1bbb7f2bcc9324615dcbbec57604959cfbce716bbf4d8a7fd5861bff110590bf

Analysis

max time kernel
142s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Size

1.3MB
MD5

b5bac3ad7f835120fc5a1af43b6b5b60
SHA1

5b7a603ca49f0b99c87d10bf49e5394476b13f9b
SHA256

1bbb7f2bcc9324615dcbbec57604959cfbce716bbf4d8a7fd5861bff110590bf
SHA512

9168151eb036da34fce0987929b904f890359af7fd846a27ae89057fa107d545fad1975927c5eefea563ed93a8ccb3b7f96a47e024a364a414afacfa6c64ff64
SSDEEP

24576:KfGxypdYaHsK+fM2jEaNZBqoeW7V6tGLfHtqls+0:kGApdYksDM2jh3BqS7YtGL/Als

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exemscorsvw.exesnmptrap.exevds.exevssvc.exewbengine.exemscorsvw.exemscorsvw.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2912	alg.exe
2948	aspnet_state.exe
2604	mscorsvw.exe
2520	mscorsvw.exe
864	mscorsvw.exe
2476	mscorsvw.exe
1804	ehRecvr.exe
2368	ehsched.exe
2116	elevation_service.exe
2992	IEEtwCollector.exe
3060	GROOVE.EXE
968	maintenanceservice.exe
2024	msdtc.exe
2880	msiexec.exe
1492	OSE.EXE
2092	OSPPSVC.EXE
2564	perfhost.exe
2456	locator.exe
2460	mscorsvw.exe
1792	snmptrap.exe
1104	vds.exe
552	vssvc.exe
1308	wbengine.exe
1116	mscorsvw.exe
324	mscorsvw.exe
1128	WmiApSrv.exe
2896	wmpnetwk.exe
2680	SearchIndexer.exe
2080	mscorsvw.exe
692	mscorsvw.exe
1332	mscorsvw.exe
2448	mscorsvw.exe
1816	mscorsvw.exe
1672	mscorsvw.exe
1464	mscorsvw.exe
2616	mscorsvw.exe
2576	mscorsvw.exe
1396	mscorsvw.exe
2292	mscorsvw.exe
2648	mscorsvw.exe
2588	mscorsvw.exe
2156	mscorsvw.exe
372	mscorsvw.exe
1720	mscorsvw.exe
1728	mscorsvw.exe
2600	mscorsvw.exe
1548	mscorsvw.exe
648	mscorsvw.exe
684	mscorsvw.exe
1768	mscorsvw.exe
3032	dllhost.exe
1548	mscorsvw.exe
2240	mscorsvw.exe
2764	mscorsvw.exe
2732	mscorsvw.exe
676	mscorsvw.exe
1716	mscorsvw.exe
1736	mscorsvw.exe
1264	mscorsvw.exe
1860	mscorsvw.exe
1720	mscorsvw.exe
2968	mscorsvw.exe
2992	mscorsvw.exe

Loads dropped DLL 59 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
2880	msiexec.exe
468
468
468
468
468
756
468
676	mscorsvw.exe
676	mscorsvw.exe
1736	mscorsvw.exe
1736	mscorsvw.exe
1860	mscorsvw.exe
1860	mscorsvw.exe
2968	mscorsvw.exe
2968	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1020	mscorsvw.exe
1020	mscorsvw.exe
1160	mscorsvw.exe
1160	mscorsvw.exe
912	mscorsvw.exe
912	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1196	mscorsvw.exe
1196	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
1732	mscorsvw.exe
1732	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

aspnet_state.exeb5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exeGROOVE.EXEmsdtc.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\970a1f3eae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exeb5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C3F.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP233A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA61F.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3784.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9675.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ehRec.exeb5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exeaspnet_state.exe

