60ccac65bcba21179c9319cacc6ff49fb0e3aed835cff89f8307e59a2d9a3050

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
Size

1.1MB
MD5

17b83decb4d3a794fb6fd2a4b1ab9c10
SHA1

5205c13ddd0c8b0a1235255d8b703c6da21eebfc
SHA256

60ccac65bcba21179c9319cacc6ff49fb0e3aed835cff89f8307e59a2d9a3050
SHA512

6f15eb70e870f051ce842b536d01c6ef80dde3afc06407f493f7133e2f3f3a80b35891f41eee7e899187d3ad1591e67abf164d116d2dc840a8e0bb15e9d3d0af
SSDEEP

24576:+Si1SoCU5qJSr1eWPSCsP0MugC6eTtvS9quyZXaumgObRWKQHfd5MEcEvbWQb:eS7PLjeTiqLXaR8/dJTvd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
3028	alg.exe
2796	aspnet_state.exe
2732	mscorsvw.exe
2604	mscorsvw.exe
2512	mscorsvw.exe
1540	mscorsvw.exe
1424	ehRecvr.exe
1628	ehsched.exe
2084	elevation_service.exe
2220	IEEtwCollector.exe
2768	GROOVE.EXE
2348	maintenanceservice.exe
1476	msdtc.exe
2312	msiexec.exe
3036	OSE.EXE
2904	OSPPSVC.EXE
1780	perfhost.exe
2116	locator.exe
2740	snmptrap.exe
2432	vds.exe
2176	vssvc.exe
496	wbengine.exe
1204	WmiApSrv.exe
1696	wmpnetwk.exe
564	SearchIndexer.exe
2760	dllhost.exe
2388	mscorsvw.exe
800	mscorsvw.exe
1124	mscorsvw.exe
2480	mscorsvw.exe
2140	mscorsvw.exe
1676	mscorsvw.exe
2548	mscorsvw.exe
2180	mscorsvw.exe
2376	mscorsvw.exe
2592	mscorsvw.exe
696	mscorsvw.exe
1496	mscorsvw.exe
1936	mscorsvw.exe
2652	mscorsvw.exe
1124	mscorsvw.exe
1712	mscorsvw.exe
912	mscorsvw.exe
2080	mscorsvw.exe
2960	mscorsvw.exe
2104	mscorsvw.exe
1640	mscorsvw.exe
676	mscorsvw.exe
2608	mscorsvw.exe
1184	mscorsvw.exe
952	mscorsvw.exe
2620	mscorsvw.exe
1060	mscorsvw.exe
2588	mscorsvw.exe
2516	mscorsvw.exe
1388	mscorsvw.exe
2816	mscorsvw.exe
2596	mscorsvw.exe
3064	mscorsvw.exe
1564	mscorsvw.exe
1884	mscorsvw.exe
1548	mscorsvw.exe
2632	mscorsvw.exe

