3ac9ecd58040e118a22aef26a9f5c6107e2b720cf5a37f7057025ba3fb565be3

Analysis

max time kernel
151s
max time network
160s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Size

1.8MB
MD5

bfaf4624265d65557f4f250e0b6b9ed0
SHA1

b03a63108c0d9ba5dfa3a0ddc4a1d42860afd93b
SHA256

3ac9ecd58040e118a22aef26a9f5c6107e2b720cf5a37f7057025ba3fb565be3
SHA512

0007c0a1841252ebb86aed9d995e8e0c6bb0be24fd3d352e3dfd04373ee621613aa00023e4cca1bbecae69fd96115d9e906f0f66a217924b4bfe70cbc9292cd9
SSDEEP

49152:fEtnrICSooGSTs5xbX022fjBxrj3ZXvYMLprznyDSga9:qrICSbGSsH8JXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2452	alg.exe
2576	aspnet_state.exe
2676	mscorsvw.exe
2392	mscorsvw.exe
1428	mscorsvw.exe
2428	mscorsvw.exe
1740	dllhost.exe
2152	ehRecvr.exe
2080	ehsched.exe
2000	elevation_service.exe
708	IEEtwCollector.exe
2040	GROOVE.EXE
1436	maintenanceservice.exe
2808	msdtc.exe
2296	msiexec.exe
2660	OSE.EXE
2968	OSPPSVC.EXE
844	perfhost.exe
2464	locator.exe
2900	mscorsvw.exe
1932	snmptrap.exe
876	vds.exe
1208	vssvc.exe
2892	wbengine.exe
1900	WmiApSrv.exe
3024	wmpnetwk.exe
2400	SearchIndexer.exe
1076	mscorsvw.exe
2960	mscorsvw.exe
1592	mscorsvw.exe
2280	mscorsvw.exe
2996	mscorsvw.exe
1484	mscorsvw.exe
1508	mscorsvw.exe
2052	mscorsvw.exe
2160	mscorsvw.exe
1744	mscorsvw.exe
1912	mscorsvw.exe
908	mscorsvw.exe
2412	mscorsvw.exe
2996	mscorsvw.exe
1028	mscorsvw.exe
1112	mscorsvw.exe
1824	mscorsvw.exe
2308	mscorsvw.exe
2432	mscorsvw.exe
1992	mscorsvw.exe
2236	mscorsvw.exe
1508	mscorsvw.exe
940	mscorsvw.exe
2896	mscorsvw.exe
332	mscorsvw.exe
1992	mscorsvw.exe
1872	mscorsvw.exe
2496	mscorsvw.exe
1924	mscorsvw.exe
2724	mscorsvw.exe
1252	mscorsvw.exe
792	mscorsvw.exe
1828	mscorsvw.exe
936	mscorsvw.exe
2228	mscorsvw.exe
2256	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2296	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found
1924	mscorsvw.exe
1924	mscorsvw.exe
1252	mscorsvw.exe
1252	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
2228	mscorsvw.exe
2228	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
1656	mscorsvw.exe
1656	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
2256	mscorsvw.exe
2256	mscorsvw.exe
332	mscorsvw.exe
332	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
1572	mscorsvw.exe
1572	mscorsvw.exe
2264	mscorsvw.exe
2264	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1656	mscorsvw.exe
1656	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2076	mscorsvw.exe
2076	mscorsvw.exe
1336	mscorsvw.exe
1336	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\29e2f09bae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9EEE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8391.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7F3.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{EBDA9B5C-DD29-473C-B2EA-26819C6EA04E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA238.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8ED7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB819.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A9C.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8C19.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000007bd6955aa5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3036	ehRec.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
2576	aspnet_state.exe
2576	aspnet_state.exe
2576	aspnet_state.exe
2576	aspnet_state.exe
2576	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: 33	1060	EhTray.exe
Token: SeIncBasePriorityPrivilege	1060	EhTray.exe
Token: SeDebugPrivilege	3036	ehRec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeSecurityPrivilege	2296	msiexec.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: 33	1060	EhTray.exe
Token: SeIncBasePriorityPrivilege	1060	EhTray.exe
Token: SeBackupPrivilege	1208	vssvc.exe
Token: SeRestorePrivilege	1208	vssvc.exe
Token: SeAuditPrivilege	1208	vssvc.exe
Token: SeBackupPrivilege	2892	wbengine.exe
Token: SeRestorePrivilege	2892	wbengine.exe
Token: SeSecurityPrivilege	2892	wbengine.exe
Token: SeManageVolumePrivilege	2400	SearchIndexer.exe
Token: 33	2400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2400	SearchIndexer.exe
Token: 33	3024	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3024	wmpnetwk.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeDebugPrivilege	1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1808	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeDebugPrivilege	2576	aspnet_state.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1060	EhTray.exe
1060	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1060	EhTray.exe
1060	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
1524	SearchProtocolHost.exe
872	SearchProtocolHost.exe
1524	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2900	1428	mscorsvw.exe	51
PID 1428 wrote to memory of 2900	1428	mscorsvw.exe	51
PID 1428 wrote to memory of 2900	1428	mscorsvw.exe	51
PID 1428 wrote to memory of 2900	1428	mscorsvw.exe	51
PID 1428 wrote to memory of 1076	1428	mscorsvw.exe	59
PID 1428 wrote to memory of 1076	1428	mscorsvw.exe	59
PID 1428 wrote to memory of 1076	1428	mscorsvw.exe	59
PID 1428 wrote to memory of 1076	1428	mscorsvw.exe	59
PID 1428 wrote to memory of 2960	1428	mscorsvw.exe	60
PID 1428 wrote to memory of 2960	1428	mscorsvw.exe	60
PID 1428 wrote to memory of 2960	1428	mscorsvw.exe	60