pid	process
3040	ehRec.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2948	aspnet_state.exe
2948	aspnet_state.exe
2948	aspnet_state.exe
2948	aspnet_state.exe
2948	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exeaspnet_state.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: 33	2844	EhTray.exe
Token: SeIncBasePriorityPrivilege	2844	EhTray.exe
Token: SeDebugPrivilege	3040	ehRec.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeSecurityPrivilege	2880	msiexec.exe
Token: 33	2844	EhTray.exe
Token: SeIncBasePriorityPrivilege	2844	EhTray.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeBackupPrivilege	552	vssvc.exe
Token: SeRestorePrivilege	552	vssvc.exe
Token: SeAuditPrivilege	552	vssvc.exe
Token: SeBackupPrivilege	1308	wbengine.exe
Token: SeRestorePrivilege	1308	wbengine.exe
Token: SeSecurityPrivilege	1308	wbengine.exe
Token: SeManageVolumePrivilege	2680	SearchIndexer.exe
Token: 33	2680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2680	SearchIndexer.exe
Token: 33	2896	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2896	wmpnetwk.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2772	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2948	aspnet_state.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	864	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2844 EhTray.exe
2844 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2844 EhTray.exe
2844 EhTray.exe

pid	process
2844	EhTray.exe
2844	EhTray.exe

pid	process
2844	EhTray.exe
2844	EhTray.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe
1784	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 864 wrote to memory of 2460	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2460	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2460	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2460	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1116	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1116	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1116	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1116	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 324	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 324	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 324	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 324	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2080	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2080	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2080	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2080	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 692	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 692	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 692	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 692	864	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2660	2680	SearchIndexer.exe	SearchProtocolHost.exe
PID 2680 wrote to memory of 2660	2680	SearchIndexer.exe	SearchProtocolHost.exe
PID 2680 wrote to memory of 2660	2680	SearchIndexer.exe	SearchProtocolHost.exe
PID 2680 wrote to memory of 2440	2680	SearchIndexer.exe	SearchFilterHost.exe
PID 2680 wrote to memory of 2440	2680	SearchIndexer.exe	SearchFilterHost.exe
PID 2680 wrote to memory of 2440	2680	SearchIndexer.exe	SearchFilterHost.exe
PID 864 wrote to memory of 1332	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1332	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1332	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1332	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2448	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2448	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2448	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2448	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1816	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1816	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1816	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1816	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1672	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1672	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1672	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1672	864	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1784	2680	SearchIndexer.exe	SearchProtocolHost.exe
PID 2680 wrote to memory of 1784	2680	SearchIndexer.exe	SearchProtocolHost.exe
PID 2680 wrote to memory of 1784	2680	SearchIndexer.exe	SearchProtocolHost.exe
PID 864 wrote to memory of 1464	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1464	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1464	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1464	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2616	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2616	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2616	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2616	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2576	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2576	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2576	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2576	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1396	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1396	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1396	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 1396	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2292	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2292	864	mscorsvw.exe	mscorsvw.exe
PID 864 wrote to memory of 2292	864	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2604

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 248 -NGENProcess 1f0 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 244 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 23c -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1d4 -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a8 -NGENProcess 23c -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 214 -NGENProcess 1f8 -Pipe 218 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 268 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 1f8 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1f8 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1c4 -NGENProcess 1e8 -Pipe 21c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1e8 -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2a8 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 240 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1f0 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 2a8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2ac -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 260 -NGENProcess 1c4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 244 -Pipe 214 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 29c -NGENProcess 1c4 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1c4 -NGENProcess 23c -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 1e8 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1e8 -NGENProcess 2ac -Pipe 23c -Comment "NGen Worker Process"
2⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 29c -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b4 -NGENProcess 2bc -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2bc -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 298 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2bc -NGENProcess 2ac -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 2b4 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2b4 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e8 -NGENProcess 2bc -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2bc -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2b8 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2b4 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f4 -NGENProcess 2b4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2b4 -NGENProcess 2fc -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 310 -NGENProcess 308 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2b4 -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 304 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 320 -NGENProcess 314 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 314 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 304 -NGENProcess 330 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 328 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 32c -NGENProcess 34c -Pipe 304 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 308 -NGENProcess 33c -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 348 -NGENProcess 32c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 35c -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 32c -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 32c -Pipe 348 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 330 -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 32c -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 32c -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 384 -NGENProcess 330 -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 330 -Pipe 34c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 368 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 32c -NGENProcess 398 -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3a0 -NGENProcess 390 -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a8 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 398 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b0 -NGENProcess 368 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 368 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 390 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 394 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 368 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 388 -NGENProcess 3c4 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3cc -NGENProcess 368 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3a0 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c4 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 368 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3a0 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c4 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d8 -NGENProcess 3e4 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3cc -NGENProcess 3e4 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 3cc -NGENProcess 3e8 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 368 -NGENProcess 3e4 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3f8 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e8 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 40c -NGENProcess 3d0 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 1c0 -NGENProcess 3e0 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 40c -NGENProcess 3f8 -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3cc -NGENProcess 410 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 1c0 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 1c0 -NGENProcess 40c -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 404 -NGENProcess 41c -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3e4 -NGENProcess 3cc -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:1424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:2440