Loads dropped DLL 57 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2312	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
744	Process not Found
476	Process not Found
1388	mscorsvw.exe
1388	mscorsvw.exe
2596	mscorsvw.exe
2596	mscorsvw.exe
1564	mscorsvw.exe
1564	mscorsvw.exe
1548	mscorsvw.exe
1548	mscorsvw.exe
264	mscorsvw.exe
264	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
2856	mscorsvw.exe
2856	mscorsvw.exe
876	mscorsvw.exe
876	mscorsvw.exe
324	mscorsvw.exe
324	mscorsvw.exe
1740	mscorsvw.exe
1740	mscorsvw.exe
1500	mscorsvw.exe
1500	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe
1164	mscorsvw.exe
1164	mscorsvw.exe
1504	mscorsvw.exe
1504	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe
1872	mscorsvw.exe
1872	mscorsvw.exe
1908	mscorsvw.exe
1908	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2528	mscorsvw.exe
2528	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e05f9db2ba452c3.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8298.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7F7C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP86AD.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP84E9.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBA1B.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP89B9.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8881.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8037.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8131.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP846C.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{04D47C99-90CA-4361-B88A-FA727B03A3DA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006052544b6fbcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2056	ehRec.exe
2084	elevation_service.exe
2084	elevation_service.exe
2084	elevation_service.exe
2084	elevation_service.exe
2084	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: 33	1724	EhTray.exe
Token: SeIncBasePriorityPrivilege	1724	EhTray.exe
Token: SeDebugPrivilege	2056	ehRec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeSecurityPrivilege	2312	msiexec.exe
Token: 33	1724	EhTray.exe
Token: SeIncBasePriorityPrivilege	1724	EhTray.exe
Token: SeBackupPrivilege	2176	vssvc.exe
Token: SeRestorePrivilege	2176	vssvc.exe
Token: SeAuditPrivilege	2176	vssvc.exe
Token: SeBackupPrivilege	496	wbengine.exe
Token: SeRestorePrivilege	496	wbengine.exe
Token: SeSecurityPrivilege	496	wbengine.exe
Token: 33	1696	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1696	wmpnetwk.exe
Token: SeManageVolumePrivilege	564	SearchIndexer.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: 33	564	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	564	SearchIndexer.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeDebugPrivilege	3028	alg.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeDebugPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1724	EhTray.exe
1724	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1724	EhTray.exe
1724	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2932	564	SearchIndexer.exe	56
PID 564 wrote to memory of 2932	564	SearchIndexer.exe	56
PID 564 wrote to memory of 2932	564	SearchIndexer.exe	56
PID 564 wrote to memory of 2872	564	SearchIndexer.exe	57
PID 564 wrote to memory of 2872	564	SearchIndexer.exe	57
PID 564 wrote to memory of 2872	564	SearchIndexer.exe	57
PID 1540 wrote to memory of 2388	1540	mscorsvw.exe	59
PID 1540 wrote to memory of 2388	1540	mscorsvw.exe	59
PID 1540 wrote to memory of 2388	1540	mscorsvw.exe	59
PID 1540 wrote to memory of 800	1540	mscorsvw.exe	60
PID 1540 wrote to memory of 800	1540	mscorsvw.exe	60
PID 1540 wrote to memory of 800	1540	mscorsvw.exe	60
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 2480	2512	mscorsvw.exe	62
PID 2512 wrote to memory of 2480	2512	mscorsvw.exe	62
PID 2512 wrote to memory of 2480	2512	mscorsvw.exe	62
PID 2512 wrote to memory of 2480	2512	mscorsvw.exe	62
PID 2512 wrote to memory of 2140	2512	mscorsvw.exe	63
PID 2512 wrote to memory of 2140	2512	mscorsvw.exe	63
PID 2512 wrote to memory of 2140	2512	mscorsvw.exe	63
PID 2512 wrote to memory of 2140	2512	mscorsvw.exe	63
PID 2512 wrote to memory of 1676	2512	mscorsvw.exe	64
PID 2512 wrote to memory of 1676	2512	mscorsvw.exe	64
PID 2512 wrote to memory of 1676	2512	mscorsvw.exe	64
PID 2512 wrote to memory of 1676	2512	mscorsvw.exe	64
PID 2512 wrote to memory of 2548	2512	mscorsvw.exe	65
PID 2512 wrote to memory of 2548	2512	mscorsvw.exe	65
PID 2512 wrote to memory of 2548	2512	mscorsvw.exe	65
PID 2512 wrote to memory of 2548	2512	mscorsvw.exe	65
PID 2512 wrote to memory of 2180	2512	mscorsvw.exe	66
PID 2512 wrote to memory of 2180	2512	mscorsvw.exe	66
PID 2512 wrote to memory of 2180	2512	mscorsvw.exe	66
PID 2512 wrote to memory of 2180	2512	mscorsvw.exe	66
PID 2512 wrote to memory of 2376	2512	mscorsvw.exe	67
PID 2512 wrote to memory of 2376	2512	mscorsvw.exe	67
PID 2512 wrote to memory of 2376	2512	mscorsvw.exe	67
PID 2512 wrote to memory of 2376	2512	mscorsvw.exe	67
PID 2512 wrote to memory of 2592	2512	mscorsvw.exe	68
PID 2512 wrote to memory of 2592	2512	mscorsvw.exe	68
PID 2512 wrote to memory of 2592	2512	mscorsvw.exe	68
PID 2512 wrote to memory of 2592	2512	mscorsvw.exe	68
PID 2512 wrote to memory of 696	2512	mscorsvw.exe	69
PID 2512 wrote to memory of 696	2512	mscorsvw.exe	69
PID 2512 wrote to memory of 696	2512	mscorsvw.exe	69
PID 2512 wrote to memory of 696	2512	mscorsvw.exe	69
PID 2512 wrote to memory of 1496	2512	mscorsvw.exe	70
PID 2512 wrote to memory of 1496	2512	mscorsvw.exe	70
PID 2512 wrote to memory of 1496	2512	mscorsvw.exe	70
PID 2512 wrote to memory of 1496	2512	mscorsvw.exe	70
PID 2512 wrote to memory of 1936	2512	mscorsvw.exe	71
