expiro | 9b5362142a7a4cbb8fdd1f2d947ebedbde5289f245e3777601ff964672a1d700

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
Size

875KB
MD5

0e151bf158cee4eb0de5c8dc297b09a0
SHA1

382d97c653365402dc7b88703f01c22950a5e37f
SHA256

9b5362142a7a4cbb8fdd1f2d947ebedbde5289f245e3777601ff964672a1d700
SHA512

0e41168f3c4d757ac67ee4d03460d4b710d86115c04d9b04a8eb9550d17d52f8cc7fbeb91d29b8353ee594c545e8cc1542cf3804579751a2cc696d7b64da12df
SSDEEP

12288:GQWN/7YkrWBfWhvRhQUAIUfezD/LoN/MhVl1cJ6Q5joTeRH6R:GQWN/7DSBfWhA030Nc1ujo616

Score

10^/10

expiro backdoor discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 4 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1736-44-0x000000004AD00000-0x000000004AEFF000-memory.dmp	family_expiro1
behavioral1/memory/2572-66-0x0000000010000000-0x00000000101AF000-memory.dmp	family_expiro1
behavioral1/memory/1644-91-0x0000000140000000-0x0000000140377000-memory.dmp	family_expiro1
behavioral1/memory/2816-241-0x0000000140000000-0x00000001401EE000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
2572	mscorsvw.exe
476	Process not Found
1972	mscorsvw.exe
2412	mscorsvw.exe
2816	mscorsvw.exe
640	dllhost.exe
1644	elevation_service.exe
880	mscorsvw.exe
496	mscorsvw.exe
612	Process not Found
2012	DllHost.exe
2140	mscorsvw.exe
2132	mscorsvw.exe
1412	mscorsvw.exe
2876	mscorsvw.exe
2724	mscorsvw.exe
2744	mscorsvw.exe
1896	mscorsvw.exe
1664	mscorsvw.exe
2660	mscorsvw.exe
2096	mscorsvw.exe
2844	mscorsvw.exe
684	mscorsvw.exe
2188	mscorsvw.exe
856	mscorsvw.exe
1700	mscorsvw.exe
2400	mscorsvw.exe
596	mscorsvw.exe
1288	mscorsvw.exe
1640	mscorsvw.exe
672	mscorsvw.exe
948	mscorsvw.exe
1536	mscorsvw.exe
2896	mscorsvw.exe
2740	mscorsvw.exe
2460	mscorsvw.exe
2660	mscorsvw.exe
3052	mscorsvw.exe
2828	mscorsvw.exe
1632	mscorsvw.exe
2168	mscorsvw.exe
1504	mscorsvw.exe
2768	mscorsvw.exe
2884	mscorsvw.exe
376	mscorsvw.exe
1528	mscorsvw.exe
1964	mscorsvw.exe
2304	mscorsvw.exe
1868	mscorsvw.exe
696	mscorsvw.exe
2272	mscorsvw.exe
1604	mscorsvw.exe
1212	mscorsvw.exe
2268	mscorsvw.exe
2264	mscorsvw.exe
2600	mscorsvw.exe
2760	mscorsvw.exe
2204	mscorsvw.exe
1280	mscorsvw.exe
2768	mscorsvw.exe
1804	mscorsvw.exe
776	mscorsvw.exe
2292	mscorsvw.exe
2860	mscorsvw.exe