PID 1428 wrote to memory of 2960	1428	mscorsvw.exe	60
PID 1428 wrote to memory of 1592	1428	mscorsvw.exe	61
PID 1428 wrote to memory of 1592	1428	mscorsvw.exe	61
PID 1428 wrote to memory of 1592	1428	mscorsvw.exe	61
PID 1428 wrote to memory of 1592	1428	mscorsvw.exe	61
PID 1428 wrote to memory of 2280	1428	mscorsvw.exe	62
PID 1428 wrote to memory of 2280	1428	mscorsvw.exe	62
PID 1428 wrote to memory of 2280	1428	mscorsvw.exe	62
PID 1428 wrote to memory of 2280	1428	mscorsvw.exe	62
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 1484	1428	mscorsvw.exe	64
PID 1428 wrote to memory of 1484	1428	mscorsvw.exe	64
PID 1428 wrote to memory of 1484	1428	mscorsvw.exe	64
PID 1428 wrote to memory of 1484	1428	mscorsvw.exe	64
PID 1428 wrote to memory of 1508	1428	mscorsvw.exe	80
PID 1428 wrote to memory of 1508	1428	mscorsvw.exe	80
PID 1428 wrote to memory of 1508	1428	mscorsvw.exe	80
PID 1428 wrote to memory of 1508	1428	mscorsvw.exe	80
PID 1428 wrote to memory of 2052	1428	mscorsvw.exe	66
PID 1428 wrote to memory of 2052	1428	mscorsvw.exe	66
PID 1428 wrote to memory of 2052	1428	mscorsvw.exe	66
PID 1428 wrote to memory of 2052	1428	mscorsvw.exe	66
PID 1428 wrote to memory of 2160	1428	mscorsvw.exe	67
PID 1428 wrote to memory of 2160	1428	mscorsvw.exe	67
PID 1428 wrote to memory of 2160	1428	mscorsvw.exe	67
PID 1428 wrote to memory of 2160	1428	mscorsvw.exe	67
PID 1428 wrote to memory of 1744	1428	mscorsvw.exe	68
PID 1428 wrote to memory of 1744	1428	mscorsvw.exe	68
PID 1428 wrote to memory of 1744	1428	mscorsvw.exe	68
PID 1428 wrote to memory of 1744	1428	mscorsvw.exe	68
PID 1428 wrote to memory of 1912	1428	mscorsvw.exe	69
PID 1428 wrote to memory of 1912	1428	mscorsvw.exe	69
PID 1428 wrote to memory of 1912	1428	mscorsvw.exe	69
PID 1428 wrote to memory of 1912	1428	mscorsvw.exe	69
PID 1428 wrote to memory of 908	1428	mscorsvw.exe	70
PID 1428 wrote to memory of 908	1428	mscorsvw.exe	70
PID 1428 wrote to memory of 908	1428	mscorsvw.exe	70
PID 1428 wrote to memory of 908	1428	mscorsvw.exe	70
PID 1428 wrote to memory of 2412	1428	mscorsvw.exe	71
PID 1428 wrote to memory of 2412	1428	mscorsvw.exe	71
PID 1428 wrote to memory of 2412	1428	mscorsvw.exe	71
PID 1428 wrote to memory of 2412	1428	mscorsvw.exe	71
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 2996	1428	mscorsvw.exe	72
PID 1428 wrote to memory of 1028	1428	mscorsvw.exe	73
PID 1428 wrote to memory of 1028	1428	mscorsvw.exe	73
PID 1428 wrote to memory of 1028	1428	mscorsvw.exe	73
PID 1428 wrote to memory of 1028	1428	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 270 -NGENProcess 23c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 24c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 1d4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 1d4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 23c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 1d4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 29c -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 220 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 254 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e8 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 224 -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 250 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 294 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1c4 -NGENProcess 224 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 294 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a4 -NGENProcess 224 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 224 -NGENProcess 2a8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 29c -NGENProcess 294 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c0 -NGENProcess 284 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2c4 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 260 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 260 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e0 -NGENProcess 258 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 304 -NGENProcess 2c0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e8 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 258 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2c0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2c0 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 308 -NGENProcess 2fc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2fc -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 208 -NGENProcess 340 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 2d0 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 338 -NGENProcess 334 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 350 -NGENProcess 340 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 334 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 340 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 348 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 348 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 334 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 340 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 348 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 334 -NGENProcess 37c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 388 -NGENProcess 318 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1740