PID 2512 wrote to memory of 1936	2512	mscorsvw.exe	71
PID 2512 wrote to memory of 1936	2512	mscorsvw.exe	71
PID 2512 wrote to memory of 1936	2512	mscorsvw.exe	71
PID 2512 wrote to memory of 2652	2512	mscorsvw.exe	72
PID 2512 wrote to memory of 2652	2512	mscorsvw.exe	72
PID 2512 wrote to memory of 2652	2512	mscorsvw.exe	72
PID 2512 wrote to memory of 2652	2512	mscorsvw.exe	72
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73
PID 2512 wrote to memory of 1124	2512	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 238 -NGENProcess 1ec -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 250 -NGENProcess 1e4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 234 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1ec -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 234 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 234 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 26c -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 254 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 234 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 26c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 234 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 280 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 264 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 294 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 264 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 158 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 1d8 -NGENProcess 1e0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 17c -NGENProcess 1a0 -Pipe 154 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 1fc -NGENProcess 164 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 200 -NGENProcess 1ec -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 204 -NGENProcess 1a0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 208 -NGENProcess 164 -Pipe 148 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 1a0 -NGENProcess 164 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 1a0 -NGENProcess 208 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 208 -NGENProcess 1ec -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 21c -NGENProcess 1f0 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1f0 -NGENProcess 1a0 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 228 -NGENProcess 1ec -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1ec -NGENProcess 21c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 22c -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 208 -NGENProcess 228 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 234 -NGENProcess 21c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 21c -NGENProcess 230 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 23c -NGENProcess 228 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 228 -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 244 -NGENProcess 230 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 230 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 24c -NGENProcess 234 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 234 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 254 -NGENProcess 23c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 244 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 24c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 274 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 26c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 26c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 288 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 26c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 1a0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 288 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 26c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 1a0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 288 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 26c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 1a0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 288 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 26c -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 1a0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 288 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 26c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 1a0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 1a0 -NGENProcess 300 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 310 -NGENProcess 26c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 26c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 300 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 26c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 26c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 300 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 26c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 300 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 26c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 300 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 26c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 300 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 26c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 300 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 26c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 300 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 26c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 30c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 300 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 9c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 378 -NGENProcess 388 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2364