Loads dropped DLL 45 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2724	mscorsvw.exe
2724	mscorsvw.exe
1896	mscorsvw.exe
1896	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2844	mscorsvw.exe
2844	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
596	mscorsvw.exe
596	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
948	mscorsvw.exe
948	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
3052	mscorsvw.exe
3052	mscorsvw.exe
1632	mscorsvw.exe
1632	mscorsvw.exe
1504	mscorsvw.exe
1504	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
1528	mscorsvw.exe
1528	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe
1212	mscorsvw.exe
1212	mscorsvw.exe
2264	mscorsvw.exe
2264	mscorsvw.exe
684	mscorsvw.exe
684	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3452737119-3959686427-228443150-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3452737119-3959686427-228443150-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\H:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\E:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\K:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\G:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\O:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\Z:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\Q:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\T:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\N:	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\svchost.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\vssvc.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\ui0detect.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File created	\??\c:\windows\system32\vds.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\fxssvc.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\locator.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\snmptrap.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\vds.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\msiexec.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\wbengine.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\dllhost.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\msdtc.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\system32\alg.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\ieinstal.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99AE2388-7DD0-4412-AA69-2125CBB68338}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1075.tmp\stdole.dll	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2FF6.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC774.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD45F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC024.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDC3C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCFCD.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD21E.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99AE2388-7DD0-4412-AA69-2125CBB68338}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC590.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBD08.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1736	0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeManageVolumePrivilege	2012	DllHost.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe
Token: SeShutdownPrivilege	2816	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 880	2816	mscorsvw.exe	36
PID 2816 wrote to memory of 880	2816	mscorsvw.exe	36
PID 2816 wrote to memory of 880	2816	mscorsvw.exe	36
PID 2816 wrote to memory of 496	2816	mscorsvw.exe	37
PID 2816 wrote to memory of 496	2816	mscorsvw.exe	37
PID 2816 wrote to memory of 496	2816	mscorsvw.exe	37
PID 2816 wrote to memory of 2140	2816	mscorsvw.exe	41
PID 2816 wrote to memory of 2140	2816	mscorsvw.exe	41
PID 2816 wrote to memory of 2140	2816	mscorsvw.exe	41
PID 2816 wrote to memory of 2132	2816	mscorsvw.exe	42
PID 2816 wrote to memory of 2132	2816	mscorsvw.exe	42
PID 2816 wrote to memory of 2132	2816	mscorsvw.exe	42
PID 2816 wrote to memory of 1412	2816	mscorsvw.exe	43
PID 2816 wrote to memory of 1412	2816	mscorsvw.exe	43
PID 2816 wrote to memory of 1412	2816	mscorsvw.exe	43
PID 2816 wrote to memory of 2876	2816	mscorsvw.exe	44
PID 2816 wrote to memory of 2876	2816	mscorsvw.exe	44
PID 2816 wrote to memory of 2876	2816	mscorsvw.exe	44
PID 2816 wrote to memory of 2724	2816	mscorsvw.exe	45
PID 2816 wrote to memory of 2724	2816	mscorsvw.exe	45
PID 2816 wrote to memory of 2724	2816	mscorsvw.exe	45
PID 2816 wrote to memory of 2744	2816	mscorsvw.exe	46
PID 2816 wrote to memory of 2744	2816	mscorsvw.exe	46
PID 2816 wrote to memory of 2744	2816	mscorsvw.exe	46
PID 2816 wrote to memory of 1896	2816	mscorsvw.exe	47
PID 2816 wrote to memory of 1896	2816	mscorsvw.exe	47
PID 2816 wrote to memory of 1896	2816	mscorsvw.exe	47
PID 2816 wrote to memory of 1664	2816	mscorsvw.exe	48
PID 2816 wrote to memory of 1664	2816	mscorsvw.exe	48
PID 2816 wrote to memory of 1664	2816	mscorsvw.exe	48
PID 2816 wrote to memory of 2660	2816	mscorsvw.exe	49
PID 2816 wrote to memory of 2660	2816	mscorsvw.exe	49
PID 2816 wrote to memory of 2660	2816	mscorsvw.exe	49
PID 2816 wrote to memory of 2096	2816	mscorsvw.exe	50
PID 2816 wrote to memory of 2096	2816	mscorsvw.exe	50
PID 2816 wrote to memory of 2096	2816	mscorsvw.exe	50
PID 2816 wrote to memory of 2844	2816	mscorsvw.exe	51
PID 2816 wrote to memory of 2844	2816	mscorsvw.exe	51
PID 2816 wrote to memory of 2844	2816	mscorsvw.exe	51
PID 2816 wrote to memory of 684	2816	mscorsvw.exe	52
PID 2816 wrote to memory of 684	2816	mscorsvw.exe	52
PID 2816 wrote to memory of 684	2816	mscorsvw.exe	52
PID 2816 wrote to memory of 2188	2816	mscorsvw.exe	53
PID 2816 wrote to memory of 2188	2816	mscorsvw.exe	53
PID 2816 wrote to memory of 2188	2816	mscorsvw.exe	53
PID 2816 wrote to memory of 856	2816	mscorsvw.exe	54
PID 2816 wrote to memory of 856	2816	mscorsvw.exe	54
PID 2816 wrote to memory of 856	2816	mscorsvw.exe	54
PID 2816 wrote to memory of 1700	2816	mscorsvw.exe	55
PID 2816 wrote to memory of 1700	2816	mscorsvw.exe	55
PID 2816 wrote to memory of 1700	2816	mscorsvw.exe	55
PID 2816 wrote to memory of 2400	2816	mscorsvw.exe	56
PID 2816 wrote to memory of 2400	2816	mscorsvw.exe	56
PID 2816 wrote to memory of 2400	2816	mscorsvw.exe	56
PID 2816 wrote to memory of 596	2816	mscorsvw.exe	57
PID 2816 wrote to memory of 596	2816	mscorsvw.exe	57
PID 2816 wrote to memory of 596	2816	mscorsvw.exe	57
PID 2816 wrote to memory of 1288	2816	mscorsvw.exe	58
PID 2816 wrote to memory of 1288	2816	mscorsvw.exe	58
PID 2816 wrote to memory of 1288	2816	mscorsvw.exe	58
PID 2816 wrote to memory of 1640	2816	mscorsvw.exe	59
PID 2816 wrote to memory of 1640	2816	mscorsvw.exe	59
PID 2816 wrote to memory of 1640	2816	mscorsvw.exe	59
PID 2816 wrote to memory of 672	2816	mscorsvw.exe	60