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2152

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:708

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2660

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
c38028e0888ff616b231c18582b39d6f

SHA1
d756dc91fb0a3eedc03aca767ffc6f85127ce4fa

SHA256
2f49cbafd3f9e47ee27683a4598835bab0ac509c24cc9554c7389ef5cc067e18

SHA512
aa53e20a6f56b548468e86fff9a3ed6e74ce60e398c032719f0d14b0ae9841f30ab3c5d91cd35a0d2f22db34c8ecb80b77bfdc37beb59758591ad2444eb8ad14

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
dbce46922808ee460fae7cc0630a831c

SHA1
6139acce4082b334db1a05668a63154fab7f3714

SHA256
b77285b4dfd3e637bf3cfe82e42dc18e3093c676ece537dbc1f157b2400f9fe4

SHA512
bdf132f6b7a1957593197645c1e9f635ea44f8a494696fad583b32e8125bb30ca3701637474aa36d0f8748356a2d547008f759b989e76486fa258a087dbbff0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
7f2c58aeb74c0d10bbe719160db91274

SHA1
325d6237ee7340137d71fdf100d0b7bae075cff1

SHA256
ef81f07b5db25e0e19c623d0be7d2244db8b07aed6a0c2644451628c59652b71

SHA512
0c6d4d7e8b723e3d67cecac2d25b6e758e5223514ef03124bf78ac44139018197840389ac952e99ca7631f6a389f4679ba5c6ce1f84016c3c3d1d4a789bdf280

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
769a81db8e36a03c35345ce009082b69

