2e66ca6006148af46c6579d4c58a0197f4ab73a291e3c78e6e6178d8f878aa16

Analysis

max time kernel
139s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
Size

3.1MB
MD5

9430495586dfe4a24ae4cf6188e8d350
SHA1

77b756ab97064821865fa725e193c8522c12d3f3
SHA256

2e66ca6006148af46c6579d4c58a0197f4ab73a291e3c78e6e6178d8f878aa16
SHA512

6b13a10e5e91e262403d1d601ad62c4abd8834e2bbd27f088c7496c9a18e131bcf6a566dd77963571a4d10aa93db3a8da049b62f16ebd1b60cd382227bb703dc
SSDEEP

98304:aHgNDfXQ1veFPk5FaoCRrgGUDx9w7izY0a:XDfgZeVmCJWlSee

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2116	alg.exe
2912	aspnet_state.exe
2584	mscorsvw.exe
2692	mscorsvw.exe
2380	mscorsvw.exe
1884	mscorsvw.exe
768	ehRecvr.exe
1496	ehsched.exe
2660	elevation_service.exe
2640	IEEtwCollector.exe
1520	GROOVE.EXE
988	VCREDI~1.EXE
2736	maintenanceservice.exe
2144	msdtc.exe
2272	msiexec.exe
2088	OSE.EXE
2416	mscorsvw.exe
2524	OSPPSVC.EXE
2060	perfhost.exe
2164	mscorsvw.exe
2132	locator.exe
1584	mscorsvw.exe
1240	snmptrap.exe
664	vds.exe
2176	wbengine.exe
2936	WmiApSrv.exe
2592	wmpnetwk.exe
544	SearchIndexer.exe
1572	mscorsvw.exe
1908	mscorsvw.exe
2748	mscorsvw.exe
2164	mscorsvw.exe
676	mscorsvw.exe
2652	mscorsvw.exe
1716	mscorsvw.exe
2732	mscorsvw.exe
2432	mscorsvw.exe
3016	mscorsvw.exe
364	mscorsvw.exe
1656	mscorsvw.exe
1068	mscorsvw.exe
2100	mscorsvw.exe
2740	mscorsvw.exe
1688	mscorsvw.exe
2972	mscorsvw.exe
1040	mscorsvw.exe
888	mscorsvw.exe
2488	mscorsvw.exe
1464	mscorsvw.exe
2440	mscorsvw.exe
1484	mscorsvw.exe
2972	mscorsvw.exe
2136	mscorsvw.exe
2264	mscorsvw.exe
2644	mscorsvw.exe
1648	mscorsvw.exe
2736	mscorsvw.exe
988	mscorsvw.exe
920	mscorsvw.exe
804	mscorsvw.exe
1828	mscorsvw.exe
960	mscorsvw.exe
1952	mscorsvw.exe

Loads dropped DLL 59 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
988	VCREDI~1.EXE
988	VCREDI~1.EXE
988	VCREDI~1.EXE
468	Process not Found
468	Process not Found
2272	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found
2168	MsiExec.exe
2644	mscorsvw.exe
2644	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
988	mscorsvw.exe
988	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe
2084	mscorsvw.exe
2084	mscorsvw.exe
1144	mscorsvw.exe
1144	mscorsvw.exe
584	mscorsvw.exe
584	mscorsvw.exe
1796	mscorsvw.exe
1796	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
1032	mscorsvw.exe
1032	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~1.EXE