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
f2c244567ea8664d89f60a7471db2702

SHA1
be9fea506126407bec522ddf18582ece64815441

SHA256
79cb3e801c2d274976249b2a3febf3a4688858d38e97d9d5cfff46d41d17042e

SHA512
94f337588dfc9f6f4302dea6a06ca2833c1cb0ece2d5b8787debb85cf1e3ca2a262195c4e914804fd3efe326e1bc88a9afe6a5f44ee6149e845618181f340d05

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
8.4MB

MD5
cb20ab440f238897507016a5a7c831bd

SHA1
b1382d427cfc7a511e0296b784b12244d837df56

SHA256
b7febdca648ea9cbcdc589577998bd67e8133135c0520fbeb2ab96e5ca2a92dd

SHA512
f2a16197a8c01d969cf444a34608fc809159e50334be371a898a512c67201f94268c7eeca853949623dca7898822d7aff9e9e66730e98c3d312500aafae9f29c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
f16e939262c6df934852ffff4bb1c3cb

SHA1
8971cbdfee2fcc687362801ed9dedd6b98b1592b

SHA256
7a651dc84eb0e4c1ed59682f0e50732806a7a13aa2582a1ebe3044523517cc0b

SHA512
f54676129fcd1625eda1ee987a8eac43c64fe85b89ab8702532348939b41270eb3ff38487298ca7f3d25e32558d183bd6f75c38142577e18501fe9692b32b7f9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
d909ab5d70c8e862f2c36274b6a957bc

SHA1
f3311413ad4c41bff28e0aef301efdf6857d670f

SHA256
046de3a39dd4f03b8a177718e1eb77fed4489e35fb00238193110007fbbedae1

SHA512
f2fb80c0b1d0aa6ba8fe1653e846f169654e59347044e3dbb55c7b18465c6c944fddd876a700f4529f0b32b7030157444388aae88fb825870f70eb18a25b9ae7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
f3e9c5483f7a3a6169401646ddc7f07b

SHA1
abebe57b706b4c41b91757e49c9e7ee543bf2a19

SHA256
61d6bae5a98388fd882ed2c8ddb3f7dface26ad25edcaa61adfd42d4029e8a38

SHA512
bd75bc7be39dddc8b7d4241ca9f8b77bae119ffce58f955c5c7a832cb89fb0f1212411402cea156e27fe2788261494c2e1f9f0fddd0cc6af37649175165da20d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
91cdea04e73a6ea13b0b4b0ce2060c96

SHA1
41dca091aa4782157654c6daa6b59b60436efb19

SHA256
23eb181296199cd4989d986da10628f543346f49a84668195a1928d8d7eb2172

SHA512
3a5af3377971bff9d20b8f62874a49ffd3247e1e8fc1ff25fa2b930b9105bd5a08542a6ce6bd2626a7358e6c2275584f103be595beea10e96bc9538238492b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.2MB

MD5
34120dbd6b1a3878bc1820bf5ea87118

SHA1
f7398c045d0b6b43019918e9570e3decd632cb9d

SHA256
4a6b952c91540669a7889d8dd177836a18cc44483f619122d3901ed6418a751d

SHA512
ad112e07281b1601ca51ada4e5323c3c2183fd86cd2802ebaf9c1a6761860fc14c68a782f05af410f1d4e12569431bdb66352b74e30d302d42135573e8ac9a37