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1424

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3036

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2872

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
b8dbb0488d8930c482bec06ce2d706c4

SHA1
2ce1cfaff09a2d76f89b83fc1ae790a695ae6877

SHA256
fe156561b0e18c210a41dd25367d08b46db629a9110cab46c305daaa6465c2a8

SHA512
a5d60e94b2f5cee324e24ba849877e851629cc85843534981c94272120d6307626b5acc271e4fb135218f92b6a1ca29022d14dafba2902e16020a58a16bbe0fa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9ac4003080c57dda97a619883012fa83

SHA1
76c520faadcbc6c5593f7c5c206ee8fd378e3d1f

SHA256
83b9c43dd08cef77fa6150a94031c287890785d3ee9da20617470f66c4228a75

SHA512
031c7eca4845809edf4d474a9043cecebc2697e50580475678164075e905c3925211591c8312ada037d41536945cdc5436f188b236d5cac36bdbcb35d08f57af

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
b50afaacb9875353c7cf585ebea4f16e

SHA1
2c7ef0d82c6b6aa2eb459651bd418276169f35bd

SHA256
ac26b5a8cb96913e2ee9799d3c0c9a7ae3f2402f4f4186addd88496383b809ae

SHA512
a9d6b28f839874c0d700eb325db099a3c7964a70fde429ac539f4f1f521babb288af23345efbedcb7dd86c8d50d92f20909f01e98e18f98b5d85ed967dd2b888

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
6f952c098ab7c5132943c2ab2548e216

SHA1
bfcf8146242756ec2b51e3dc283ec479b64c0590

SHA256
a971db074ee7498c4f1acd569fd555eaec5ce8d40998dace45e68a3be7980bc8

SHA512
161e6d9c568fdb1f5e3320be1c5c1e43f1ef894403b83a15023f3f4b64eddd035349d9dece66ca8d5be8db3cb1eb763141803cef967d07725d5fcd93ad2954c6

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
99136889e2097e801a7cffcb8e0eab4c

SHA1
4cb65895f12e14285c90930d7461145332833aa9

SHA256
ee803a60132baed60d20b5d26cd0527699fc8e999aa515ff2a7819633dc26c66

SHA512
6da1e0e6dc53abbe36a3231643f649539553fb6b75b9549ccc6fbe19ff87457260d912bd67c7c86b660778a18fb04851234e7802e04dc599ddf05577328cec98

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
131f343b616a67cb653d6464fabcc7e0

SHA1
75ae939666ae0e549dcda85772754b18d08364a2

SHA256
ba6566401e21507f1b178afa943b3cacc3f59c3e8f2eb88a9944c33c595f6c2c

SHA512
5844374acfb8de9e0e788964091daf9ebb5c626627620e4eeee6fb8b0fb13732bdad4b4b3fafe50d3950e848c29ecff01097957fa3afff5c6730b9e0fe8972cf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
c64468d3987dd774c811578739ea317e

SHA1
ff19cc7bbf911a2afb74093c76a89b4568dfa336

SHA256
2bf21139dde1892af64d2570c0dc8cbc80e19813830bf9f7579b8af894f2946d

SHA512
2a15f66b11bdbec121c7e3d2c164a4e2714f9a91f134f37c05e895dc2b8feda4d4f52f329788579e15090d78916a3541a6b41ebf5d545173146ee44017e0e4f0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
c960312468fe328658f1c68efeeb3433

SHA1
733b9e965500b2922ca52950470385272f1394fa

SHA256
c3bc9e2b31976920b06eab4856ae9a4deafb6c96bdbb468c0cb61e9618d9d461

SHA512
94ae66aa5ba8fada55ea7af22e4ca654f84edff8ecd98cb55a50267f8f4b1462736f6cadcd57f548300f656fda251d5ad2fba5c43651b9271b7cc172eb255315

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cf1a176f7451dabb7e9d92c164224b02

SHA1
78b90ccc53a9637d49d6bf661b538d78e87d6c1d

SHA256
40f90214fb893b651a77f6f2bbf2e5998dcdc2d15d190651a50d27f65b47f797

SHA512
7fbe67e31debfd9df167e6fe71c879bd9e92da0b1ec26a63fb65baf47aa8760b44bd4739bd999478a78bdf152af43e7b4ea4d9df82d451fefc80a6fe74f4e8bb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c24e20a1f5d8dc501d64fce74cf51834

