c99a9196f1ba77f7b1392d1f4d3d74e99dbe6f2fff102a848d6a822063549f04

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Size

1.5MB
MD5

41626c07042f8d3ff3f4a087f257a080
SHA1

c00c75441960f06889a9d29c45f1ddf5f7cc0a0b
SHA256

c99a9196f1ba77f7b1392d1f4d3d74e99dbe6f2fff102a848d6a822063549f04
SHA512

741d3b1fe8dc4688ddebc39566c13e97662a194d821d865e74afa9a860a97c35688e89b617f02702fcbdfe42fdc37446e0d88a071a0b22429daf90cf0852b0e5
SSDEEP

12288:dUSUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:dUSatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2612	alg.exe
2688	aspnet_state.exe
2460	mscorsvw.exe
2068	mscorsvw.exe
1728	mscorsvw.exe
2856	mscorsvw.exe
1964	dllhost.exe
2328	ehRecvr.exe
2320	ehsched.exe
848	elevation_service.exe
1564	IEEtwCollector.exe
2820	GROOVE.EXE
2868	maintenanceservice.exe
1668	msdtc.exe
2272	mscorsvw.exe
2596	msiexec.exe
2012	OSE.EXE
2068	OSPPSVC.EXE
2232	mscorsvw.exe
1576	perfhost.exe
2064	mscorsvw.exe
1884	locator.exe
2784	snmptrap.exe
2472	vds.exe
1032	vssvc.exe
1992	wbengine.exe
852	mscorsvw.exe
1800	mscorsvw.exe
2232	WmiApSrv.exe
2400	wmpnetwk.exe
1628	SearchIndexer.exe
1956	mscorsvw.exe
1692	mscorsvw.exe
3008	mscorsvw.exe
1892	mscorsvw.exe
2272	mscorsvw.exe
1800	mscorsvw.exe
2524	mscorsvw.exe
1656	mscorsvw.exe
2776	mscorsvw.exe
1976	mscorsvw.exe
1800	mscorsvw.exe
1892	mscorsvw.exe
992	mscorsvw.exe
2336	mscorsvw.exe
1956	mscorsvw.exe
1800	mscorsvw.exe
3068	mscorsvw.exe
1580	mscorsvw.exe
484	mscorsvw.exe
1692	mscorsvw.exe
2272	mscorsvw.exe
2776	mscorsvw.exe
588	mscorsvw.exe
1776	mscorsvw.exe
2200	mscorsvw.exe
1632	mscorsvw.exe
2436	mscorsvw.exe
2272	mscorsvw.exe
2180	mscorsvw.exe
2940	mscorsvw.exe
2096	mscorsvw.exe
2448	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2596	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
744	Process not Found
2200	mscorsvw.exe
2200	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2096	mscorsvw.exe
2096	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe
2092	mscorsvw.exe
2092	mscorsvw.exe
2912	mscorsvw.exe
2912	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe
2732	mscorsvw.exe
2732	mscorsvw.exe
1824	mscorsvw.exe
1824	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
2680	mscorsvw.exe
2680	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
612	mscorsvw.exe
612	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9fa93732ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B3A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP77AF.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70FB.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9398.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F08.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6CE6.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6127A5D1-856D-4DA8-ADA6-A392BC1BA3FB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6127A5D1-856D-4DA8-ADA6-A392BC1BA3FB}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F1F.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0c6c0e313a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030f4ade113a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1764	ehRec.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: 33	2300	EhTray.exe
Token: SeIncBasePriorityPrivilege	2300	EhTray.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeDebugPrivilege	1764	ehRec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeSecurityPrivilege	2596	msiexec.exe
Token: 33	2300	EhTray.exe
Token: SeIncBasePriorityPrivilege	2300	EhTray.exe
Token: SeBackupPrivilege	1032	vssvc.exe
Token: SeRestorePrivilege	1032	vssvc.exe
Token: SeAuditPrivilege	1032	vssvc.exe