SHA1
506bae58d830f20ee192b7adc83dd39c37f7d656

SHA256
31103aaf740d91622ef81b5fc6cfca93de07323fdd1de12219cee032bb2efcef

SHA512
34070bc766d035a275e4ba1d837b2eb46939291e8a796a8c95172106d36ff1a0946847d271ed490a2fdcf25fab347c1ad60e495ed80297211584bd6d0bd0726a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
34d8cc6c378981c8ef51cae136360bd9

SHA1
f111bb56cff1a6f7260334390a8089eaddb19752

SHA256
7ec1649b1e416b1a14119218b28b0d2a87aa7e1ebb20b2d3b6d3fe94188d7091

SHA512
85fb097b7f8a64339aa3e82895661f72884eb1806ce68933146ed43636ce3b3e828d0268bd7c154453e64735c003e0fed1c0095357c3cd75645cb04f0b7617d9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
e74ad7405b779c525d7296131e8aa4d2

SHA1
62ad45426fc057921b971ef50c93864855ff3b23

SHA256
68f64d6588e6864f19488e4e036698e166233be8a6bdfdce30a13ed5ed7a17b8

SHA512
96ee7ee78ef2c1f6e220a0f33e2f2dd47861f72cffdb75e98c3c24bb5adac50b6c14cdc3e9f1109115bb5f151c3d1c2861463e3ad26f8c385a482a4e531a2784

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8472ee60fe85fcd742a20324152c8e94

SHA1
6a105c3a40a66aa817ea08111fa69ea39f59dd24

SHA256
9a270251dd6dad36dfa136eb1bcb418d2c4ee1639eedea61fa0c6469552a2dbe

SHA512
f94f543aa835caf6d683ab0785eac81e2865a4c959c923b14dfa5f542ce5e0e3942424d09b2f1c299fcd1287337726996f9e4088987b2dc2f072bca97843f177

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
09c7613f3d53341b8c991ce56106dcad

SHA1
55e3db7ff8ae16c8e3a1962b4d714d6ebda5a3db

SHA256
46d20bdd4b0eaaed8257b28f29f69637c068d6c2562d07ad7e0afcfae94a6579

SHA512
b7353d7fb180c55c70774089e969d098d5edf3d4ece0c7f8c3f0fd5e1b3db3b912829df89bd715011faa55335e6f2361d346eab33886123dadde772fc2409bee

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
d67d740063f043b5b311c1dbc90d5083

SHA1
81cab75959aacb60dd75df95468b3a7ef9cf3dc4

SHA256
5fa44eba7a06db8bd514f4f137f8160493329f84f42f73d8142e1ad16026999a

SHA512
b7653cd4c6d8c4d4bd493fdb4ff84fe081d028faeaad210cd8f644e9d0dc85d2d2fb9e25cdaff8c3ffde9a64f538a735220300e6af24e083bab3e3a3d2211cda

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e8c05210af5e360d8561162c3357ca91

SHA1
0c7aa20e10635fc9199c7ebd43d437c28f93b7f2

SHA256
3d7f1a7254001e45f98e88b2dc86d17b39ce18baa22270f3577639995513d64c

SHA512
b1670be1ef9cf7cc19a024a92cd1ec2eeb821687aff17a003f4467bb1ea4da0f77b77ce0cd24139b6a0aeb89d8f8502911dc5992fbadd3f8dabef099180b837f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d5f5ac63c2b4dc197186b325a099216c

SHA1
43a86f9e3c8c7f17b0191362c12042fbbe6eb2f4

SHA256
3a09dcb349ddea82a27e2c91cd32ea56bba4ea45beb04b078c32c49c15de0d66

SHA512
bee7dc74f841f26d85a5e2fd74992569d54c74eb6e8ee1cde136fade89487dc466efdd81a5041befb6e09388d1e59cec3ebadea5012c4ec5b52fe69ee18aa783

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
30667be7f6c5b2fd0a04d820a35ca6d2

SHA1
d75c9433f77100d29a65971b891d1b57cdeb05c8

SHA256
d395d3b2cb5ed025618d97089a6c4f0fab4a5279c66235733b16a07ce74499db

SHA512
39ff3d36bacffa1c5bfaba701f1765109b216d20231d27949eaebbcc850a54bbc07d0e4c749cdd572657979b02d73e02e48ce75e585f56e7f21d4ffc7b939182