Blocklisted process makes network request 1 IoCs

flow	pid	Process
36	964	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a6401dc5ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\TraceEnter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\InstallTemp\20240523220316263.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317558.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3ADE.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\F942F94A19C0F79468FD2B85E5E8677B\8.0.50727	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317339.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.manifest	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316559.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240523220316949.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316949.0\mfc80CHT.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\F942F94A19C0F79468FD2B85E5E8677B\8.0.50727\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240523220317464.0	msiexec.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316559.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316949.0\mfc80ITA.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316949.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317339.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317433.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3E0A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5AEC.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316263.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest	msiexec.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4DC3.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP51B9.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5310.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Installer\f775773.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP708E.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5B1.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317526.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220316949.0\mfc80JPN.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317464.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240523220317558.0\8.0.50727.42.cat	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\VC_Redist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\PackageCode = "FA1F9ADB128EB664EAA9BA3CE244C0B1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\ProductName = "Microsoft Visual C++ 2005 Redistributable"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Language = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Version = "134268455"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1080	ehRec.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
2272	msiexec.exe
2272	msiexec.exe
2912	aspnet_state.exe
2912	aspnet_state.exe
2912	aspnet_state.exe
2912	aspnet_state.exe
2912	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: 33	1696	EhTray.exe
Token: SeIncBasePriorityPrivilege	1696	EhTray.exe
Token: SeDebugPrivilege	1080	ehRec.exe
Token: SeShutdownPrivilege	964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	964	msiexec.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: 33	1696	EhTray.exe
Token: SeIncBasePriorityPrivilege	1696	EhTray.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeSecurityPrivilege	2272	msiexec.exe
Token: SeCreateTokenPrivilege	964	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	964	msiexec.exe
Token: SeLockMemoryPrivilege	964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	964	msiexec.exe
Token: SeMachineAccountPrivilege	964	msiexec.exe
Token: SeTcbPrivilege	964	msiexec.exe
Token: SeSecurityPrivilege	964	msiexec.exe
Token: SeTakeOwnershipPrivilege	964	msiexec.exe
Token: SeLoadDriverPrivilege	964	msiexec.exe
Token: SeSystemProfilePrivilege	964	msiexec.exe
Token: SeSystemtimePrivilege	964	msiexec.exe
Token: SeProfSingleProcessPrivilege	964	msiexec.exe
Token: SeIncBasePriorityPrivilege	964	msiexec.exe
Token: SeCreatePagefilePrivilege	964	msiexec.exe
Token: SeCreatePermanentPrivilege	964	msiexec.exe
Token: SeBackupPrivilege	964	msiexec.exe
Token: SeRestorePrivilege	964	msiexec.exe
Token: SeShutdownPrivilege	964	msiexec.exe
Token: SeDebugPrivilege	964	msiexec.exe
Token: SeAuditPrivilege	964	msiexec.exe
Token: SeSystemEnvironmentPrivilege	964	msiexec.exe
Token: SeChangeNotifyPrivilege	964	msiexec.exe
Token: SeRemoteShutdownPrivilege	964	msiexec.exe
Token: SeUndockPrivilege	964	msiexec.exe
Token: SeSyncAgentPrivilege	964	msiexec.exe
Token: SeEnableDelegationPrivilege	964	msiexec.exe
Token: SeManageVolumePrivilege	964	msiexec.exe
Token: SeImpersonatePrivilege	964	msiexec.exe
Token: SeCreateGlobalPrivilege	964	msiexec.exe
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe
Token: SeBackupPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeBackupPrivilege	2176	wbengine.exe
Token: SeRestorePrivilege	2176	wbengine.exe
Token: SeSecurityPrivilege	2176	wbengine.exe
Token: SeManageVolumePrivilege	544	SearchIndexer.exe
Token: 33	544	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	544	SearchIndexer.exe
Token: 33	2592	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2592	wmpnetwk.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeDebugPrivilege	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
964	msiexec.exe
1696	EhTray.exe
1696	EhTray.exe
964	msiexec.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1696	EhTray.exe
1696	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1476	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 1136 wrote to memory of 988	1136	9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe	41
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 988 wrote to memory of 964	988	VCREDI~1.EXE	42
PID 2380 wrote to memory of 2416	2380	mscorsvw.exe	47
PID 2380 wrote to memory of 2416	2380	mscorsvw.exe	47
PID 2380 wrote to memory of 2416	2380	mscorsvw.exe	47
PID 2380 wrote to memory of 2416	2380	mscorsvw.exe	47
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 1584	2380	mscorsvw.exe	54
PID 2380 wrote to memory of 1584	2380	mscorsvw.exe	54
PID 2380 wrote to memory of 1584	2380	mscorsvw.exe	54
PID 2380 wrote to memory of 1584	2380	mscorsvw.exe	54
PID 544 wrote to memory of 1476	544	SearchIndexer.exe	62
PID 544 wrote to memory of 1476	544	SearchIndexer.exe	62
PID 544 wrote to memory of 1476	544	SearchIndexer.exe	62
PID 544 wrote to memory of 2780	544	SearchIndexer.exe	63
PID 544 wrote to memory of 2780	544	SearchIndexer.exe	63
PID 544 wrote to memory of 2780	544	SearchIndexer.exe	63
PID 2380 wrote to memory of 1572	2380	mscorsvw.exe	65
PID 2380 wrote to memory of 1572	2380	mscorsvw.exe	65
PID 2380 wrote to memory of 1572	2380	mscorsvw.exe	65
PID 2380 wrote to memory of 1572	2380	mscorsvw.exe	65