C:\Users\Admin\AppData\Local\Temp\0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 168 -NGENProcess 16c -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 244 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 178 -NGENProcess 1dc -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 26c -NGENProcess 234 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 164 -NGENProcess 274 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 23c -NGENProcess 234 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 278 -NGENProcess 114 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 234 -NGENProcess 114 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 284 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 278 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 114 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 114 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 114 -InterruptEvent 294 -NGENProcess 278 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 278 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 114 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 1e0 -NGENProcess 2ec -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 308 -NGENProcess 2dc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2ec -NGENProcess 308 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 314 -NGENProcess 2ec -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 324 -NGENProcess 2f8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 320 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2ec -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2ec -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 320 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2ec -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2ec -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 320 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2ec -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 320 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2ec -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2f8 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 320 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 2ec -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 374 -NGENProcess 254 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 254 -NGENProcess 35c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 37c -NGENProcess 2e4 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 35c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 2e4 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 378 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 35c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 2e4 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 388 -NGENProcess 35c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess a4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 39c -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 35c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a4 -NGENProcess a4 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 378 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 3a0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess a4 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 378 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess a4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 378 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3a0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess a4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 378 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c8 -NGENProcess 3bc -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d8 -NGENProcess a4 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 13c -Pipe a8 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3bc -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess a4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 13c -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1584

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
636KB

MD5
af5ea973af00ff29fb2ce3c865d8a911

SHA1
4bb536661e620a4be4a83a01ad4c2edc2f775800

SHA256
eee9d0c1d3d244dd2102a2bc9615cc1e62d3c24fbf7e9e6fa30b4be215dbe7df

SHA512
53395a5d4afa2404a2e7502ccb917fe4ee10bd29cd11b547ca9030363189c8516d2c3b11b912ec21645d86b85d700775b6707ebf1aa6eb56abead632ea297afd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
a04145bb930c510021eaedfd09eb9b3d

SHA1
0cc9f16e72ab560c936294aeac122d45e8043081

SHA256
0d39c569e0e6768865567f953ae5a1da8c851e26d139882dcba8d313ef81d890

SHA512
4f42090f6355975a52756482c6daf8f72f2d4869bcf42232f5e96ca9e9498a2ef65a42731675ec6bad3249ef80d5eef771a0924510d04693d5875b3b052e2a5d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
4f45db2c7e5a7beef452a7d9a2e31430