SHA1
2fb8ed1fa144bf6bfd6a1f1c33ac9b4c56c6a770

SHA256
ba44547bbff18ce7a9a3b30d01a53504b0a1c515fcc872b2cb8ae5810c516723

SHA512
5ca85f0a7782a8a6486f9290154891c7f3bd6e412d0e08bfb46c11b8873354d14d85611ad40fb65ff89cbe6048ddce48c48ce56f7a18400b6373307e031aeced

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
da1929a06e6f2ef228f4756d365b936c

SHA1
d61a3c844dbeff6e416e898e04d3440b5e24166c

SHA256
6f9f2984479e0e9707669cea41f618ad13b98ed7ee227f073c9fc612a57f0ef5

SHA512
33877821032077b8f6d4b4c6befcd27a66c25c435263aa3d7e45317b928899bef03588d866949ecf512efb995becbaab131d5a0eaeaf016cee9aed2ee4584429

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
58643ad1f7bf8a07ed7973293541dd73

SHA1
6021a877ef7eae95d60d03a10ace549e2d9822d1

SHA256
fd526a6519eeb97a352f0970c6865bb5c873687c37ebc44c045410801fc2dedb

SHA512
cd80bf04b974eddc31bc18f3952361941006a1d22819f9fb13eaee14345ce5389b5f61a3e5fd22d3fba69f849f525b61ebc7ba18208ca4d93240fc0fcb2c85b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
66e5f12b8baddc29a51f6f58f9f6332e

SHA1
d5f4e6c7d6bb3e85c39b024e1a6f4355da9d811f

SHA256
f1e16891168b7de58e8c869b452a06a3ff94cd5eb25d12b15c27e19d9fd9000e

SHA512
f2bbe8b5341de58e5aa82f179c60a242870af8238f9f73be1d8fd0a8ec61b73481790f18cbb31816b9383a4d62b26469c6ddafe39ec17c4134613d736cf7aeb1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
67ffbe48fef2dd9d5385433db7b59eaf

SHA1
1438a8fc885f25b25a8c853601a6267d06e19c56

SHA256
e7e85b0321a2036d99e2cfea1a8cb2fea40cca030b5a2b6bec81deafb8fc2ae4

SHA512
cf9c4679a9a8c7fbecf9183f4ae4117159715f4c265db7ea8d02a5880792e12e14e258843fb65970d8ca0c297053fa483f8533797e2f95bd21395e75d505ed0d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f0538b0c85b9fc006e434d1298c36c5a

SHA1
678123f45c6ba58b7c125aea52e3bb83f769d0b9

SHA256
1800cb7d03d81c55743e5a1c212db3228ff70908b06385e29528021799f47ec1

SHA512
487414c0ef418e66927ad07816ff50570be39e34b7991a28e02520ed5b1f2569e22be2a2f802bce1c36ffcd39d94ad0ddb9c8910127d6a193271b7cbb70a478c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
96edd6b9a2a88c5c356918f2899dcfff

SHA1
b50498f1accd240cc29cf32a3305dfdcdfca9154

SHA256
86f86f89fbcf19f38fc9be349a336c3e84e8ceeefdc739e68d59579365dce902

SHA512
b3f139622cf0e1f5c79ae22de44f048cd224fad5d5cf22036372224ddb64e444d88b53cb4b1e1d4ecbf0013bc2908b4e47bc79435c1226875dc7bc640da47450

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
2f1431bd1fc899a7dc025670e6251ea5

SHA1
a755fdcc9c3ca4ac04c6aa03541d5f2fec47a714

SHA256
53064a9d11813894064fd3ee1334ccfd975abc3cbcab9879c641651b3fc66947

SHA512
3f0a370c9ef6a0add0d58d79790880f0098b979a59d0f07faab34be0fc215051dc495acc872c8b5f2aae18fbf4cef2497c635cbbf890325ac719dd1f29cc80b6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
fd708c926ae8acd7dbdfa0aa02bbb763