PID 2380 wrote to memory of 1908	2380	mscorsvw.exe	66
PID 2380 wrote to memory of 1908	2380	mscorsvw.exe	66
PID 2380 wrote to memory of 1908	2380	mscorsvw.exe	66
PID 2380 wrote to memory of 1908	2380	mscorsvw.exe	66
PID 2380 wrote to memory of 2748	2380	mscorsvw.exe	67
PID 2380 wrote to memory of 2748	2380	mscorsvw.exe	67
PID 2380 wrote to memory of 2748	2380	mscorsvw.exe	67
PID 2380 wrote to memory of 2748	2380	mscorsvw.exe	67
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 2164	2380	mscorsvw.exe	68
PID 2380 wrote to memory of 676	2380	mscorsvw.exe	69
PID 2380 wrote to memory of 676	2380	mscorsvw.exe	69
PID 2380 wrote to memory of 676	2380	mscorsvw.exe	69
PID 2380 wrote to memory of 676	2380	mscorsvw.exe	69
PID 2380 wrote to memory of 2652	2380	mscorsvw.exe	70
PID 2380 wrote to memory of 2652	2380	mscorsvw.exe	70
PID 2380 wrote to memory of 2652	2380	mscorsvw.exe	70
PID 2380 wrote to memory of 2652	2380	mscorsvw.exe	70
PID 2380 wrote to memory of 1716	2380	mscorsvw.exe	71
PID 2380 wrote to memory of 1716	2380	mscorsvw.exe	71
PID 2380 wrote to memory of 1716	2380	mscorsvw.exe	71
PID 2380 wrote to memory of 1716	2380	mscorsvw.exe	71
PID 2380 wrote to memory of 2732	2380	mscorsvw.exe	72
PID 2380 wrote to memory of 2732	2380	mscorsvw.exe	72
PID 2380 wrote to memory of 2732	2380	mscorsvw.exe	72
PID 2380 wrote to memory of 2732	2380	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 264 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 254 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 29c -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a8 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 290 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 25c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f0 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 278 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 224 -NGENProcess 244 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 244 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 278 -NGENProcess 224 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 224 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 224 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 270 -NGENProcess 1d0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d0 -NGENProcess 28c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 2a4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 2a8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a8 -NGENProcess 268 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 268 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2cc -NGENProcess 250 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 290 -NGENProcess 250 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 28c -NGENProcess 250 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 250 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 250 -NGENProcess 2e0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 358 -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 380 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 388 -NGENProcess 36c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 368 -NGENProcess 358 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 35c -NGENProcess 388 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 374 -NGENProcess 38c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 394 -NGENProcess 358 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 388 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a0 -NGENProcess 38c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 394 -NGENProcess 3a8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 358 -NGENProcess 38c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 380 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3ac -NGENProcess 3a8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 38c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 374 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 394 -NGENProcess 374 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 394 -NGENProcess 3b8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a0 -NGENProcess 374 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3c8 -NGENProcess 3b4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3a0 -NGENProcess 3d4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a8 -NGENProcess 3b8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3cc -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3e0 -NGENProcess 3b8 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 394 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d8 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3b8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 394 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3b8 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 394 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 394 -NGENProcess 3f4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 408 -NGENProcess 3b8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3fc -NGENProcess 410 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f0 -NGENProcess 3b8 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b8 -NGENProcess 40c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 418 -NGENProcess 410 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 414 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 414 -NGENProcess 3b8 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 424 -NGENProcess 410 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 420 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3b8 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 410 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 420 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3b8 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 410 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 420 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3b8 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 410 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 420 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 454 -NGENProcess 3b8 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 450 -NGENProcess 410 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 44c -NGENProcess 45c -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 440 -NGENProcess 410 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 460 -NGENProcess 450 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 45c -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 410 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 410 -NGENProcess 440 -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2144

