6abc61d13cded9213dcae47aa1449914f584ee349945a2228d1400d03532dcfb

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
Size

5.8MB
MD5

54f2c9e4eb52fdf31a77bb74d78f94f0
SHA1

2bbc74dd967174152c48f15f2803da2f041f1aa8
SHA256

6abc61d13cded9213dcae47aa1449914f584ee349945a2228d1400d03532dcfb
SHA512

aa6b4e5daf37ee7699168f63d60eac4b1823d2d443511e3eda834c925132586ee6fa8fec1b4fc898f29dcf88eaaf2e55c156b13afe927abae851883bda6d0797
SSDEEP

98304:DNDwSlUk9KPsUxfAdNmTVi+qkPZKOBuyaoY7cjGi+pFtFR:D1Uk9KmdNmTsOBuyaopjG7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeehsched.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2936	alg.exe
2380	aspnet_state.exe
1596	mscorsvw.exe
576	mscorsvw.exe
2288	elevation_service.exe
1912	GROOVE.EXE
2328	maintenanceservice.exe
1140	OSE.EXE
2476	OSPPSVC.EXE
1960	mscorsvw.exe
1168	mscorsvw.exe
1512	mscorsvw.exe
2184	mscorsvw.exe
2156	mscorsvw.exe
1568	mscorsvw.exe
2368	mscorsvw.exe
2324	mscorsvw.exe
2260	mscorsvw.exe
3020	mscorsvw.exe
1272	mscorsvw.exe
2188	mscorsvw.exe
988	mscorsvw.exe
2784	mscorsvw.exe
2748	mscorsvw.exe
2404	mscorsvw.exe
2600	mscorsvw.exe
564	mscorsvw.exe
1408	mscorsvw.exe
2024	mscorsvw.exe
2980	mscorsvw.exe
1088	mscorsvw.exe
540	mscorsvw.exe
1828	mscorsvw.exe
2056	mscorsvw.exe
1748	mscorsvw.exe
1176	mscorsvw.exe
2516	dllhost.exe
2304	ehRecvr.exe
752	ehsched.exe
1960	IEEtwCollector.exe
540	msdtc.exe
2168	msiexec.exe
2472	perfhost.exe
2528	locator.exe
944	snmptrap.exe
2116	vds.exe
1004	vssvc.exe
2176	wbengine.exe
2280	WmiApSrv.exe
564	wmpnetwk.exe
2308	SearchIndexer.exe
2864	mscorsvw.exe
2296	mscorsvw.exe
2700	mscorsvw.exe
2900	mscorsvw.exe
924	mscorsvw.exe
940	mscorsvw.exe
1696	mscorsvw.exe
1656	mscorsvw.exe
768	mscorsvw.exe
2800	mscorsvw.exe
1592	mscorsvw.exe
924	mscorsvw.exe

Loads dropped DLL 53 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
2168	msiexec.exe
468
468
468
468
468
744
924	mscorsvw.exe
924	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
768	mscorsvw.exe
768	mscorsvw.exe
1592	mscorsvw.exe
1592	mscorsvw.exe
2876	mscorsvw.exe
2876	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
1616	mscorsvw.exe
1616	mscorsvw.exe
1048	mscorsvw.exe
1048	mscorsvw.exe
2740	mscorsvw.exe
2740	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe
2020	mscorsvw.exe
2020	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
1460	mscorsvw.exe
1460	mscorsvw.exe
1592	mscorsvw.exe
1592	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
2604	mscorsvw.exe
2604	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

