1005-0x0000000001890000-0x00000000018A8000-memory.dmp

Filesize
96KB

Download
memory/2628-1007-0x0000000001940000-0x000000000195A000-memory.dmp

Filesize
104KB

Download
memory/2628-1008-0x000000001AD80000-0x000000001AD9E000-memory.dmp

Filesize
120KB

Download
memory/2628-347-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2628-325-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2752-27-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2752-35-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2752-26-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2752-140-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2788-352-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2788-768-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2832-256-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2832-378-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2844-62-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2844-38-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2864-569-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-592-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2896-182-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2896-193-0x00000000005D0000-0x00000000007D9000-memory.dmp

Filesize
2.0MB

Download
memory/2896-294-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2896-313-0x00000000005D0000-0x00000000007D9000-memory.dmp

Filesize
2.0MB

Download
memory/2904-211-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2904-333-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/3036-969-0x0000000001B60000-0x0000000001B76000-memory.dmp

Filesize
88KB

Download
memory/3036-968-0x000000001ACE0000-0x000000001AD28000-memory.dmp

Filesize
288KB

Download
memory/3036-967-0x0000000001B40000-0x0000000001B4C000-memory.dmp

Filesize
48KB

Download
memory/3036-966-0x0000000001B00000-0x0000000001B0E000-memory.dmp

Filesize
56KB

Download