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7D99FC129FC534DD02412DDE99674B7
  2⤵
  - Loads dropped DLL
  PID:2168

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2088

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2780
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1480

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000005C4"
1⤵
- Modifies data under HKEY_USERS
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
f2d1b5c473625e0e2267ddf963c9764d

SHA1
a8e7f0cc9a1e7333d7e5c8cc7d6ad7e09f50c1be

SHA256
a7dfd86fd1a3db62ce4aec4d44e113d8c933a5d9462a73de8d022111960ace91

SHA512
db355e5150f154e44ec00bd59b868dd3e0ac11326fa34965c55f09be8cd4e1982a40f0793dfab9822a259d5e9fe0c5a9e4356c9e796ba801728875ad7aff11c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2bafea10dd1164d8164b24b0fd892a3d

SHA1
99593dfaae1b78143a990d2a4d0d5e33624e83f5

SHA256
ffa3bb16ab1c12560bc42340070cd85db71ce6613304d03ffddf27796c64fea3

SHA512
4a6ac175bb1dd66ff72d86e6035921a62272e35cdbebfb05e3a788923364b3869eb0a01a20aa92430489d4c1df4b88fe1b7b6b488d624a69fd71ca34d8864794

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b86a719aac3c0cec258121d99b3191e0

SHA1
92de8257999dce3c75b2f490ee9619d7c22d3fee

SHA256
e3a48e566cb96fa205afa032428a7ea0a2741a44233380ab4bf80d3b853d8392

SHA512
c350b9ebdd87b6387509c172d175371a56357a9c9f448f0b911d7653c6ea17dc7f72706c0d7d2e0e827443775ec7b91bb3315a0674fb73c1d63a90caca7be5c7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
65a07dff5cf84c1c490944992faf6b5d

SHA1
dcded7f0baed97e9b2d6f60a90cec599d6799d3b

SHA256
e188c735416dea2d4194d4c5280eed12135106cf606e4556046af9159674175c

SHA512
8d73960281f140c4270c46f34eaf2617c14c09415b51947e60ce4cddb4c9a26d9756702b8f4c936ffd639c82d0ef1b910e6bab7153a6ea1cd0ae611fa5ebde09

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b40247d093249083d5c57085b5b0b285

SHA1
334b5c6514b5c56f45f13d895c5d9861dd65d530

SHA256
705b11052da3a75bae5d3dae7d302de9ef288743224b99c9e941036cd283e287

SHA512
2bedd69b6cb55dc4928c8ff7eb92863d7bdbe4d2922b53ee7d38ee1b2dcad2aee19cf564792441aee2c51c53b4e87d99b81fb831618a543320085f5be9326923

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
79bc360912168374d13274f21b92ebee

SHA1
943cae67249608711a654426e14b3ac24b57b8b9

SHA256
6f0c6cdfea7b9ccca4ecad12d02bfdbda55b14123be121b8179f691ef6fbb3cf

SHA512
3167b6da799bd4b80f5169106eb36ce1117798ff7fe8a9f83c911f24625ce6bcfacc7f76c5d2847d52ec2255362f5179fcc0a9a0693490a1427150e515941431