SHA1
9be362d8109a5d1bef58a25af727aaa8f0e71646

SHA256
5285b99374c917a4de51a716226e90a53525eea7fe2d76b242e1cba0337e9411

SHA512
70234aaa0b68317345c08e4c5d2d4e2bf8dcd48bd851a829299c3829804425c3c4e408619e45bd7a6eb562b78dc18390d2317a65c3c09f5f8f141de823f60f36

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
8f2425ac5b5da6250fb92a2b77f17c5e

SHA1
161527dd1d16d6924842d248d39553458d9d4135

SHA256
3476b316df2d85923e08c13f03c27dd49d73bdfde3bd83e7de3e0a8df1ff4fd8

SHA512
b01e0d4dcfb410ea2a4443e12444e838064fc8461297cc0a0a394039b60d0735937cdc5f3ee6756fe7d55cde47e474da72a9c8a56e4f92760f9ea8be0b1fb0b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
c9e87bd3d27470ef0e2c96f297a2316f

SHA1
84a7295d5b381f590eac9e52c4c13c5c318c22c3

SHA256
6bd8f38f54d11de4ba9c2d44ebf6f41062cbc8955be624f011e57ed07a92ed08

SHA512
b3a880a5564db64ccf3a6e191c80a7e407a8e548506e5a1c05780e5167f578382449ba84c30256493b80307edc3ca86b9c65ab79c4df8c4624372797b80cd636

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
754899dda8be1c748f118cc2dc7ed9be

SHA1
6a4bc3c6c8751022e43e6d09e133592531a4c792

SHA256
5adfe4d5fb4a9c2809774cbc18436ecac72342b9777561e39141f6a7afae243e

SHA512
0dab7eb0e4ff1b02da798be712d2dc533bc6b892e1ca28b22e2306fde01506b8c026f0f5b6f1c468845135d45bbb9756229b3a685f7c92509542f9cbaaf10838

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
089098da6cbf61f64ae3548ed76c0e07

SHA1
01b7274c4b56ca28ef4249134a2e051c324e4f9b

SHA256
a5443a41f5e36103116816ffece7018080b4e6654c6d259b5b6cd54759ab1f55

SHA512
b9ab18f132e634b52f7c6acf0083f11fd37b7543b3d648f4db61c9eb87aad555ed15b17d65cc96a02d857268d6e392533c0cb98dc6cca6d21e9da75ea005b08f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
29053fbb61fb5433407e1c8e6e40029a

SHA1
c23c9855adb42debf94815e1cdb298c608a2a0c3

SHA256
cc667989c76a560324f8676eb5be3ff5e9fdc887e49bccfafa50e29577189fc9

SHA512
0b5239594fc9765c191809b4a762915cb628aada6f425ae24a38eb23744113d1f05eccec03ad6bd2ba21d70db99d97594cd3a486c49f6d2ccca8055fae2d1188

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
24647e447f418e18c4c0911792a973a3

SHA1
1ffe5231b538147a156b1ae5a9fd9f321c5f0bac

SHA256
4cead13bbac7482e4eaef7d2348a3c01babf1a36300ffce37985e1d6a3670f96

SHA512
c74b7bc9cb6e74554864444b49822e509a71101420c88959932ee4b0b003a155fb52bec071057725c350fb7881d04912d5867eb796b3307aa3a6081d5a529849

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
25494363d331a8de2185b42b554c9897

SHA1
012e4c30ebf98a86a5997b9ea36b874e28f39c72

SHA256
50110d5831852aca2312871258353fbd666f19ab71a38e172341ac48e2478b80

SHA512
807d41807fed92575306c75afb1dd2236a8940d4e84303f4ab4d2c0782a2ce7da051036ad8ddc20257abf7eb615b3b390e75a9be3ad1e2e3387e6fd4468730a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
c8b334c0084f73b320bcdfcf7e2a2df2