Processes:

aspnet_state.exeSearchProtocolHost.exemscorsvw.exemsdtc.exe54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exeGROOVE.EXEalg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c380a336ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

alg.exedllhost.exemsdtc.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D70A27A2-CF9E-4908-BD1B-AF0115D6AFE8}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3ABF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3F42.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4A68.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6A09.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3820.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP625B.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP47E9.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6BDD.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exemscorsvw.exeehRec.exeSearchFilterHost.exeSearchProtocolHost.exewmpnetwk.exeOSPPSVC.EXEehRecvr.exeGROOVE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006001745ed4acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0728460d4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{9E0ACE3A-DF64-4E3D-B77C-A77B16E98ABB}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000435a5ad4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2240 ehRec.exe
2380 aspnet_state.exe
2380 aspnet_state.exe
2380 aspnet_state.exe
2380 aspnet_state.exe
2380 aspnet_state.exe

pid	process
2240	ehRec.exe
2380	aspnet_state.exe
2380	aspnet_state.exe
2380	aspnet_state.exe
2380	aspnet_state.exe
2380	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exemscorsvw.exemscorsvw.exealg.exeaspnet_state.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2380	aspnet_state.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: 33	3068	EhTray.exe
Token: SeIncBasePriorityPrivilege	3068	EhTray.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeRestorePrivilege	2168	msiexec.exe
Token: SeTakeOwnershipPrivilege	2168	msiexec.exe
Token: SeSecurityPrivilege	2168	msiexec.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeDebugPrivilege	2240	ehRec.exe
Token: SeBackupPrivilege	1004	vssvc.exe
Token: SeRestorePrivilege	1004	vssvc.exe
Token: SeAuditPrivilege	1004	vssvc.exe
Token: SeBackupPrivilege	2176	wbengine.exe
Token: SeRestorePrivilege	2176	wbengine.exe
Token: SeSecurityPrivilege	2176	wbengine.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeDebugPrivilege	2380	aspnet_state.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: 33	3068	EhTray.exe
Token: SeIncBasePriorityPrivilege	3068	EhTray.exe
Token: SeManageVolumePrivilege	2308	SearchIndexer.exe
Token: 33	2308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2308	SearchIndexer.exe
Token: 33	564	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	564	wmpnetwk.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exeEhTray.exe

pid process

1720 54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
3068 EhTray.exe
3068 EhTray.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exeEhTray.exe

pid process

1720 54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
3068 EhTray.exe
3068 EhTray.exe

pid	process
1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
3068	EhTray.exe
3068	EhTray.exe

pid	process
1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
3068	EhTray.exe
3068	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
1184	SearchProtocolHost.exe
1184	SearchProtocolHost.exe
1184	SearchProtocolHost.exe
1184	SearchProtocolHost.exe
1184	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe
2716	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exemscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 1720 wrote to memory of 2472	1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
PID 1720 wrote to memory of 2472	1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
PID 1720 wrote to memory of 2472	1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
PID 1720 wrote to memory of 2472	1720	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe	54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
PID 576 wrote to memory of 1960	576	mscorsvw.exe	mscorsvw.exe
PID 576 wrote to memory of 1960	576	mscorsvw.exe	mscorsvw.exe
PID 576 wrote to memory of 1960	576	mscorsvw.exe	mscorsvw.exe
PID 576 wrote to memory of 1168	576	mscorsvw.exe	mscorsvw.exe
PID 576 wrote to memory of 1168	576	mscorsvw.exe	mscorsvw.exe
PID 576 wrote to memory of 1168	576	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1512	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1512	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1512	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1512	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2184	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2184	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2184	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2184	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2156	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2156	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2156	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2156	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1568	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1568	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1568	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1568	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2368	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2368	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2368	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2368	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2324	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2324	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2324	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2324	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2260	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2260	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2260	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2260	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 3020	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 3020	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 3020	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 3020	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1272	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1272	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1272	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 1272	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2188	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2188	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2188	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2188	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 988	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 988	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 988	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 988	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2784	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2784	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2784	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2784	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2748	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2748	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2748	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2748	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2404	1596	mscorsvw.exe	mscorsvw.exe
PID 1596 wrote to memory of 2404	1596	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54f2c9e4eb52fdf31a77bb74d78f94f0_NeikiAnalytics.exe" --type=collab-renderer --proc=1720
2⤵
PID:2472