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
4d18004f32dbbb9d1516ce7db6ce1d74

SHA1
d6ea8ca81ed890c25e6db15658a4a734c3c38788

SHA256
e0b45d5d09b84519d39866218db4888ec10cad55c4f6ae74c08335fc56d42095

SHA512
fe79c37cea43e05393112662ba879186f34705af471bc6de5e65166adc39b1e6c0538d76dbc6855356ee4cc0d593acfce3cd3e3d1094d7f6b94ba422d53507ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
626f19da2c213f346acb28ab5bc60a7a

SHA1
5f7b1e5161a45e8beb11e0719137cd0a20caa53d

SHA256
083ce79e31a5ecd6f43a5976590b06a7e087704a9defcfc1fd7f1d8996c86811

SHA512
bd1a373ba174ec3a7bcdc285ac7ed573d568a6bfec0740ff4808ada788e2933af06d899a3c76c704ee3a2e76e426c24e5dba987743d35977965812563e2d562a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.2MB

MD5
fa20c7a3f2d9fdf848929bc7682aeb56

SHA1
1126fda498d606f6cf67d01e6137375851f81d0d

SHA256
4901f5c1b6521497e137550c7950d32bfff717e325e7c9b658ee7a700b720c42

SHA512
4b6a8af3deaed14a4d8b76e6f048c2494e6e207bf4881163e89533afb054824f2e43eb6f8ca79b493ffd02f245d365b5a88e4b0a461bde2af53584ce57808356

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
97b31c2c7be06f8e2c4aa8a08d9c8c38

SHA1
f3cecaf1508483114985dfcd1efb65b71bfb69e3

SHA256
dc690ab4138f24792241097b04dcb44586d1192592e08153a2154694b0fd5db5

SHA512
50913ed4d0aa198dbff95c3481e9d60bcb27d6c45997fe5376cd7da30d9853eabd887c99e13fee242da72bc22c9f34fe6314ec5c4bbe6985568fde2c735e5be0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.2MB

MD5
ecfb77bc039d29e389dbf6317037491b

SHA1
b8b575990a6724edbe3b8dfbc76cb7051c5ed9dd

SHA256
a47022a62cf45687cbd49da58bd981ab3fec07817077bc93e63c167a09567c1d

SHA512
a2c74ff8a3e5760f2862fee434d7022ea772323b2cdc94fef269d0307c36dcfb34dedf79961338c67e4b6c2228450907c4454e8e217ce8c4d762a3ac6310c49f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.2MB

MD5
ae8a3892cdac7a08ca122f69ef317603

SHA1
2b645e5c8948353ab7c0724a34c981aadd31a00e

SHA256
abba840a8683e6f8b896f49c282493e3f0eea63db375943e04a53ae258b18b0a

SHA512
a3d6898b2d410d4614d4e7621f351790c47892dedb9161780dd7fd864cf7bb4f0a42f0af73f5fa8327039f3fe3dd0c823828184546f274ba226b54e82fa3c918

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
67cfc0a2f257b02c0e8cf74355300c82

SHA1
ed14a32a71205085b2b50a93dd76bfc2010c74b8

SHA256
7c465d2c9efa1a9f23e5fd8468ea645ccf51a70804f58ffcea24569bf88d35f3

SHA512
0b1f01a2535d44928796c648750e4ac5c4555573c7b5e996a2ecbd23a21a063f7e44820e6c76511a7e723490249e016e385700af8b98a07e8b9bcc424b6d73c9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
4ccebcb8c54b246beaf8f287985f1a59

SHA1
cdd1cc5f5a0b80d015bbfa8623de364a16411edc

SHA256
082c89716452cca78f6b01a84d173054b3c004ce14c3ff565bd5cbe753ae9027

SHA512
3d8ba4ab1325892ef65c74a69b5f90f974c3407a25239e7181505b46bb3b72de06ed74b984919b86cee861038688565cad59021ac8f45f87d56df6f4fe96852a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
cd55b4e1b3673bc1bf58d9b5b4e7f001