SHA1
4dc11ca120bdd49716b587c686319313a3df03de

SHA256
c2407d79585eb9252d9fe629920b6c0704c3330ad7bc729440c3305cae3c62eb

SHA512
30b3884daad599507227cc5b8ae0d997c77fef427d5acc6356244ad08d3ca201ee30dce32d6a83b219bc5b48476d97d56230145abc3924758b1fd3b3b10c51f9

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
505KB

MD5
3d0a438c7f8e84fe22c686120688c8c4

SHA1
d558843f9ad9f0b5bd1bfce43a53617df8121af4

SHA256
d0d7faeec585f4489fa6e13847c0338f567d904392ecdfb56e146a5262ca2547

SHA512
83109a498be212986ac4fd3d150b67c837f555d0841484281e2a1e08ce13d8d9757ae4eb5a415970a8f4b6266b02675e9d06c48a336bba85bf98857d658001c4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1e7ac269d36bc6e17821134dc2112a91\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
de31d47f85bdc4e28b2bd55a11407886

SHA1
57b0f957c5fc6d9d4cb4a6e3e60f5b851c52b9de

SHA256
22a302202c4a78b399792182ea7005e4cd64aeedbf26401d0e8887266ea22e04

SHA512
ae46554c4f0d584029259836f99dc880bc3576732ec59f239d4012755d0fd1538da6703950707f029f7f13576e753e178b1b4b7cab8b23b28880299d0e27b35e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2515f32744625a8b3aadd786c9ed472b\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
ed243fab99aa1cd8b3fbd9e2937ff76e

SHA1
7662e42a20f49bca8e15cbb5cf01553c8d43b844

SHA256
6769ddcd4c998efcd5463985a8298fc0a1b3c02dde47a3b0715e0d8a3fe264a8

SHA512
bb5cfd94116109176094fdb52e882cdfe96655f5ee2ad436314e4f0bd46527cc435c77003c44a6dd16fbe71b94903473f68a929f2f35e363d3268a6b7863d39a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\448206bceba8f26f72807f7cfc999a84\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
f5b87d5eebc972c4654fa4638646d84d

SHA1
44757b8a748a3a155d7ac1fe8e1858df6494ed26

SHA256
aa5ffbdcb00d75cf573c9901aa286de89c6bc7b306635421fd05e33388230ca4

SHA512
a7bb2654e79f3a96570d386a1cb2ada3ccec5a74b00fb1b8ecf1e83eb5a440b327c2836a487acd742f33e78095830efbdd25e07fc5b656140b3c2c2d3060c60d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77e5d9365bbfa0066b2b596f67b6740a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
19ec34bb8650e0d401b30f055e1661da

SHA1
24c43193c977825d3c12e1d44e20f506cff522a0

SHA256
8497bd2add563011947523bc5520803d22346bc83b7b709fc59c80e4f91d5af7

SHA512
ba5a286a4ba33ff12d59149af9649f68a4e7458a7d64f222226a8a6b7432f6f15c14caac3141bb1ee799cc54a7c6ed62d31128330d294d35ddc614e4b6456cd2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
bc8187300fbd3b4c9845086da4a9487c

SHA1
9a269f5046c09f190deb766249bc992fab36ae25

SHA256
578c4a0e90e609b03442fe49c9e05b6dfea45d7958e9074be4e3fc3b79db26a4

SHA512
bc9c855cfe622646cd9ec760d78cb8723d9091b4d384a9c352914661d7289e62009e2ee4d4f5e77bc64ee9a2038d3bf8e738b19643789a590481c772a0a49c52

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
9b806de8a34a8f2d7d2b5a7666025d7e

SHA1
0184c81d55757fa3687367847b9820506aee8a4f

SHA256
3795265bc592a378672821f93180780644960776b5ecabca03b11294aa643529

SHA512
5567262c5c31603e9ca2a95445e359184ab9a588903bf99ca4fc77706b7559522bc778709fb2e2e158ec97710eca42a6d042b98069bea69681073f717a439b0e

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
711KB

MD5
d240dc0a8a000206fe924c80a3129caf

SHA1
2cf197a91767b836dd63aba2271134d07bd0379d

SHA256
46e21708f80953a86bd2ca1a535ebd5ea7ec193692ea10d598342f56b038122d

SHA512
345d0c211d6d53fdb7cb411acbf6d30d15d0b4fdf8b6cad39c7f3be10505298b818d85f600b74484e13c88d3bb2cdbf3c6200a22d3b8a181c76155f42f7448bb