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
10eae1e22fe02dae1ce5c2013032f453

SHA1
a2e9ad8b56359e888e55d7ec64c91b80fe8f5357

SHA256
5912c78a972c9390a02dc0059019fe69f5a558abd7cf8aff6c5ce357a257eace

SHA512
ac2bcd6c15e7fae6ccd5888df31e4c9db047ea4c1e71fc67782ddaf705e62542de286cfe463ae5379f61f5bd9469a555789c2d323bb34192a44bb27300f81ac3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
662d799707b1129c04a24e6b73d29514

SHA1
46a2e96978f9dfaa347882bf56c72a702a1bfadd

SHA256
33a173019fa25714bed1b6b4de14e9a7ae3cdc55168bce2feefb17f60bbf6da5

SHA512
a2bdc940d32efa7bb2f4e0abfa834ab217afb3b93f9be74d40098de52f47e8b2b824bf342a0ec5e2fb0cb3cc33f9c1aec088d9eaa6a49ac8ba93a0001f8ff3be

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
adc7a73e4929f02675abd85cb1a25ff3

SHA1
050739bbb455f3f410e0e39225dbfbf81187b6ed

SHA256
cf645995e4a146a8f65b726e86cfdc58ffda0ff1f3424789e7e5ff5fbc1f3500

SHA512
2b5dab00193dafa66203d29f12c461094017782c21d39ba278cf2bacf1defbca3b53f980a8b5b4e54dcd8621bba66d6eba896a1a3caaed56c67050145674dabd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
11c933384104acf16da7a33b03504da7

SHA1
376c38234a550df849ca39846c9b22fb8329bb37

SHA256
78677ddebdde7d30856f4d559561dcbb1d5f738d9c17edddc272448ec6d2bf76

SHA512
48186de95223120f55469d217487f7e1beb6f410093b6d6f4482603e53bbcf86aa72df5e1f899ec49c24d968690c1c6d74fb069681d24e036d64faf12445dc8b

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
ca90d079c48d19fe2a86cba35c1c73c4

SHA1
6fc0b7b8073d9e27ef97ef5104665e8e2aec7d03

SHA256
52dc0aacd645872cd7a8dd19e8dab96f066c313f504c63e42d6c57a236fe697b

SHA512
81b9a52ebee01c5ca4ff6aebe48e5658662f37a8798040f0fc3a56b2a057dd28b18fa66f4bcc4025e43aac043aa76bffedc0db95b4a1f6cb4bacc334988b0102

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
c0bd878454d526a605578af68a75f86a

SHA1
ad6689bc350645f571157305fc64141557162eb0

SHA256
8a54bb857b2fee974208250f05b4060b4b22f5a09b4cd6c185956993b6acbb6b

SHA512
8d5e9774dd78bb2ddeed641f472b117dcf15a2087b32d0fc2743f64b7c46d7e61db2359f7b38293635dc9655d25f39a7e1d87ff51fa488f0dcc8ec8a8841ecad

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
1b020bdfbba311e023c27969340148c0

SHA1
f88c535961d178605fee541dc9b119dbfe5b2f34

SHA256
1922978a3717f776209125255effd9d773c00074cc5d98950c14650731a32dcb

SHA512
2625acd1dd22554a4802fb30aaa8ce39dfd38e4eba6dd2e648f3a65a6aaffd1615b596da160f982d195fd11883b6df1a4e24bdd84ec0b1b788302785987d4767

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
4dff67c7d3a708e43c29705533f870f2

SHA1
859b2779082d99efa9b9cffcc1e44636395cfc4c

SHA256
885e7f43fe2a0fbbd8b9990bd454d9adf8c990ab331b125c705acf108ddfb645

SHA512
1fed90f4aa3ba96b27bf6a146e8113d0356f029af6e591f099261b93712bf2b1959d3139e85e48cca4014a5840df4f9712efeb855347993facd9a6c89336cba5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4e55a2ee9c11c705a064591df7de1ce4