SHA1
335ac21d84565bef4f105f0af950f60755dd97fb

SHA256
e97174c30a8ff8fe74ea019215e36b92ce3a6335efaca9a390337c10c1a6c3a6

SHA512
0ceb83e71e4ca4a1480306377b18a642e76c5a04ad6fea3ed0fb1bd36b512c0c704e3bad4c6380b5d4948918a4b2d29ac1d8b4e1199e3627873d39e6b221d1d8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
83813c510dc70180a4b0030a2caed9d5

SHA1
3f12b4811e71ee66526fc98c24dd84b0f630582b

SHA256
1a533be1719a160bcceefc7a2dc54da9fc21a372551d49385bcc828691cb4578

SHA512
cc9be020a622ae9b223220bdd9c51cd56d37f2151bb036c1cf1e3097ada9e210d59961a2d3424b5bc051ea6af93a9598d25465f6c0af1d22dc15ea6cdc977039

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
87b1e860b79098a2d654167b4c935c9e

SHA1
457f01caa0b19f87b5022127acd35a5ce7a12db9

SHA256
b7fe54cf683823cc343f2ab6be7bb62d15ee25b82e79a2354259bd4ecb58a459

SHA512
2b6c6358df97599b34b5bb1bffa42c74fa9532ebc8310de57b33356bd9b12a12a55de5d3e03e5ff4e9a187a6eacfddac2ea5566325e1a65c093693502e39d613

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
1.3MB

MD5
1435f7d9307c2e287459b6284de3698e

SHA1
45024df93189b16347f2ba5883c8939ea562a09c

SHA256
0ef2175fa42aceaf343b1e5e09c84c88b0f1b4622e81fa41a486f26a934cf427

SHA512
c43c8185727ce8cc0b19cda44691237c9dc0e76331b4dda5923de0b7d6cd47654c5ca39f2b56b9bd0e3620dc20cc62713e40c285e5765fbfe2e1551835d9efc6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
b9233cfc863623cf694bb09956edd01d

SHA1
5620015304de2dceba7cc296c75078c736765c90

SHA256
f6ea0a71e53b8f5f2ab280ee7dbb297e154fac114f876c26e5583b6b086b1f6a

SHA512
e6e01aaf9a4ae2d0861abbee8340f71ce158458389acfa053a48e8b508bdb2b71b30c26f68deb17ccccfd08a0a2cb99eb508a1950a6f18dd74893291bd51b4d1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.7MB

MD5
807894feaa89c71567bf6106a4e7be68

SHA1
eb1d1cb0f71c1ff0c9b92df71422841d562c1a9f

SHA256
82e760bbd4e9c1bf3e41a2888ce332f736e9219cf5e049c4204f0549dbecfeea

SHA512
de3152372c92e9f70a4dd6dd91ae20b3c62dc8c49204ec546289104e16fd8021c4d5f670c6a8080ef62b7bd4833cfb5b3abbf38e2253f0ecc7a11a678429eb10

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
b74cdaf9114cac5182e031aee6f95974

SHA1
7e6d9ae15874af9ea6e82b660ae02d1276126b6e

SHA256
20873f57a3d709e01423c44e08983c313b511eca6c9096209db46d7b7a8c2f91

SHA512
1ac6e1211b05680981708f557e4334b35f7dbf934d1c03af87ddf3e972ecc8364d300330b938bbba81c8bf5ed6d0b7db0a3408592398d75b4c7f9c488d5b7ede

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\36c36ecba49df8b9e53df57de0be201e\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
026c23f2948de46351e701b5e9d2961c

SHA1
24a78697460b9b0c939f0c63c2168bc838c04bda

SHA256
9231f4995ca69fa223269326fe853fe9c87cafbf0c044c997128be2707344188

SHA512
9d7b1049ee90a94d5c631683f18c93a4f98d4282a97922531eecf886a096bd8bdc83265b40b7938e87d8c1a550c98f402a63405755037d63dfc33dfd0570a341

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c4f8ab5fc75e8acc863a8470e1eddc38\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
4c1293e089b21e4b0b2c4d09b9f9172d