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab581F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

Filesize
2.4MB

MD5
b31b234cb0f534069ba32aaaeacd7b2d

SHA1
d6f90459f8bdbf7e75cc85affe9b137dc5e304e2

SHA256
b5a652a1025f194f59e1349a1f26709d7ff7760067439b2d52d988a55d9340f0

SHA512
138cb14f6018d3bddd78012c5b36a591fe70d1b2b7f9d3774230639302401be57e1a4d6098c66a83c47e67138ac6dbe79f64548e4c317bb804a4e9a3ffdf94ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3802796dbbc94ed6d1a4df62faeee65d

SHA1
32e62000d47e6aaec7b8a28b90226e4aaecf24bb

SHA256
c761b8e9ac9bb8d732875a488324c26555930bc24818bbbdbcc4d7957e1b8c29

SHA512
b196174d3c98baa525bbb9c28ebfc7fd1bf5213294ec56d3fc713c1b7db5914fefef058a1655ebc2ad4510700d5fe8162868b67ce274dc7213c7777d13003878

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
d09c4ca50b622129cda3709a7ef2b428

SHA1
560991b440f0146f4ca7cbee3752ba79b6f029a7

SHA256
451351879f2a088df023e9c1ab8c7c106cc881a026ea36197b939ace2d20ff5e

SHA512
c5e8d7da2835b1b08778353f7d00fcbfb9ef1f4e8b2bb8f31512905b26c022ce24512ee40b5eb37533fa8b694b633b614faa55ba2e0e6b245ab53f0bbdab32f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
781ab0816907646bdaefcad7433e1a64

SHA1
d7534e914735e8235779649b06eb9c5563fbe11b

SHA256
4b7d8bd3f0a81e773414932476a301f49f3b6da5806d7225f29169a48c2abc14

SHA512
06c9265826aef59e420f2127c5115fb01efabfa3afb80fd6a913458f21e6cea1e41d610e9b4e5b963a39171e26e4aff5659ec6a294507075a48119b3e343fc5d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
c55cfd218057858b8e724b2a3c14eb7d

SHA1
dfcbf8db3c6750bc5a891104ca7da02ec84042e5

SHA256
7dc1c343ec10c71abd2a651e7fc25ccbdf4d7333c3b729d726756864ba76f32d

SHA512
5cb617c8839dbe5c57c943df98359fd662e726b7393dab5617647c8089eb01560e385cc5ef7c593a6858cc8b984140d1bedcf2e02183442fcf7bc30f4c2c454f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5786933321f565f769ca8ae7ea447341

SHA1
8e2431da78b8a860c2cc8882a2dc2e0592a3334e

SHA256
6550ef2524306983bb91d6146d0e1cf16388da1c6c78aff3d6b57c744499add6

SHA512
75a7e04fcbd7cc5c1d0012952e615e861c64871c10b784418dfcb39c26972c867d4507871251be08e9e236782396b7a823efb69427c6e2de513c52d675f2f2ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2fbb672c11f94644ee40e52bc05001ec

SHA1
88d2d6a41549a0ebf48dbe5b1cf301fb4e4ae799

SHA256
4c1eaa424fce268a0cebe6a359af8e010c75a74ed693e6034d319a71bc35603e

SHA512
03ebfe6716b447c1ef2f5fbf9c69545264533cd3956d6db5b55b10bbf72c4d17feb30b778ba4d3b2bb63f4fd278d5a6799783c168badf657d2ca62668d3c1c0a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b95b635ad7335c87a42e7adfa7f1319f

SHA1
998ff650a66ecbfdca934039e3f01203afdb148b

SHA256
b2a106bc2765b11ca9a2a9372cb4d21b9de5252683db5a77aa5d658c8e1785c0

SHA512
c29a29f96af00146524a5b78d64ea6ceef67fe76935c51f7e7f56252d5999877bf8f12a4e32714d1e94205f0f8045790575171733d63560bd6d591a663dc650f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
505694007d220cb628c8406d607a68e3