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
1ab34314e5df5151c97ada42e34e8dbc

SHA1
1aabe6721756ae7605900fda40c1c3086d0d8a0a

SHA256
a6029d7ee52312e252e02fa0f1655f1bdbe80ed7facee517ca72531de4cd79aa

SHA512
577dd68e003835c9867eb57226ad1f9d959bc2e9d094857ea5c27498b0e83c9a2169d77a53758efe2f93283e76edff812936a8edf1f7984ebbf7fe834b2b8799

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
620KB

MD5
d36e14d45947461e080b6f8700d3abc6

SHA1
e032afb9a9c5c6b6cb6c5389a296e0aa8cdf36ce

SHA256
e834c9020aeaa2d9151dc8214200fc56c0c1be21679c5b1113aa9e81a3989792

SHA512
15daab883304012316f6a1f5603ac3c1159f7fb1429fff299f8c67494b130af31632a58b83ce09c8c6526e06dc9aa23a35604f294326c7b35c8dc0559c47e10a

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
532KB

MD5
d098d5b0d4f5d18c74f9b7371adc2368

SHA1
be1b2b0ef2303d55c2ee73dc5e8f3a7b76df900b

SHA256
d09f7c5867daf637a95c286c261a9d49a6a0f29189f205bc3b8cf8f6f3ea0931

SHA512
997f21042f79ee24e641ec537a52da976ae00b8814e0773bd54230c23e9da6bb8e238eb17501d732999b8117a50e5281ab3c7565daa72c7681cebbad7de660ee

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
573KB

MD5
b94ef7cfc969b6dbfc39780ddfa8f27d

SHA1
2cfea22c14617827955e797352ca854d3f9db25b

SHA256
1aa3175981fdf8cf6a073f988c186d3978a2961975ca38d1456d4dec8aa89f20

SHA512
dbf3bda60ded6c772be76a15ecc8617e1bc0d7498d5bb7ba3c7844b3f46815332a99867785b988e45a8911b9f53b298cb66d4efd1cc97685075277c4c863dc2f

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
042f6e361c52b568f4b2780265859c5b

SHA1
57e716e9d7bfbc55ac02a63eb58729552a3a9df6

SHA256
3bfe918b081e2ba87f914213e77a4b3a40178e82a59ac0723d6cfe966a274d0b

SHA512
b1c0336919d65a78b166f2a61ae53c587d901ccb5861338c41764b350e95f09e9e1d1146a321b9200ca3980f72486e9840d074b41a4058881d43e88bb88176cf

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
605KB

MD5
d13f54a375851d36b427a833bc316d0f

SHA1
b56489c4457391a56c78b367eb238f1109437506

SHA256
368ad226c52a6036885b70624064a83102a8445e69098dba4231c055d1aeb516

SHA512
7e5350be2beebcca28b5f4716e13bcd5a2411f50f1d0d90fa60d74f5a0166e22bd94b5ab6224ffe1bf1262227e93a4ea8e7b5e544311f07d3d67d7cb3b5a7f93

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
634KB

MD5
ea637be7c50546f513f2098e3124cce7

SHA1
0cde5234248180de5c745500439db785cbc302cb

SHA256
fec16b65b5cbd076be0de36e66a26443b61c521995a746a1bbfe7d14a0eb8423

SHA512
50635eed21f3c32796656b552474ac8fe80588ed2e9f1da0085bad8422fa9f319479770450ec249e0e9798e994033b7f5a813fda2c08fdf5de1bece0c42071c5

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
621KB

MD5
c81b3ae70c6b305315276e6ef907910d

SHA1
a227c5314e7776115062afefcdf717cac5df0b61

SHA256
997cb2af5fda8ef87785e5bfc11db05734c11fb398a52727da368bc248a69c43

SHA512
1e4cbb916439784dd954eba35051832d7f1c5f976252d53683c3506ffba77edde44842c0a5ccd574668bd198c8b7c41c5094599de06ed8b1078c977622c13685