Token: SeBackupPrivilege	1992	wbengine.exe
Token: SeRestorePrivilege	1992	wbengine.exe
Token: SeSecurityPrivilege	1992	wbengine.exe
Token: SeManageVolumePrivilege	1628	SearchIndexer.exe
Token: 33	1628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1628	SearchIndexer.exe
Token: 33	2400	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2400	wmpnetwk.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeDebugPrivilege	856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	856	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	1728	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2300	EhTray.exe
2300	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2300	EhTray.exe
2300	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1876	SearchProtocolHost.exe
1876	SearchProtocolHost.exe
1876	SearchProtocolHost.exe
1876	SearchProtocolHost.exe
1876	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1880	SearchProtocolHost.exe
1876	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2232	1728	mscorsvw.exe	60
PID 1728 wrote to memory of 2232	1728	mscorsvw.exe	60
PID 1728 wrote to memory of 2232	1728	mscorsvw.exe	60
PID 1728 wrote to memory of 2232	1728	mscorsvw.exe	60
PID 1728 wrote to memory of 2064	1728	mscorsvw.exe	50
PID 1728 wrote to memory of 2064	1728	mscorsvw.exe	50
PID 1728 wrote to memory of 2064	1728	mscorsvw.exe	50
PID 1728 wrote to memory of 2064	1728	mscorsvw.exe	50
PID 1728 wrote to memory of 852	1728	mscorsvw.exe	58
PID 1728 wrote to memory of 852	1728	mscorsvw.exe	58
PID 1728 wrote to memory of 852	1728	mscorsvw.exe	58
PID 1728 wrote to memory of 852	1728	mscorsvw.exe	58
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1956	1728	mscorsvw.exe	77
PID 1728 wrote to memory of 1956	1728	mscorsvw.exe	77
PID 1728 wrote to memory of 1956	1728	mscorsvw.exe	77
PID 1728 wrote to memory of 1956	1728	mscorsvw.exe	77
PID 1728 wrote to memory of 1692	1728	mscorsvw.exe	82
PID 1728 wrote to memory of 1692	1728	mscorsvw.exe	82
PID 1728 wrote to memory of 1692	1728	mscorsvw.exe	82
PID 1728 wrote to memory of 1692	1728	mscorsvw.exe	82
PID 1728 wrote to memory of 3008	1728	mscorsvw.exe	65
PID 1728 wrote to memory of 3008	1728	mscorsvw.exe	65
PID 1728 wrote to memory of 3008	1728	mscorsvw.exe	65
PID 1728 wrote to memory of 3008	1728	mscorsvw.exe	65
PID 1728 wrote to memory of 1892	1728	mscorsvw.exe	74
PID 1728 wrote to memory of 1892	1728	mscorsvw.exe	74
PID 1728 wrote to memory of 1892	1728	mscorsvw.exe	74
PID 1728 wrote to memory of 1892	1728	mscorsvw.exe	74
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 2272	1728	mscorsvw.exe	67
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 2524	1728	mscorsvw.exe	69
PID 1728 wrote to memory of 2524	1728	mscorsvw.exe	69
PID 1728 wrote to memory of 2524	1728	mscorsvw.exe	69
PID 1728 wrote to memory of 2524	1728	mscorsvw.exe	69
PID 1728 wrote to memory of 1656	1728	mscorsvw.exe	70
PID 1728 wrote to memory of 1656	1728	mscorsvw.exe	70
PID 1728 wrote to memory of 1656	1728	mscorsvw.exe	70
PID 1728 wrote to memory of 1656	1728	mscorsvw.exe	70
PID 1728 wrote to memory of 2776	1728	mscorsvw.exe	71
PID 1728 wrote to memory of 2776	1728	mscorsvw.exe	71
PID 1728 wrote to memory of 2776	1728	mscorsvw.exe	71
PID 1728 wrote to memory of 2776	1728	mscorsvw.exe	71
PID 1728 wrote to memory of 1976	1728	mscorsvw.exe	72
PID 1728 wrote to memory of 1976	1728	mscorsvw.exe	72
PID 1728 wrote to memory of 1976	1728	mscorsvw.exe	72
PID 1728 wrote to memory of 1976	1728	mscorsvw.exe	72
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78
PID 1728 wrote to memory of 1800	1728	mscorsvw.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2460