SHA1
a2215353df433d52ed0a835cc82e54488c8f1e00

SHA256
b77fe1f8dedb3babed16f445361b4cdcd015fec3b2c911dc7e692d465c833319

SHA512
e2fdac8091a54a8843831482aa9b42cb9a4011d6c8529e46be7362f3f6ca11cb15985b3518f1dc5f504db84a13fd47fc40670308d4af35ab4c2aec6bae7a068e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d7b6e57d8dd869f10de85e828d28ee83

SHA1
afef39e42b61027a95fa06cbc4e9dbe89d8b27c4

SHA256
2e369598764da1e32cea9616819884da9208596a5d2c527d4c7ad9d46daad822

SHA512
a451923f13183e7f07c01c0df2d4123ce4dcd6f275f5a1f1bced29035e44e3a0353f9f0204932c357536f9423957f179bc6fb5e2d3cf63977c6c56943a4a79cd

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
38652a03e7ad9a7b706d683f87b9c6ae

SHA1
5467dabda8ddaf1a7da4b4533dcfc7c9015cbd7d

SHA256
01accf58a39a38ec42cf0607f89edf29135aa1f44c14a00bfa35b9c52d1cf561

SHA512
9567d103ca1663b4b3324e93d554e013a883c4887c7fe7bd52603af10f76792247193e87e0ec9748e2eaa189e175032033de57a79e274b76dbbc545012fe9ecd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
c3c203aeb602c0fe3c6f783decc33af2

SHA1
4bd23d88b54e3a35b967a10b7119a37ab79363e7

SHA256
c4aeb603eae6826bb607fee79072a5f11b862a20e0c73901cfd08125e9b9921e

SHA512
659216f2649b5e8206e5ecfbd7441c89d06a286872c77ffba374e1a8e1ff7c21d9b40b6ca884cf8efc02e593a52910b9dc0284e7b907553324767d89ecd495d6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
9b9ab01bd936e3febd303676bc24d5ba

SHA1
a60b884eee00d0abd7829670ea19b38f8aef48e1

SHA256
afc5bab0d213b6aaeffc921f787131e3d9cb8907d081e6f4529fb65edd27ee3a

SHA512
b06ca67a4d1758508b98491e3a6a16f9c43c05ba509ad457a53af03287de60022f55bb704fd7fa9bacd895dfbd091c1a4d01429b5e7a7e615c0db877c021cc9c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
0ae12bb52c0d710cf1ddfca25dda43d2

SHA1
f193c34286560b04fd33b1cf13220ac63730494d

SHA256
cb36026a1909cb218e1a33bdc5dd906b0cd540d3ff6808cf655665222f40fbf7

SHA512
450763653f2fbebe28e143ea6dce40b07f5be764097e773d0624cc966d2e33d03a4e1f0b74b852c44a5208376eed0b1cfb4e0c0ebc7f233e51184be781ded7b8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
5196a640f3690972b4dcff1e6ff901d3

SHA1
65862c96d25328ed7dd0fb89706d7bffd42aa0dc

SHA256
0538a0d6aafc41539adc6181457c0073a2fb6eb8252910d018bd5dfb6bbe53fa

SHA512
30a60e5c91e6ccb350ce8ab6332c5c8dfc7444032e50e05e200e9b5c969096b4831aae1edd3d008472fd8fd82d2b4f5f0e95eac3bd92558d05aae49d9337cf6a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e84393c1afcedd518328ddd7d74779ea

SHA1
a355f4f86757ad19f2bcaae5cd476d610e80e7eb

SHA256
d862c227ba28422095262c722a99ce4200d0ada956518fee2ba790a6fe371b68

SHA512
746a2c47dbaed01ca19d2128aa0c7cd7ba5a7d6afdfaa023a40b746823956686cd0d10c5b6399f791f3cb2915677c239a6ca3649fb0cba1d24be3b34348edb1b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00657a56e362b1c9a25932f9da79d994\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
44f34dc09dae533e9069d168a2a2a05b