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
510KB

MD5
e386d057e5ed7f2dd574d4d4d2036dde

SHA1
648138ea1ce202f2cc2869a2fe227708b8c5e38f

SHA256
f718601b102d8f2aa042fe14b735a6987ffcda6d712547c1bc123a364cb2bbf6

SHA512
8eb1531684ce16e69ec7dd117987d5c146d207e8722991e0f5e7701b841c392bcf0da64029db42f7f6fe3715f4d9f174a794af9af2aa27e8bf929acff27c930e

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
536KB

MD5
06df6f6e15c3de6ceec93318e57fe896

SHA1
48857a4ac1eb2cc3e628b0174c5d518e90d4893b

SHA256
5b6ead114112a7b798caa648accfb21e41818331177da3cc22f0bdd85d821ecd

SHA512
293d9b9196598b546c18ae392c713776a483922f70631a15abe66541dba584269a1f6ca4a14b21ef8fbeb83be437a37687a88f0eebcb2e89d416de0526192491

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1017KB

MD5
ca8c656baf1b4b86ddb9fdae51941495

SHA1
b0f9673e90b68c6a304d01041159f34c8cf39d38

SHA256
00aebe65ad68459dbfe177031ab34531b3bb443471669a295afb78ec2be2ede8

SHA512
3f53de13cd61a5a214d2a3706403b62145b8f8e1d3bafae17e07e7fa6c3ee596d2a3a06e52c1127c4a980aff03de64cddc99a9b9cee57f2ac79768d3178c9124

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
90102933576c4a001524432bd7cea56d

SHA1
0b68aa5df8f043fe2ba9dafb531c568821f007f6

SHA256
6c39a94b7b7e1c7ec765f546d53e824699a66115069fd5060b4f1d5f417ef841

SHA512
2f321ed54708c5798037bd06e3a5648f58a2abd431ec0b909df0f1bcb127a9774d70659b3d3647a7dcbfa146a91a438640002a6933c9e9919de00482b16bb8c4

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
694KB

MD5
0421dace4f75bda6f8163c49d51449cd

SHA1
cdb3bce1378905b915ca5b6e2ee1ba5dba0fc944

SHA256
ab4cb7a31080094d93eeca6f348a845d2d7d918fdcd648cd33ad9c2d637b2bcd

SHA512
157630846bc28990413d314c5d2cba6af2ed6912b8d9676d0ccc93eb02cf9fea124e5b77f97907ddd7cdb7b4793fac069e4c4d91e5e3f9c8f389e4d4859a7eb8

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
1d47c27ecc18ef4fc59ef922be01f965

SHA1
ef399353fa1e97f5e62f07bd79264d205db4bd4f

SHA256
9b9409fee990f9e096f3671bec23e780d013fe4c23971765bbabd326e4b59302

SHA512
2faeb1c13a959624d69811c654b0e70c4c37c7d1b20c16173f51596172c03b84221483e0a9d075d8c83b7ba126157508ebbc70990f6e1275db09141c18493d8c

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2278849e30174abe6bd96f7aba7c1e55

SHA1
58801cb9128570749b934b1899a0b029ba88451d

SHA256
73b1c501d2371b3749ae9768eacfe20962889410d674a11abce64fdbf6059300

SHA512
651d1041e9eedec15bbb96519642b464477c80d28f4bbe3a2d9734902b81806017b71b231471abc82bea07cade414e41463f7359f38abd4f43a77bab72613bb9

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
4a67776ce8252cefff1c3cdf2c2f56bb

SHA1
2b0e21e672cbfd495b080b6bd81917c3c57682bc

SHA256
d676507b151a0ef9decd048caeef747ef5b8d7306c00d3c34c37b1103a2973e3

SHA512
56e4cbab0bf734b997882c941bd560e83ba9419fbc47ec33a772dbcd33f6391182526915e3aa9ddd15e2a2165796b892fc8b1bbb5161e165d001ca03740848b2