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1dc -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 278 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 27c -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 270 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 270 -NGENProcess 27c -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 298 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 268 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e4 -NGENProcess 210 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 244 -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 294 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2ac -NGENProcess 210 -Pipe 1b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 210 -NGENProcess 284 -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:1204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 2b4 -NGENProcess 27c -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 210 -Comment "NGen Worker Process"
2⤵
PID:684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 274 -NGENProcess 27c -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 2b4 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2cc -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2c4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:2240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b4 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2d4 -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2cc -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 310 -NGENProcess 2cc -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 318 -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 318 -NGENProcess 310 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2e8 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:3016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 320 -NGENProcess 2e4 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 324 -NGENProcess 320 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 308 -NGENProcess 310 -Pipe 274 -Comment "NGen Worker Process"
2⤵
PID:1164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 330 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:2216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 320 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2e8 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 310 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 338 -NGENProcess 320 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 350 -NGENProcess 358 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 310 -NGENProcess 320 -Pipe 108 -Comment "NGen Worker Process"
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 35c -NGENProcess 338 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 310 -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 340 -NGENProcess 358 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:1940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 368 -NGENProcess 360 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 1ac -Comment "NGen Worker Process"
2⤵
PID:1272

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:1088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 360 -Pipe 10c -Comment "NGen Worker Process"
2⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 358 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 364 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 358 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 388 -NGENProcess 358 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess 380 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:2376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 388 -NGENProcess 3ac -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 360 -NGENProcess 39c -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 39c -NGENProcess 358 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 394 -NGENProcess 3b0 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b8 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:1156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 358 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 388 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 358 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3c0 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3b8 -NGENProcess 394 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c0 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3dc -NGENProcess 3cc -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3b8 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3b8 -NGENProcess 3c0 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3e8 -NGENProcess 3cc -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e0 -NGENProcess 3f0 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 358 -NGENProcess 3cc -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:2104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3f4 -NGENProcess 3e8 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:2908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3fc -NGENProcess 3cc -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2328

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1140

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1176

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2516

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2304

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3068

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:540

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
8c35110866f76b1c02ecea97dcbb46ed

SHA1
f91cf6a2a91eeb895243a39194afebdcf0de8e9f

SHA256
e544628d5b4a3e55b3d04082185d35d09f81737f48f59850cfa62b9b2d72e64c

SHA512
f567d6636d630f54f0eea4f8373bc37f30e5c45c2a7344803f901004840ad3b48d95a0de2ccc2499b7f8aea2eeccc19b9a905c53dda0af1d4a7cb3ae9331f77e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
6bc38aff0e847212976c45540499aa18

SHA1
f4d9ddec89c034da17de27b924d870124a025330

SHA256
9d96f387b1ac7169e85b55e33be3ce3abd0cb933ea74ebfff489231b08ef98c6

SHA512
c238026331cfcc22d407d5c25d6974f529e2fd70f9a99bb20f692ca9dc06ab1c292f48bc14818d039638c865771be82a2666e90ec0a50d1a4515e5b6b24e2fbe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
2b219207b2fc8e80ab69895493345e07

SHA1
fe10b8299a05757a856508fc3ef19223feeecc3c

SHA256
30733ea9ffc08f4ca01b59dec5dbe9f5c0c846b6ebaf98fae4c56917fd18b08a

SHA512
428900649675f014406f578467fda880912032f76b693efb6065ef3b87eb9704ece808c09017b3ed40a80a834b76c4fd845b6fc3a5398bb4313d31462898e924

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
04271bc92674a0db982a4825784c92ad

SHA1
f12b21cda50c295ea9b1a51bc9424b884331806a

SHA256
928ff8b15df6e637df091f52516a57d642ade365acb5cdac38453b2303a7bb82

SHA512
824539cf1cb4c4e7e46f67c8a7fa56e6099384cebe1841e3d927e446e51e91ff35f1010f766790b5d599ea7a2cbe4e1efb276078d7fdfd48a59797a7c2ef6c6c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
be11de890aaff5df251f57a27b889d67

SHA1
7802b388b3531f052de557b1eb113862c2b6cd14

SHA256
4b6ec6e65f81a46f8edf04edf5e5803a84ade34763fcf710f6bc9f4e7188aabc

SHA512
b0ebe9a23644919379083a7d59540fe32779f5a49e2e9938076fb3f09e45097f5febc3ed96b94759ee4fefcadc921866e32719f5a9b6e14fac56a84912041082