SHA1
9ea36f3aee49f1134f58b724c71ff249517376d3

SHA256
c1ef0c000984bff7ec4f190c8dddbbd0cd1514421d9bad90cb3a343803a82258

SHA512
600e194302bc99ab7a64bb3d6d3b8d01dcd6d5ca27102a6eafd8569103113cbef4e3628ce92bc938ee12fa158503d37d8dc5d0457434a7769f2a725fb2182fc6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0a2885db576e5f18a3ab8e0ba7576964\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
599ae94f34b6d42a867d57975af99238

SHA1
625777b2d08dc4c81ea760759c2679b02c2461d7

SHA256
ca1f1d6ab1299ee3911f5783c00862bcf878dade57cbb44fb97935c15f2c1927

SHA512
f5a8a26835676b052bcc0bfa7689a8d0d8cf16481a85c3fd6ac14cc375250887948e7a28a48bbeba93246016607c2526a90386209b10e25fbaa90c644216f463

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\22fa5700014b22e9726180c15ec113e1\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
8d6a0f15a09f24c802341881cedd40ba

SHA1
98760645e5ef880e151f224fb752c170575d2db0

SHA256
09aa4b87e12364fd80f09c4d6397bb76fccd8d0ca152608bfcab35f3aa369a01

SHA512
8b610e73117e5f7f682a7c5a09e24d6fd31779c17177061a5282cae42f6ff34571e1ce29278121bfd8e15751a7081e4a70ac7615ccb83a86e94777fb849c7394

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7cee26056524be1dd2faa3f0dfa47def\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
f4cf9f6e426bf816faeb4931f1326d30

SHA1
da745ca7dd5944342e5b38623d7a85f71abdecb0

SHA256
e580a9034ae00a29e82bc8152a54237b5bba0d7cdb256970bb932a550b3203c2

SHA512
be61d2118665244f0a9df6f9d6183ec42c18ab4cfb7446f646eae12e28904d27273e5ce3ba674207e9399d31168b07996ae039c33beae72e683299fab48ba01e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
d04c509de115104cf1c9c9926a135a7b

SHA1
9e49065ceeec261952c133c076c48608e89f63d4

SHA256
a5f828a90775c6c97227636934bb455972e72997197410e0f61038198b6263da

SHA512
82fd662d438de616c6509f595b6fe532b70d2814379227d46297b2d92e494fcb9ca5f775f58d4e574fb94d2861cd91f8981e23b6939da8fdd50095f12c758357

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
90dbc09a2572bd954cd0b7ee3bec9b36

SHA1
14a3b890ff4953160a43f9dfbb0c6c7370e40f15

SHA256
cf72cee316ddcab41b5a2161b0639353b972d6cd4b5acc8563a9ee74277b69f2

SHA512
5ff9ba18712cc3d64b5afdf3ee99e28b508079965b56b1534d0f120aa4684cd035a3ac51b08c31ee0d48490f5152685033fc8cac4c923ef0ba6e04a845139303

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
1fac5265a9164934acda6b11eaf70612

SHA1
a30a4005d337ebdac7fef2d9db1d50aea8d4e627

SHA256
ce0d9c0cf45fd77a936f9730d074bc9e05815951dc82cc3bd2c1295262281971

SHA512
66f5871050f0e556010ab37ad8fa343c7a8f6c5e991ca2bfd8ff08ab551e718bfca0a93a26a8051fbdf12410a51f531989fd1550ed444137fe76e64658f465dd

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ca661cbeb4d5383e0b4e7e2e4585abad

SHA1
8fc1561370b18a1e1708da8d40f9633678b81b6f

SHA256
e09454339891cb584eb7342a9b3521d4bddafd203182f2318ff91286cd5098d3

SHA512
caea309897f1b7b92722f77c70cebfe11442b19664cd387811ae65de5cae60d60ba0600ab07dc10d7bbd02e865e9a531db0e68b33f0cccb8fcedfbb4f73effcf