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 23c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 23c -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 23c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 23c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 280 -NGENProcess 264 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 218 -NGENProcess 284 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 21c -NGENProcess 25c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 284 -NGENProcess 25c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1c4 -NGENProcess 21c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 298 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 25c -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 21c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 21c -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2ac -NGENProcess 29c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 298 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 2ac -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 248 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 248 -NGENProcess 298 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c0 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 29c -NGENProcess 270 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c8 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2d0 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 270 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c8 -NGENProcess 298 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 258 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2e8 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 258 -NGENProcess 2b4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f8 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2b4 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2b4 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 258 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 308 -NGENProcess 2e0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f8 -NGENProcess 258 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 258 -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 318 -NGENProcess 310 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2c8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2c8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2c8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2c8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2c8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 314 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2c8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2c8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 314 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 384 -NGENProcess 310 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 310 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 368 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 314 -NGENProcess 398 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 3a0 -NGENProcess 390 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a8 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 398 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b0 -NGENProcess 368 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1964

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2328

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2300

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1360
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
56c18dad176bd28bb40e10efbaf189e3

SHA1
da8689d22d388bb213cdd458ae5a4c6114828596

SHA256
4689421a336005954a4e11c566937949f5943939a7a82d3296e3e1efba29c5f7

SHA512
6a1aa601d69b6c98b1be332047636c0b467661ce1f0668ec24b42fd3534e6ea9b7e6771626d0aa91ed2d0361ac5601d2508e8c59cab9dc0ea43b82f1872913f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6e7acc554d178c5ecec916481e064b1e

SHA1
e430f9eaf154baa80d1fd0a5f8f76a488c743604

SHA256
789c0df3dff5aa16660570b0ed1a7768eb0e2003044e6fc1ee79adff41e8815e

SHA512
5878cd8f007148d5aa1534d22f87bd07c35a7d44f26e656375e077589c20e8f501a9d400788c592cf8c9af5885535197dec98508f89fdf22814ee757c05a1898

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
076c7f3633b82a7e89e359c159b04b3e

SHA1
d6b55a634ff4788ac35b6e861db3edaebd923dd7

SHA256
5cab604df112a8cfcbbae960608de7f56f7d5e712f731a71ff515aad6590df6c

SHA512
20a93a70753b7396b650606386f797238f8b26a9ac2fb45b673a56684277329883e081c68712dd01e046eb0af17bd2b3d84583f347b9d2ef4e3a2b14229dc3d5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
288597b7439f3f652c1f76d94bb89f46

SHA1
ae2390a571d20cfd3ced8e55c7b25e7066f58122

SHA256
7e5c7cb4bf435bd99965070e8899fc1dd52a1f03909fecf41f29ad6efdbe7a8c

SHA512
691609997d04073e9f544340b8c0529e8546e086c72f07e09bcc9b7a3cb842a38cf61cd8af7564d6fa26c6219b4cdec6bc4b37605b4b67a3e239866678071317

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9e3c93ad292a2e1a6cda466938d2d374

SHA1
afe5ced15f10d21bc411b7adb4f802114e118c7f

SHA256
340bb155796d540bc8894fb7896a69addb2844b27336b5de144fe1e117cb300a

SHA512
91c78770c41da891a5de5ca58ffad6bd823019ba9564b340eae3eb984c41c929c886d3365800f942ae3a57cb9062247570445ce89bf1b3ad48ba4d41b773d566

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c3347d62a49a4bde46ce32a340946e7a

SHA1
2f38c4a044ec3c6946b417d56438ef608f2caddc

SHA256
bf22aa9ceb36f94ea74f756a79fe2379e3fb7bb0a113783d1225717270f9d4d4

SHA512
f4bbd90829feb60cae9e485bc6cbceb563bc10f16c4bd571b88fee7ec7524282ec77fa5b22bd93dcad23d573d5fe6b975d93baa012dabe983f9944a49362569b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
156c09e1fb0833691f701416e41f243a