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
d9ce8a4112f7a535e68fd4a5e48b3ff9

SHA1
c149c74c29958ff7bb167c073f1b460915d27e5e

SHA256
1f96d4d4335419301a6fa69ac9338dff1b77a228ccb7e028015e40e63d24d01f

SHA512
80a237c64f9ad274bd951bf06cd85c74482e87b5a05705e16996bb53d53673de4531932691587fd7ab5ce4822728d85a0c0c1f5eaaf3b8f856159fb17f83ed68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
91a79585248e0fa48d2d5ca8a67cce22

SHA1
09d3412a0012f9d5f4c02f88c7972f90e75c670b

SHA256
549e5330c650ceb95748d9f8b573ea09e1ce2fab0279bb2703b146e7887204b2

SHA512
602ce6a09e30a455ba495c3422a580c74a05c70d8cd6bdb38476ee8ffacb351510a4947241ffa258c576257e0661e728bd3805523f0843e6b0c9ca9740e05190

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
0cdd4f143a2ce44e8c3260d2675baebe

SHA1
d52f3ad14d8aa3febefea561f1148e835938fbde

SHA256
2948606c03988f2858f5635b934967cc7e21bffdd0403e2a64afd1d3f6643a5b

SHA512
f030052f7c5743ca70eccd05c742cd8afaa9d24e450f682bd91a813f9daf13caf0f1b46397c35c2bf5db11e84422b9dcdbd3b943ae517a0c6d018ece4b22146e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
0068a4101a6a2c64a4a8b205bf9e85e3

SHA1
aff44fb484d7c20d6097b97dfc65a598c0bf055d

SHA256
5e55309edd0dd6a507f255ddf0471c06ce1fc1007c50316a9476acb43b3047e6

SHA512
31c680b47c0e43ad9db191371eceb14392c4b0a470a8e0bc32a81f511a88f0592d45bfec983e65cc1b6c59592f72135cbc71fafe38003e50dc6c6114af92dc06

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.2MB

MD5
f0a4b5a62f605f61720a481373bb674d

SHA1
2c5f2af3f0edbac3cdfae2919127aa718637492a

SHA256
f8f6a6dd42dfd2185fcd05b3ad81d782625c7af7aec324fd9bea3c1fa4e3afc0

SHA512
c9ea76925a11f03e7acf91d63499c33547dbf8c9f4c4b5eb16e21c332a17b46ead39be17a10804d6bf95ccc791c6ed70ed5a7c94601cee145a3dd4d2599a8baf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
89458d1fbf1550cbdf0d3e65521274f7

SHA1
198d5543ebbf818a7ee89089c9a3b36ce0c7e94b

SHA256
a0c22089243f1d5ccb84b156fbc315d33ff27e3ffeb8fef73055881dce45a86c

SHA512
361660b611d53d714decfb2786bb22d0f1972e52e50fd3cbd45c6fc228ab221d0921406887e970fea4e6ab32dc872c0e19ead8c0517b05f2becb9da49b0c7cbc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
7f58b4c49ac2d93cb95ccb7d4b4f9610

SHA1
2ab0499312e131b2f713ba6304593ef876f3283d

SHA256
5e2c73310c02ec3af5ae3b6f172bc99f12c5c2b19c9448d8dcc2e09d6bb8ce57

SHA512
14130e00df846e6d770e6889112a535a0fe8537aedd2bf5a8564b31c2408df5947c00187bc929b80639033bd98f274516948f66ae0fb5aa7fc0569df0bd97bf1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
ac49ee36499836db4f5e07a52e40761c

SHA1
4790f84b21c061ae44b6b870263e23465a52b8cf

SHA256
b7a2ed8abcbc1f36e81ee109ab0ccc063ddcaa0021eb30c9c9e1c41b77f1c6ab

SHA512
d2eabf703b9ff2825c035fdb69523e9c100d01cc706700c8a54dd6ce3cf0cd82b1ace47c62b886fc66cb88892b11fdc5d15c4bb420a36bdf63e45adf4052d074