SHA1
be6f779d8c25e5ed5a7481bf8650747fe6578205

SHA256
5ad8d1720446e1cc597211659d2ebc708df0c17ebe47f15fc48ebe025deb9409

SHA512
b305c70f8bcb3d7eff72812b610c2dc6c2608387e37699309195c45fcbb545972ef255c24a11ace85cf53d579cb57bbacb07c3731c1ffdeef6cd4089ed3e6311

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e4b77a7504681ac78d93b5287536f9fd\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
a3dfec2eff36bfb73a9326203e24088d

SHA1
6ffad1d7315e07aac4ca121a2fb48d33fcb755d9

SHA256
b8a0fc2c5fb4efadf942554d7644b4934ec31a197d3573cef50255060b3b1670

SHA512
900f48f4ac9332a37280430a3ab7f3c4b491bb791647615ea210c56dd116d3c85e3e404ff57ad0a5fd98d0b15160fc7a8da6150dcc9d778dbfb239a718c03369

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\eca609ad30ec53ce860819964030b978\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
665af2ac229289a30edec73980da1d36

SHA1
f0d19393886a429f3095665ba044d20e81069b91

SHA256
6a0fd8ec3ab43abecc8913e901fbbceac84bfbf5c72712c238d9877d8e7187b5

SHA512
02dde30add007d491d74b37dfaf55555143f94c742339435601e7c280f48fd24441796e039eff9302adbce946b50035c6798c1462ed4de0f8d881b7c6af2935c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
0cb7fa009b54a358dc80faf0043ce8bc

SHA1
a015daecdeba864d56496f91a4c9b2cdfb50dc04

SHA256
f810d75c2587d46e65c00b196bae86b1cce58629e118c21b22b11217824d98ad

SHA512
46d184db261c881b80ce1b8f97173ca2dbc30ff5beffbeb1f4016fe8e81529de0b99dab2c15938d3aef25b1aeea37ecaa216e3f5c771a38564149a59d3630563

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
631c72e6448c5b993bd757de0585a41c

SHA1
2d827a988990fdd67f0ab246e0a60a483c758b66

SHA256
a8e984526256e206d72dfd506e5342c82f649d6a681adb4ab793d40dba0bc4b7

SHA512
3b388e379029e03db7903ca96c83ae97d3bec294e00d20b6984d86038525d4b33049662a9a5df6da1cb1ec18685c08e03ee1bbd93e132bd01abbf96b5934c773

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
79cb6d70bf36e0369dab178c2cf6bc5b

SHA1
f8616b0824f6ac2dde1f4a3de4801dc855b662af

SHA256
d75c3a1e531213be3ea8cfaaf76ba78ce7056553d26172ee14966896ac3845b4

SHA512
f70b36cd8a0422e378e6503ea313d595c9caf45a829873a1239e18df6f1309ab7f8a550eabf14ba79abf4328cb4d6ac4376faeeb5ccdf851871433884f79d138

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
690d5ccc02f248a31ec335ee807202c4

SHA1
a8e1b26ca43a07b6fbf962bd6ee16974b739834c

SHA256
81bbac20f08a5c63688482551db45d7953082182360b123d4df2a9ee564a8ec5

SHA512
099b18571b4797bc3249b86bc230fd08afb46e9cce9b076dd9d799e9059dfca2970779f85ac4069066968adbf1444e5521fe4458cffe58bbfdbe4fba18ec66f9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.2MB

MD5
f0307560964e56bbe3b11dca93878584

SHA1
c825b3e3a29cd98561eaec6fde5f84af1e74411e

SHA256
d588c2e09f9141005c15f69b7e1f3675004bf111072287ae837dba2b4a89226d

SHA512
dfb281e0841098283071ca8cb00a0fb1603d63f2092e8438ff90e72d63ff544978b5f37b05f1c91cb8ca589be51622f90d824c49df78a2ca5948112677062b4f

Download Submit
\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
3a3ec2413ccdb95b14234e64d959aaed