SHA1
7d6917495baaa9ccc5198995700b611ed97865de

SHA256
7d2a9c5596cf66d0eff4e8036c4b120bfe7adcbf64c393da15851c80fb2ee4b9

SHA512
52ff414e471037beec7fa73f690b5b8f111aa1a85bddc70d4970afab6e98f80c52115c65497b683a07c7498f7b3c34a3fb3f8510c333059bcb8b7f411c34137d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
0e9d1403da53ce1d7587b82b38fc3135

SHA1
7b04700d6d624b42eb3fb9e00c30e6d21880023f

SHA256
6c3ec426d9db637fe85073a78fd9d25aedece0249a6e5bf7107c146dcf0125e3

SHA512
244de6b7bb9338b8789fea7421fd00345f2ec0e8e2ec2b93282c75c70d170f67bf13d6b2b4bbdacd53748e3e23d366a2260272a29b01b80171042e98504f9c45

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
f7bbddcc23266066125b85bd05f598b1

SHA1
16a221481f390f3e4bb8e0e0c799ddf5c18ba4f2

SHA256
8b476c6d347e3cd65c519244a313eb78e863e4dd1d4281c2290e1ebab1c8256f

SHA512
edb810d3143c951e3e63ff0fc15d2175b5e217df354d347abcdc9b3d54ab4a76026ddaab0f06b10700de6f01853f282e40a9a74e12014fcbf75125340cd23cde

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2ed8799d0591830fc0398d6831e2404d

SHA1
3ce82ac041647cc57c977b5b75870652e87da273

SHA256
3e3db48a87b6b8ebf62a79c06405d9e9f96e564f1645546a937c0d5df8549309

SHA512
737e91c3c13d3e5503f0dbe20f6b7535697e3960b7f021ff826b2ffec98ea0d6f2c0c8feac0190ee7c2debc662714dd4d1775d26051c6416bf51aee92565556a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
fa901a9206fda55a04bce1d213f7c031

SHA1
f2d009b0263a1ab77573cb8a46800cadfb933ae5

SHA256
47456fa621e808f66fa1a634f48bf36c651a6a6e3456951eebc56d2a464f3732

SHA512
382d3daee7610a2cf1b03e11a0f30ac58ca609d2cc813f9247514d6722172900b80041166f42cfb5c939a95bfd1dc3f8a7db2f98e755267b9eb626bd739e219b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
bea15daf37dbbe6f8be245a15a89809f

SHA1
e8c57fa9a129fef05bdd3d6cad4d19b38f05d1f4

SHA256
ffabbd09641c2144333086c11f0df725b192c634a2d9da9781229761873569c6

SHA512
5b01c61cf8283b2759fce6ca7917c87f52e4e120af728588ecbe10b4847a691ce7436cc3e5a21812f12c4e70e24e1977b9f8eb425ae5a2fd6f5c4a9727513c8b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
0c90dbaa6651136da129ea759e2feb83

SHA1
16b42c44aae2150bb45189721ef732c4083e9af7

SHA256
5ef347f06124b4138d6bfc2d4177dc0c995aa892db4e592fc1ad7ab6b1a49a6a

SHA512
cc21a0857c2d2cd682e5ec89a27cfecb18cdc86b88b829e972350d6020dd12bf8c144f324bb19f0d8edc4e4df89571c5f7cdf74d7822d14cbeea5b3be20690c1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
4ecba842d9f80978b96cb2a6d3d4dedb

SHA1
6f2a760d360733a6c35ebdeb6197b1ca0b893321

SHA256
8d01cdf6ebfe2df9fd2e4733a2589c9ed38e068e757d9fd678c00dd8b3eaf3b2

SHA512
3ba15855134615c554fc1baf73470805aa914685980f387ada4e301ffd711f4fa895a231a56d3719d51d0cd67e6c514a08bc462ab644c4f2ff508bb30bc850e9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
ecceb0a1560c0dc46e849283c28062ba