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
09f00fc28b81db8c22c1f6afa47c4390

SHA1
96a8075a855505286729c5175a80a3dd2cbd5dc1

SHA256
59f691be7407b4fa87c985d9729f5d14139174a764c0fba46aa915f51fe531ce

SHA512
4a48b06670fcae34a81feee72b4a3265f38063b0bef363c27e936e3dfa44296bafd5610e215f6a2a08475977d7aa71ce9f1f8db81de23fdd68525d35bc958c67

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
b9a91d27a1ed2e1016979c3f700bb96e

SHA1
7f147632ebc053e68b32988064c5458402f00b58

SHA256
d530efd7529eeba203de961f76cd6bbb39729b8ed059fda510451151d7afcd9e

SHA512
e24a1cb4ac31795dcdb14dced10dd2ab7f634f0130e782913a8f2713a6ad1fffc4f3d635acbeb9776be76508627b85ec17d3c6ab44f6f673f9f0b671d4382dd8

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
1.2MB

MD5
5871c307e67cf80898ca8c45cd952f5c

SHA1
f92d33774485c8ed731ef63ba4f5045753da0538

SHA256
93f89874f7d6185415135d1f48efdc87f216613aef76168c9fe2e0b69e2aff6b

SHA512
62a524470b6653c62a3dae72f27b3d88df5d343be800fbc26f6f91aa26c59f1ee8b70446a196123afb9cc56852cd3f086bf26313a503c19874a1bd3ee1c18c0b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
2a40939cd53ecd88fe53a7688399036f

SHA1
ee2c6743bcee988c7f98cb48eceefe43aefa3cdc

SHA256
ce217bd8fb224b1dc499a43359a45311b12afa89a47212331c11be394d40734d

SHA512
dea67efd1a97d0059ec275c2fc606e0c3fd0e313af228a655bd5c7bee04a1f4c1b2713d465fa1dd87664e6a95afe539cf69b45181428fb1c86aa609a46a6a140

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.7MB

MD5
0dffe7f63e475f0fbf6adcae93593e14

SHA1
d98c479eeb5a958d76e17395734e228e50fc4bfe

SHA256
4851c8dd1707cee824666f69d178f7d1af88730403659f18b7b93a52f492eeaa

SHA512
ce6cfc3064a9c4ef74386c456088b2db3d00669721570af1a2325cbd301876c5f9fafde5465420ad22d6b71ce5de0c3998c4ff80a118ecbd3262f30d3194f972

Download Submit
C:\Windows\Temp\CabAEC6.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB01F.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\07911c8a412249e5c44242b799ade4dd\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
b9cafb5a0b64386e567f1909130f2cf1

SHA1
19607518a184d555f85a72d5f545920edf45e5fc

SHA256
2fda9d479fba85b2e040ee8404b6d84a0a201111df7855ece81ba4cc353abb05

SHA512
3aff06b9178b8e53f240a3263d61d5c42223318d53ad82f60443b3f1cdd4b8c31391a9ed02df9952ff3178389780538de6894ddd39dcdf773629539ac6a966b7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4aa3bef7f23561e36d8195fba9d8d09c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
b1a5ff50d4debbf5b8d3bbcfab62598a

SHA1
f482293cc76c6b2f53b01d5e98d9da0939f7da00

SHA256
142b3b1e54f5fa2d96c2b2a7b951bfd0bb9dbeff48302868cdf5790967f9a0ba

SHA512
9eb78c976d356f47e56b8a9804309db09571b075bd64de5720698786912e3248ec92386494346df0471cf225e19ec78ace1bb5d6c53bf788208669e81db6fef2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a4f56394f651165ad1374937bdfbf663\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
6835a281516f023aa1e0b8a40bfe9061