SHA1
f22f6eaf23a2d7de143b9ed8bd4f4a1b54295914

SHA256
c6a6a0ca3da46ff2acce99e5e5062a6adc78439c16993a1a934e66370c0993b1

SHA512
0fb8df764e2db8d38df8dede935a45039b5da710145011e82958490321e70c1b6646207000555acdc99c8461c6e4896b332cf96de3d328b701cb5fbdd63b6c43

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\15d6a5ec01cfa5eec00bf0147a3a269d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
53f2e70df04ffd9b8289ff6121e9f9f9

SHA1
1a0ff5433c5e76f5afe89e34fdf3d71ba817d51d

SHA256
0299b8be77a2bbb561457e95e9d1a4f09b91cd9d0d347af13c694b5d4ccdc1c3

SHA512
2e9f8d51ee3f3513c990834213e3a1655f00389e9fb098e8ec966acf1977285782c0ab3c7d5b46bf0db63097f935fe4d93ccdd3032187f92d7ba11a730ef1915

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bedc9c8545270d97ca29c192cbc2c5db\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
5ca01e76ee2c50651a9de8a9858cbab6

SHA1
72cb563ed2aa4a8431a5c532ddae646b86657fcd

SHA256
a8b7262cf07ba32786bf85233988dd5cf6db3cc5daff6d462681488d98d9c267

SHA512
b2db0f7e5c7e9f862acc09f1ef66584d703b8517a26b735fa5a0391240e387bd73a1336d22a9e0b475af62cf253480f76c759431e313731844e0983bd6648db7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ec877036a9b77897bafb97f262b1403b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
68e79753f617637553fc4a75ee7213fe

SHA1
855e452a3a0348ec1271d0c93480d982b1d39869

SHA256
02d6d0c5a9acc55a5da59f8b093a4b474fbac01aafbf9e5c5eaf72ba08a2947d

SHA512
6c7bfe3e952bd380d9913cf948438e9773ab96e153d194072e5c08d3987a9eaeacd213142eb80e11a32f04eeff671a4a1d451b7ac70f1c73cbf7d45a451edff3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
790cfc3645daab582f672171edb61ef0

SHA1
635642fa6a25256c8c91990e3341e1a6f77e05d8

SHA256
224b102d012a2f346cccf326b6dd9708a4352f9754acc1c8fccbf7a099d68b70

SHA512
11a5ee9c2f0e306a206e6310d76edc0ef267110f7ecdd45e95520a09a99f1230542d390ae83347b6c32a7304781b0c97b223947b8f24f0354ce700be9ad08b04

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bec5785377d9997b8a96b729f6cb4126

SHA1
6fdac3591464e5585f5a6d1adab1561d5c2608c8

SHA256
7e4bde2debbcfe2107606b80b0a1675ca040a75fa6715e599cd3b9787b473c5e

SHA512
75a0e8e36c5f92b7aa897628885f1b3784ae094c1dc602c8e161dfdea697feb63e8186ce797150a16d9fc50b0e67da49b2cb8d002f9276bc2dd4ed569825eb04

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE

Filesize
2.5MB

MD5
f031c0d2b460209b47b91c46a3d202fe

SHA1
95040f80b0d203e1abaec4e06e0ec0e01c507d03

SHA256
492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b

SHA512
18840649d19c5310d274bac69010514872a554bb5ecadb4af5fa3667ad1a6bf9d644b31393edbc1b60ace6eff907c79c078f8213948cf90fa4d1529c68ccc629

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
c26c9057cf9fad6fa3d362898946ccce