SHA1
7c8232f1f09c3bcb50c9ef8f54cd4b83bcd8b78f

SHA256
3439d7bff39503407a45e196624ed223f88650c29f96b2d7950270f59a3fb075

SHA512
b5136e09a0b787f72f6cfe246fd946a55bf26de5583897d438c1da3fad267ceabf7c085cc2773f574bedb3b8bc207e67334ea70275cbf40d4940bfd1cfdf84cd

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
41b467c3aa27d50a80e7b6cad8e2b5a4

SHA1
8b7ecf30e119f8bc0aded37b1144205d3694b1e9

SHA256
a93d4e558945986b2467657bb442e4b1fbd0f8c46e0c7c5af83f071bf651cafa

SHA512
cee034f43a88538b8d89232faa0bf3f077e1c0bebd969cafc23400f56ce7c021fa7209c18a76638dee4a6fe014e845925f880dcc6532dfd156c50c19e9d280fc

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
60d0eb423423cd2913f459fa126180f6

SHA1
9213fa903c7ef7c4cda894187bf9b09ba819d3a4

SHA256
29e36a196bc3bbe25636c315594ea6c9cb46bf8cf57cc3dac2ad6fbb8fd053bc

SHA512
22611ce8da78edd334b9ff4f27f59c11c42998e98a129faf6ef483d2c2494e77aa168c677261b052b32df7722124b58a6b6ca1a5360dbce19d34e36bf61e9d89

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
852738460b9766a0a94ad89cdb16727c

SHA1
0b427d6c997561ec604ef64300ad5ee27a2a3813

SHA256
ab1a0bc033062b05e6154af27f5047e6919d0e7de3845818af5fddaf6e8cbc6a

SHA512
42dc41d77e36e7cf56fac32b29d49011e642ce621c571b00bccda1a5a489cc2a03b16120b388cb9e15a82ffb4447ab48baddf2cd947e40eb8cac581cdaf6128c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3ce4b76f8b483e67b317b991bac50a2d

SHA1
bef6178d8b2eb9984074ac6ee8b096be9c11bdbe

SHA256
068a795045b4777ac34054c348542f6e3f95babad66a41b217df2ff6c9e18e75

SHA512
98cf140da58990936c6ca6654509f93426825ca4ce146343f3b1a761f8c96cd2b2d335597e167889e73f2d3827b2ab68dbc2c7f46df71018f85988e76cf4d3bf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4f62f497e44f08e771cf521fce716a4c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
2c5d0729d7446d101b0c94467518efc6

SHA1
a79b938f0161329bca84a94605ea0c3258013549

SHA256
994651887c9f4fd4dc99efca91bded3aa95b62843c1e8c7ef11cbdc18878c833

SHA512
70fa08690fdcd4050fd9e2ae8b8184222299efe015d2e93247399fc349af686edda813ffd1c08140d025e4eae81544402115c2e27c9cd13a6065d4afa2c5ef11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\cdb8dde7135fe396c0f49bf5ee9d2afb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
bd466309818630d87a3a3c1bf3d9b864

SHA1
054cde1b6394f4f4b741dc05b78ddb232f0e6582

SHA256
7401e80641df7e42ce9288778231ad1c31d047bb1f43bf4ee6836a6bdd7587a4

SHA512
a301de2dcfd5212e4bb46d5e401e1937228cdb3b7e4647b2ec2d0c746367c2d48c70c18fdfcfffe2f30e9954021910a47c8510516a0909867f5a250c4e2d4ede

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\cebfd48f1d971adbb01e763016504298\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
4e289767696d3990edcb4f2788326429

SHA1
28cdf20f1aa77806f82039ed47be8bfe1cbf9759

SHA256
723b0a7483f8cd3e248b4664be15c5358979a602e6d689d979210a9edda316bb

SHA512
474104aaf76ddec4fe65763167629b21643e94ddaa1ad586f705dfcf81493928378e71d2efc278e0e51ba08a6d89cc8579d7e19cd8d6fd768f0246f78d4a5929

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
98530551e674d4ee15313a51bbd5a21f