SHA1
ac8f518867d05a759da2ebf03184357c3726597b

SHA256
a97df7db3210faa86e63ecd872c4674e534f50e71c58f78326746eaacb33312e

SHA512
2f240fcd2de23d9065237a01d7de67dd4ae208c22e4ddb327db643be2c2c2953e93612d750d6e98052d3e8f55dc4dae90794792b9bbe5114a44ebf66bc8689be

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e3a4d28c9216d57326aff39c53b738dc\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
565ae13dfd08980aed7bb85c8d1cead8

SHA1
920df46d7caa93bc84dfe7203a00326a46e62006

SHA256
20f1f0d7f10195432bcb5d81d9183186562bb3f0466f5f80add8752ff77ba8ca

SHA512
320044397b8a294ff46f4c6f832fd3c7c7efca52a1b29d34edfe1a3c07f9989f378370012c97322f1fe5520e547f5256e08b9b3ff3f9df3c840ff138060ca7d7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
d32e2a45594d1b0a5ae03740ee4b08f2

SHA1
240657de8ac2697eab7b9c7dbf968d3cd5353052

SHA256
74e42657c373adc1246448c964bbda4d17bc46ed2ad4d2c865bbfebaf90d2dd8

SHA512
416cc4d64f5397f7cb0187d84864b2ca5edf291a40f6dace1689b9025d92675cd91f29fe395d599a7f142fed17e26d0bd5718eab002802d527b547e89701f2f4

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
2c334235b3ef0b273986b42ec2274ad5

SHA1
a594345ae5190a0af27a290e8b598124ca8614b2

SHA256
547c5039b072325cfacae1244ce19c8c1667b70e9d2681e0d89afc0dc06b4d1d

SHA512
fdb946a5f78d1f87fbae1626ae145ff3142e822b66b1a52c9924c636bf59c823898abc630bd085faac457421a01039fbf186069493e86166b2039e73029d22e0

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
5ac79f5e612ed02dd019cd3eb3b711f2

SHA1
d9787cd532133bbfb4a703d7979ca9a354a1d2d5

SHA256
c13ee32dd0ec6c02a0c48aeee29450ecba723316831527af705b3003c2d3bbd3

SHA512
c6a38ef6eef9cdaf0b27414e97404b3f6f3d03aa6ea154ef614d5050049fb90239270b2dd7fdf8c2814e319a34084007c4838edf1acd65e0f70d73649f3e53f8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.2MB

MD5
8eb53db80ab6b7c18cb99e021ad944d0

SHA1
1c3bff9a004c0d8e0f2a9692beb90dc7c27701d5

SHA256
35b1281440fd10d2b3589b7b02eaf6b51518ec1dd7dfcfaafc7eb503d1fba953

SHA512
b912410d976325cd86fc9ce2be4d640d0d57dfa9b16e4311b35f267a9fc870e7cdefa672922ac88c71982afbdd8cdc8858ab6d441b72ccba0b49f57a55aed3c7

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.3MB

MD5
c7880f0f40a535d810e81017aa72074a

SHA1
8e0b8d383b016fa3a69bc7744290e448caebc041

SHA256
21eb3758cf6387dedea86697f05fc4bffd55c5e1ac8447cc8eabd07c1d206439

SHA512
6753ce85654d074ed7b63a0b90c6cd8c231e705f7b7403f543bdb742440d748212ea39396588a8c2273d7e6290f4af01a9c396f8c07479a1781f3dcb7eb3c655

Download Submit
\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
13f662257e086145f7f99a854cb33743

SHA1
1d144b15e2696deefd3912f086d3db1cc3650e12

SHA256
b4e61e1c36a8bd7a7adbf249eb4487faa3ba00110f69c830d7a72651d1f718e3

SHA512
02024c26fc729b7f1c7f8b887bc52d9c491b418b44b4864504e215d009e8d4d65f53812fdf98ba33674a14b9d93648668e856cfdcdac1eaf83f6846d3021052f

Download Submit
memory/576-72-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/576-66-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/576-267-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/576-73-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/768-1028-0x000000001ACF0000-0x000000001ACFE000-memory.dmp

Filesize
56KB

Download
memory/768-1031-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/768-1029-0x000000001AD00000-0x000000001AD16000-memory.dmp