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
3bc18369f2a32f8a3053bb3c305b1e48

SHA1
b9d5552aa636dc65edfeafb315db008b697f9498

SHA256
ec3a8aaac7be850d3bbc46b424ac4c2c333cadc9639c7dc37189522f1a9f8b7b

SHA512
2007a8f071b51cdfdee608d02b485f366ff18eb813c56cfb52ac7051665d2341e6d3d5a57889a948f6e7417f454956298a695e7b9883ad3b6c6502129b21f63f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
a591fd435f0480a22704f65ff59e2750

SHA1
ec8e8cb3437e6fce405aa608525130f28c55b1be

SHA256
6df4e9aca4d8ea4ded9bb5de6592812d83997cd20f90ca417b3e371e943f588a

SHA512
93611e1b47e866189766b920b9e7e489b3830671aab5d3850979b4fbfaa6003d4ee1f72692cadc4d09a2501b9ade1b6a3e34ce8cae9daf394be13d8b5b8deef4

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
58b2a76d5f2a4a40f164d19353ea715c

SHA1
dd3cf6d4432c29acbcc4b9da7ea2c8690d59bf6c

SHA256
b51a478e6ce515d0d063a4c8543a9370700e8759eff0797ec550234878f3b1b6

SHA512
c694ebcb3dad7538b3e15ffa8bc517b86696dc132cffa31c18eeb2eaa392768e084b2ea4f7fd8c81b91951c86a4fdd31978f2bd71bef588d5ce01d74a361f3eb

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f203df2ac9c6e2bc641c485f09e113c7

SHA1
45c347128e701c4f9217ad9bb6d951b6ab0cbd91

SHA256
cefe0c59c9f88c7758e9920eefd17eb350b5c96d33f7136bc4f800e97a763102

SHA512
7e0429f01d6b2dcebf4cb6fdd0292a22729ece858fadb5ebe2a09976071dcd1c1ee4424ecedf37cab208a00888a8fc4777927846995052ef792da44d3efce641

Download Submit
memory/708-251-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/708-152-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/844-237-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/876-255-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/876-514-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/908-672-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/908-661-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1028-724-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1076-328-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1076-308-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1112-734-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1112-721-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1208-259-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1208-536-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1428-70-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1428-187-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-66-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1428-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1436-183-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1436-175-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1484-552-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1484-533-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1592-460-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1592-487-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-98-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1740-105-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1740-97-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1740-197-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1744-618-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-629-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1808-63-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/1808-6-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1808-1-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1808-0-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/1824-737-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1900-276-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1900-573-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1912-640-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1912-663-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-473-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1932-252-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1992-779-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1992-758-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-246-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2000-148-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2040-235-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2040-165-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2052-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2052-581-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2080-227-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2080-131-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2080-769-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2152-209-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2152-120-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2152-114-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2152-113-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2160-601-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-616-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2280-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2280-472-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2296-188-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2296-275-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2296-192-0x00000000005B0000-0x0000000000662000-memory.dmp

Filesize
712KB

Download
memory/2296-280-0x00000000005B0000-0x0000000000662000-memory.dmp

Filesize
712KB

Download
memory/2308-755-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-108-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2392-44-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2392-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2392-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2400-615-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2400-295-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2412-668-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2412-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2428-191-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2428-86-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2428-80-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2428-79-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2432-752-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-766-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2452-112-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2464-247-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2576-147-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2576-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2576-25-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2576-17-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2660-293-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2660-205-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2676-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2676-30-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2676-62-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2676-35-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2808-179-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2808-270-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2892-272-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2892-558-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2900-248-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-320-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-465-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-342-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2968-294-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2968-218-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2996-516-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2996-705-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2996-526-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2996-689-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2996-701-0x0000000001AD0000-0x0000000001B8A000-memory.dmp

Filesize
744KB

Download
memory/3024-287-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3024-597-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download