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB6B2.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB960.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBD08.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC024.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC2C3.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
memory/496-190-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/496-180-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/640-75-0x0000000100001000-0x0000000100002000-memory.dmp

Filesize
4KB

Download
memory/640-72-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/640-246-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/684-453-0x000000001C120000-0x000000001C13A000-memory.dmp

Filesize
104KB

Download
memory/684-454-0x000000001C450000-0x000000001C466000-memory.dmp

Filesize
88KB

Download
memory/684-457-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/856-475-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/856-476-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/856-474-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/880-160-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/880-185-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1412-335-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1412-337-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1644-247-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/1644-91-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/1664-401-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/1664-399-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1664-397-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-404-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1736-1-0x000000004AD05000-0x000000004AD06000-memory.dmp

Filesize
4KB

Download
memory/1736-44-0x000000004AD00000-0x000000004AEFF000-memory.dmp

Filesize
2.0MB

Download
memory/1736-0-0x000000004AD00000-0x000000004AEFF000-memory.dmp

Filesize
2.0MB

Download
memory/1896-388-0x000000001D3C0000-0x000000001D3D8000-memory.dmp

Filesize
96KB

Download
memory/1896-378-0x000000001C6C0000-0x000000001C708000-memory.dmp

Filesize
288KB

Download
memory/1896-387-0x000000001D3C0000-0x000000001D3D8000-memory.dmp

Filesize
96KB

Download
memory/1896-380-0x000000001CC00000-0x000000001CC1E000-memory.dmp

Filesize
120KB

Download
memory/1896-379-0x000000001C710000-0x000000001C72A000-memory.dmp

Filesize
104KB

Download
memory/1896-377-0x000000001C6A0000-0x000000001C6B6000-memory.dmp

Filesize
88KB

Download
memory/1896-398-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1896-376-0x000000001C690000-0x000000001C69E000-memory.dmp

Filesize
56KB

Download
memory/1896-375-0x000000001C680000-0x000000001C68C000-memory.dmp

Filesize
48KB

Download
memory/1896-374-0x00000000032B0000-0x00000000032C8000-memory.dmp

Filesize
96KB

Download
memory/1972-32-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1972-67-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1972-33-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2012-200-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/2012-211-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/2012-266-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2012-193-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2012-194-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-427-0x00000000031D0000-0x00000000031E4000-memory.dmp

Filesize
80KB

Download
memory/2096-429-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2096-426-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2132-331-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2132-334-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2140-332-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2140-329-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-459-0x00000000007B0000-0x00000000007CA000-memory.dmp

Filesize
104KB

Download
memory/2188-460-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/2188-464-0x000000001CEE0000-0x000000001CEFA000-memory.dmp

Filesize
104KB

Download
memory/2188-465-0x000000001CEE0000-0x000000001CEFA000-memory.dmp

Filesize
104KB

Download
memory/2188-473-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-456-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2412-45-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2572-20-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2572-66-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2572-21-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2660-409-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2660-425-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2660-416-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2660-415-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2660-411-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2660-410-0x000000001C4F0000-0x000000001C538000-memory.dmp

Filesize
288KB

Download
memory/2660-403-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2660-408-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/2660-407-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2660-406-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2724-349-0x0000000000810000-0x0000000000858000-memory.dmp

Filesize
288KB

Download
memory/2724-347-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/2724-350-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/2724-364-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2724-355-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/2724-348-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2724-344-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2724-354-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/2744-365-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2744-372-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2744-370-0x0000000003160000-0x000000000317E000-memory.dmp

Filesize
120KB

Download
memory/2744-369-0x0000000003140000-0x000000000315A000-memory.dmp

Filesize
104KB

Download
memory/2744-368-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2744-366-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/2816-56-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2816-57-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/2816-241-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2844-430-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2844-438-0x000000001C540000-0x000000001C554000-memory.dmp

Filesize
80KB

Download
memory/2844-443-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2844-452-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2844-442-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2844-436-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/2844-437-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/2876-338-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2876-339-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2876-340-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2876-341-0x0000000000840000-0x0000000000888000-memory.dmp

Filesize
288KB

Download
memory/2876-342-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download
memory/2876-345-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download