Filesize
88KB

Download
memory/768-1030-0x000000001AD20000-0x000000001AD68000-memory.dmp

Filesize
288KB

Download
memory/768-1027-0x000000001ACE0000-0x000000001ACEC000-memory.dmp

Filesize
48KB

Download
memory/768-1026-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/768-1034-0x000000001AE20000-0x000000001AE2C000-memory.dmp

Filesize
48KB

Download
memory/768-1033-0x000000001AE20000-0x000000001AE2C000-memory.dmp

Filesize
48KB

Download
memory/924-945-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/924-946-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/924-948-0x0000000001930000-0x0000000001946000-memory.dmp

Filesize
88KB

Download
memory/924-947-0x00000000018E0000-0x0000000001928000-memory.dmp

Filesize
288KB

Download
memory/924-950-0x0000000001A70000-0x0000000001A7E000-memory.dmp

Filesize
56KB

Download
memory/940-968-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/940-969-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/940-970-0x0000000001A30000-0x0000000001A4A000-memory.dmp

Filesize
104KB

Download
memory/940-971-0x0000000001A50000-0x0000000001A6E000-memory.dmp

Filesize
120KB

Download
memory/988-429-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/988-416-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1140-125-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1140-358-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1168-182-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1168-199-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1272-391-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1272-404-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1512-271-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1512-236-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1568-302-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1568-314-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1592-1066-0x000000001ACE0000-0x000000001ACEC000-memory.dmp

Filesize
48KB

Download
memory/1592-1065-0x0000000001B00000-0x0000000001B0C000-memory.dmp

Filesize
48KB

Download
memory/1592-1067-0x000000001AD90000-0x000000001ADA4000-memory.dmp

Filesize
80KB

Download
memory/1596-234-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1596-53-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1596-59-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1596-54-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1656-1014-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/1656-1013-0x0000000001880000-0x000000000188C000-memory.dmp

Filesize
48KB

Download
memory/1696-994-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/1696-985-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/1696-983-0x0000000001880000-0x0000000001898000-memory.dmp

Filesize
96KB

Download
memory/1696-995-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/1696-987-0x000000001AD50000-0x000000001AD98000-memory.dmp

Filesize
288KB

Download
memory/1696-989-0x0000000001AD0000-0x0000000001AEE000-memory.dmp

Filesize
120KB

Download
memory/1696-988-0x0000000001AB0000-0x0000000001ACA000-memory.dmp

Filesize
104KB

Download
memory/1696-984-0x00000000018F0000-0x00000000018FC000-memory.dmp

Filesize
48KB

Download
memory/1696-986-0x0000000001910000-0x0000000001926000-memory.dmp

Filesize
88KB

Download
memory/1720-18-0x00000000030D0000-0x000000000369F000-memory.dmp

Filesize
5.8MB

Download
memory/1720-0-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1720-8-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1720-7-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1720-28-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1912-101-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1912-93-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/1912-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1912-98-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/1960-157-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1960-185-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2156-283-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2156-300-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2184-286-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2184-268-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2188-402-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2188-409-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2260-380-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2260-359-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2288-82-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2288-90-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-281-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-88-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2324-329-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2324-357-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2328-115-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2328-111-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2368-312-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2368-332-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2380-169-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2380-42-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2380-49-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2380-43-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2404-474-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2404-463-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2472-20-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/2472-19-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2472-23-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/2476-376-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2476-138-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2600-491-0x0000000001AE0000-0x0000000001B9A000-memory.dmp

Filesize
744KB

Download
memory/2600-483-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2600-503-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2748-466-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2784-447-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2784-428-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2800-1053-0x000000001AD80000-0x000000001AD94000-memory.dmp

Filesize
80KB

Download
memory/2800-1052-0x000000001A950000-0x000000001A95C000-memory.dmp

Filesize
48KB

Download
memory/2900-931-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/2900-930-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/2900-932-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2900-933-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2936-156-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2936-36-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2936-35-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2936-29-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3020-377-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3020-392-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download