SHA1
ef03eea50b2f85a290ccb73ab32b2f49c87a36cf

SHA256
223a0c7d103d5e38bb949fdb0e225e30e38238b7a8b3ca1ec4cf294ea10c1c53

SHA512
b406ce0700fe3bd24f6e5a4b0f8e8784afa372614d9d60dde58011320561341bb91fab9c33de0291e03928f4126e64f1b0ef9355dcbb62a2fa3d76d2ecd4f604

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
a6b86340de58e72c2adb6373504a6cbe

SHA1
eccbfc8f90770cad3ee6d9e05612d49c27071550

SHA256
5cb0efbda58cafa3932ca502df5aef35220caaf1358c1c5b36c4273ff05831f2

SHA512
4a1a1e51f5dba5816785d2a05cb9ea7020faf8c486b2b9ce93cc29ed80a6889443df9b958355ae5f58d13602b4e783af6e789bde963f5386bbadeeff82c916f4

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
9213c1d833c1429f6a93af78a856229b

SHA1
0ddc252e798d81ae13b321e35b414db172daa747

SHA256
430c75d623522da74ccbd007500e352da429d118a4644afd80da73fc8946d072

SHA512
e5507ff846d855a45b1ee661dff6f8dd8943ae41bec53061dfcc8dcbf69e61ec3d50e79e0bcbc1e6cc6749a0e7bb31d7caea3474ca8632a40862ee6d5ea73ee1

Download Submit
memory/324-278-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/324-382-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/372-657-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/372-640-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/552-249-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/552-461-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/692-389-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/692-440-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/864-180-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/864-69-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/864-67-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/864-73-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/968-163-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/968-171-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1104-434-0x0000000100000000-0x00000001001AE000-memory.dmp

Filesize
1.7MB

Download
memory/1104-235-0x0000000100000000-0x00000001001AE000-memory.dmp

Filesize
1.7MB

Download
memory/1116-277-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1116-263-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1128-283-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/1128-524-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/1308-479-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1308-253-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1332-436-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1332-463-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1396-568-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1396-583-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1464-531-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1492-279-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/1492-193-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/1672-512-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1720-654-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1720-673-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1728-664-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1728-682-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1792-232-0x0000000100000000-0x000000010012F000-memory.dmp

Filesize
1.2MB

Download
memory/1792-395-0x0000000100000000-0x000000010012F000-memory.dmp

Filesize
1.2MB

Download
memory/1804-100-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1804-108-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1804-112-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1804-107-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1804-113-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1804-196-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-494-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1816-480-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2024-238-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2024-167-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2080-415-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2080-378-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2092-282-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2092-199-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2116-136-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2116-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2156-622-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2156-638-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2292-588-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2292-580-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2368-116-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2368-204-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2368-115-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2448-470-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2448-460-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2456-300-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2456-226-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2460-266-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2460-228-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2476-90-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2476-84-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2476-92-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2476-185-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2520-46-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/2520-77-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/2520-47-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2520-53-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2564-212-0x0000000001000000-0x000000000112F000-memory.dmp

Filesize
1.2MB

Download
memory/2564-287-0x0000000001000000-0x000000000112F000-memory.dmp

Filesize
1.2MB

Download
memory/2576-569-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2576-543-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2588-626-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2588-610-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2600-685-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2604-37-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2604-31-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2604-63-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/2604-29-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/2616-525-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2616-550-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2648-602-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2648-598-0x0000000003E20000-0x0000000003EDA000-memory.dmp

Filesize
744KB

Download
memory/2648-589-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2680-301-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2680-564-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2772-1-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2772-6-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2772-106-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2772-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2880-248-0x0000000100000000-0x000000010014C000-memory.dmp

Filesize
1.3MB

Download
memory/2880-181-0x0000000000610000-0x000000000075C000-memory.dmp

Filesize
1.3MB

Download
memory/2880-252-0x0000000000610000-0x000000000075C000-memory.dmp

Filesize
1.3MB

Download
memory/2880-179-0x0000000100000000-0x000000010014C000-memory.dmp

Filesize
1.3MB

Download
memory/2896-296-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2896-542-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2912-127-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/2912-12-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/2948-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2948-140-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2948-25-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/2948-17-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/2992-141-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/2992-227-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3060-161-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3060-229-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download