SHA1
b520d44be559d0355b787f00a3b2b8105e3f6d0e

SHA256
8cdd3168d417dfcb5c9a88bd8f87637a89671493d010e3f88c5200887d307642

SHA512
c54c11ebf22ed12e45614772f4ac9ce61c853050df1b8879d47f897cd8e13e48b6ed8838b8686795233b7297ba904000ec3f4563236b8f4fa75f1575fbddf81a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
b9ddda73bd3122bdbe5c285384848a39

SHA1
78587f3b69bb7ed390f49d9c79e41367c840b1e1

SHA256
97087823d5da0c8899e6df643c8bf302f476e14dc366050524e742c72a51d880

SHA512
442eae323c1adeacfac8359db296478f2459da3e494aa94057b125d6fbc8e6b28d7ce5b7f333ef956ff7a4276d0fcb0fd1af4bfcc17749eb81654536ffc0a33a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
dd0f85323c837c3dd94ac1cecd4c7f91

SHA1
45299ab8f05848bcb6143a5d572d76dc778907c7

SHA256
b4b39fe7804f17e8c768eb3b3db00482c68d9f03973418d6cf4c0c2859e60be1

SHA512
7bf2bb7067c2229eb75380cbd4367eaa548d9161faa7ddde855f924937f15dcd017c0745d3ac41a87c29c26b20606c65ae6313135ed72d3a6b851a8af1a9d9b9

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
db452e433874137b663de6396abd08bb

SHA1
d781f5587187324f4c5daf95f3763c9a9f32e80e

SHA256
63473f2e6e15c5979400a15471f6deb7e4b3146e02c27596a089d7e0989a1b6e

SHA512
01724a4d5309dfeafbc690bb1fc93bf5845a469aa79f9681dfc65573d05b01f06da72b5303ce4c4a58201d20a89ac62d62ee4154c6ca7ad5f46da1f35562087b

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
559bc88c412ad0f7d71030c021bdd8e4

SHA1
c22978cb4641c2caaa7a65ca92e54920192b1d4e

SHA256
4488cb4e20d2aefaecfee6bff7b50b1a3f811ae651b0bc3d55580a3ecbdae1f2

SHA512
ae4afbd070b8a1df9d78386c15928451acb333d3a528c135d82d8b0a5d4e1dc36643c0d172203aff09fe26d1e5b043b6a0f09bb276643ecb951268b197e602c4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
a348539a6e0d5e0e2c0de14cebc23beb

SHA1
c555115fbc94d932b0fd93af56e86def0dee664f

SHA256
5bc9fa88c1c9eb170f3c37b3a5796e90c63bcb1e476e21c9c3524571005e86a7

SHA512
8d9a12c6b160ee6cee49eec662f6b55dbc75b947d44859ac33232376d52344283c3ca5f0273fd5fa5cb248a4523ae8191bff2e40fe94ef8ce9ad412ada76a0dc

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4481233748f7bd44b2de4ee9e929f70f

SHA1
4313769d900db64d23441ce1f7892c97d8cc6245

SHA256
cf8a98a699b8a09c02e115b859b27e199bbdc9b0720b0648d4314d91a3feacda

SHA512
1acde3e088a71fb47d47a5866c1d7ef12b186ea893165de2b42c81dfc4f9585219e25b6005d5a42256942119481f7c79b5afeccd7049198db8628a20baef3f17

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
9faf2f66748eecb5e5ee3f52eaeef7f2

SHA1
04378fb58c338249315bcb174731ed23b1cb6d93

SHA256
848a0282fbf144297caa8318cf8866c33c9297302c784a061ceeaa4652989067

SHA512
7b8dfb0575441d8a6351e6cd707b6aabd7bbcc73f382da02b931779597c62800c79e5e64b536281605cb5068e4845ee921400c50dcd2c7e43ee92c5ff8346cce

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
6344c725f0194ebffea07da87f0b7e8c

SHA1
c726dedfef9256908a40f7ee28fb84927321d3ea

SHA256
130e77aede034b899be5bebdff641eabb909f158507e79aaf0feed8812e41a03

SHA512
5982b05bebd797f5f91da9bc1ae31d0a88db468412476f6a127edeee256ab34ca300e58d68178d7e94e3479793a6600938440e396b4d7ad75a11e934e5e7ee6a