SHA1
440453251bb951deb4fd15d6d76cc477b6316576

SHA256
53435bcff10a114de2000a01db57a9ab1476cda502984b3b4df4468b05f3260a

SHA512
0788588a0882a6b927fbc27d715543bf816d580c48340a52efbe3818982ceb6eb3a5139d533867b1c92ea342e35d45e1e642caaa575c186293b7f0d8f80f18e3

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
0a81513571b72c9e580ca239c7af3c04

SHA1
87f82225244e9efa0edb27830fdfb44c43f2485a

SHA256
cbf8d2d6b639af02da79f420b72bacd48c7cd3e4db56d0eb5528e6597fce1023

SHA512
15a027503f85212c3b01b02ad5c51605c02994f8e5e5955e5943f333e1e6b578d3d54a1326b5201d275cdb1b777d2b0850ce762742837f74735241173ef54293

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
7999a1570bba66eee60f0c03b41e3ded

SHA1
c6d57edd62b74b4f8844fbcff57e7d17b8597501

SHA256
c23613a2122a328170df7ef056bbe07cd1f8908dacfdf2c7f50dd008eb50a5e6

SHA512
e5b18252473b005e7807ac80f5ec93dd65bd80b4d3ecd77c679743b065064f9c05491bdf9b42edf581119cd2ba6224cdb51793784db069f63e5adb59134a00e0

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
55f501fb8d2878aa8ae4eb4fd38f4372

SHA1
e882a91f827db6575dbb81f91f6c4bdddffd5c8e

SHA256
db4fe88dea3deaeae945c878610bb47ea5fd3155c381467c820ccac3c6eba3ae

SHA512
a9b035864c86ccb121c71ccdfd36ee09f4fe7a52246d3834d835b54903d61f56340cb5391788ef9033d6d848aca395b267de75c2538b30c444a94dcfee9805b1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
eff801f520c13017535792af235786cb

SHA1
660bb5a05dcc3daaa5fdc21b4537b11861c183ac

SHA256
b95a6d40e91a0aa106fc3383e02ea785b32618588357c3f6ee8c58295a98bb8f

SHA512
6bcc506d260c4753fb6cb3bf1384fbde204efc216863a956e7c4167ffb76665443b899e55aabb5a04e1e253a35bb3bdc95c6a509a9932baf885ee1e3dcad02be

Download Submit
memory/364-619-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/364-639-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/544-338-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/544-615-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/664-302-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/664-563-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/676-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/768-114-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/768-237-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/768-99-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/768-105-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/768-113-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/768-108-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/888-753-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/888-746-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1040-727-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1040-749-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1136-0-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/1136-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1136-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1136-107-0x0000000000B20000-0x0000000000E40000-memory.dmp

Filesize
3.1MB

Download
memory/1136-81-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/1240-298-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1240-536-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1496-115-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1496-241-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1496-738-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1496-112-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1520-293-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1520-161-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1572-456-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-428-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-295-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-436-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-640-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-642-0x0000000003E30000-0x0000000003EEA000-memory.dmp

Filesize
744KB

Download
memory/1688-709-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1688-724-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-593-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-580-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-89-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1884-212-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1884-82-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1884-88-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1908-478-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2060-427-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2060-264-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2088-311-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2088-213-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2100-679-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2100-696-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2116-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2116-126-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2132-294-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2144-185-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2164-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-278-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-285-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-521-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-579-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2176-307-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2272-202-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2272-209-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2272-301-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2272-306-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2380-208-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2380-59-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2380-65-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2380-60-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2416-272-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-239-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-614-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-606-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-764-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-252-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2524-337-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2584-28-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2584-29-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/2584-34-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/2584-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2592-605-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2592-325-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2640-277-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2640-140-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2652-564-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-571-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-261-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2660-127-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2692-44-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2692-51-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2692-45-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2692-79-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2732-590-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-597-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-182-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2736-177-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2740-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-693-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2748-484-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2748-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2912-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2912-139-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2912-17-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2912-23-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2936-312-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2936-589-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2972-729-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2972-723-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3016-629-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3016-616-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download