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
79eea95bd82ba8417f43b0ebbbb2cacf

SHA1
4f1aae0681657adf2b403f161ebacb46cfc9fb50

SHA256
c5877b955fd8f6c5f0409cf4542eb28ece67c8696846d9fb4f530a12b2a4fe19

SHA512
516f5f30f78d4376e95e3fecd2dc7321879a61d50d87b556bd66c2de1b84b70b3429adb45f081bb29b33e02a07a3866873dbfb4d80729fa4bbadd74319a0fb03

Download Submit
memory/848-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/848-156-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/852-396-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/852-382-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/856-8-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/856-1-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/856-90-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/856-0-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1032-356-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1032-570-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1564-818-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1564-168-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1564-284-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1576-287-0x0000000001000000-0x000000000117D000-memory.dmp

Filesize
1.5MB

Download
memory/1576-420-0x0000000001000000-0x000000000117D000-memory.dmp

Filesize
1.5MB

Download
memory/1628-840-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1628-434-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1656-645-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1656-631-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1668-330-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/1668-199-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/1692-543-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1692-461-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1728-981-0x0000000001F70000-0x000000000210E000-memory.dmp

Filesize
1.6MB

Download
memory/1728-979-0x0000000001CF0000-0x0000000001D7C000-memory.dmp

Filesize
560KB

Download
memory/1728-984-0x0000000001CF0000-0x0000000001D78000-memory.dmp

Filesize
544KB

Download
memory/1728-983-0x0000000001CF0000-0x0000000001D00000-memory.dmp

Filesize
64KB

Download
memory/1728-982-0x0000000001CF0000-0x0000000001DDC000-memory.dmp

Filesize
944KB

Download
memory/1728-208-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1728-980-0x0000000001CF0000-0x0000000001D94000-memory.dmp

Filesize
656KB

Download
memory/1728-985-0x0000000001CF0000-0x0000000001D14000-memory.dmp

Filesize
144KB

Download
memory/1728-978-0x0000000001CF0000-0x0000000001D0A000-memory.dmp

Filesize
104KB

Download
memory/1728-977-0x0000000001CF0000-0x0000000001D0E000-memory.dmp

Filesize
120KB

Download
memory/1728-976-0x0000000001CF0000-0x0000000001CFA000-memory.dmp

Filesize
40KB

Download
memory/1728-80-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1728-75-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1728-74-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1800-393-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1800-446-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1800-613-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1800-592-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1884-436-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/1884-304-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/1892-572-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1956-435-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1956-509-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1964-113-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/1964-226-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/1964-107-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1964-114-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1976-662-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/1992-591-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1992-380-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2012-381-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/2012-249-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/2064-297-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2064-379-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2068-84-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-60-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2068-54-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2068-392-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2068-261-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2068-53-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-301-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2232-407-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2232-749-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2232-274-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2272-573-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2272-594-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2272-209-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2272-277-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2320-260-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2320-139-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2320-796-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2328-129-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2328-241-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2328-921-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2400-421-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2400-815-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2460-68-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2460-38-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/2460-43-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/2460-37-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2472-344-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2472-539-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2524-632-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2524-609-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2596-227-0x0000000000520000-0x00000000006B9000-memory.dmp

Filesize
1.6MB

Download
memory/2596-347-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2596-368-0x0000000000520000-0x00000000006B9000-memory.dmp

Filesize
1.6MB

Download
memory/2596-224-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2612-20-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2612-120-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2612-13-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2612-14-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2688-155-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2688-26-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2688-33-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2688-27-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2784-458-0x0000000100000000-0x000000010017D000-memory.dmp

Filesize
1.5MB

Download
memory/2784-333-0x0000000100000000-0x000000010017D000-memory.dmp

Filesize
1.5MB

Download
memory/2820-179-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2820-296-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2856-91-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2856-223-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2856-99-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2856-97-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2868-192-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2868-196-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3008-541-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3008-553-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download