SHA1
2e95d599a92973edb67a776b033f78344735902a

SHA256
d1d4b17766b0146d639a2ebec00b1246fd4f79a5ec6a93a161967cdedd64d136

SHA512
ad2c2efd1dd945ac7e40882f1275e5e50f57bfce9282cd684f088245185c1b595e2b57bb1f509c36ecedb5daaa11909781a26f56bfd77b1586af0c2f4589ff5e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.1MB

MD5
5cd6bf4b3ff8c97518850b8609ead2ba

SHA1
f8d29971572773bd3f2331bf56d55fab55e68898

SHA256
f763bc6a4bfa52972f1e08a1dc4b8c40efc68bb0c0ae785296ca247f346e074d

SHA512
12f9dbb83a8437d887dd8ad1ff7d8a41b0904e822d16572057484eeb9ecafa32f9a09924673c682333a3f7c5be205dc8c8399d19fd75071fa1ce15a483e6eb82

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.1MB

MD5
900bdc44318572f6fc7f735e0d7c4933

SHA1
f4793ddcd09ad1748758b7b3dbea61b7858b52b8

SHA256
6ab08947e32d122334d552f22aecdc9530540c0d301c959d7baf518ba460e3c0

SHA512
015ebe2c4a7a70fcbe552a3858ff905faee82650fc9019a2f272473cd338b49ea5c95ba9de3ff35b316063e9401a0c4a075bd0c3ffea7c8f6bc503e9beb895ad

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
458b39b20be840ed3ddfd6936a9ef716

SHA1
b31e931d12663ea43166c90900ff3992b0cd0a85

SHA256
7bc7e08faed34ffb52d662c8284b62f4387c6a8bd7da30fcb2f56473e38e4cab

SHA512
2767312b56b5bdf9be3b5ee7462225340828fc0ec6b903f9f50986275cd77ddcad5f141ff01b7d38db2a650e438bf6b7f3cff44555af8748cff321f264119298

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
7655a71129c86eaa0ed0888804c6c767

SHA1
dc466e30a2185269f8f9cf6bbb503295874e02b7

SHA256
87ab1f1c9b876082959b590e542e3559241c2142493ac88330e30547b22df759

SHA512
52ba427b6748b42092a47b0458de46e9981455ad24abb63b36a6889e09e72f192aa4494030c998875fc0c4026326a3b68289f070b914c350e9e38e8a2cb47b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
96ff45d635ec7e78a2e263fdbf704c10

SHA1
cbf4df8f6a4385cf1af7c1bcfdb825dc12e554a8

SHA256
940b341c799ab066190fb903b0e08469be66c5334c0453e1e74ca18b8565e57e

SHA512
20d6dce7a239127da6d9a6da6286f80797dd6b25a664c9040ca47790c1cd7f731bb7504a5a87cae02a45c8b266821e8641cb33da54d92133509911872075402f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
3b4fdf6e81e9087efdbf3d9ede541187

SHA1
acaddacec9f9cd702820363f0916bca32b01aa15

SHA256
449401050012547ef2e8677c55f80bc42cdff7ce446aa74f40c0f374a7f1e17f

SHA512
57d3ca3905885ce7393e457336ab5a3af62e5959f61bc2ed814e1c625da9e229fff3189b229e86365d23050ab66554ad08def97358118e6c13c5dc207c6d7238

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f4a19b3a9c8d918bc4c55c753eaf064e

SHA1
2c53c2650e0f4d5d2a8bd7761e960dea4e646dc8

SHA256
9eaeb85b5682a4bf28c36fede14b387d80a0953e955ede55c020304de6722584

SHA512
014d99f693adb35a4e1312cdee0140dc5b5af926b2ccc563f0d19d60e1069a45cd7ea86e892a7073d1305a1482e4bcd3f4beba618e28d143cb414b7b58663076

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
98ca10e62ecb2f7a16bd04ddd519b49a

SHA1
990f8c85d38e090732ba9dee8c1e54ab68478fc0

SHA256
cf3859d5c2eb25ab8542295bb7f6b951e4bd8dc2702954df4ef6ac3a9c2fac6b

SHA512
3fd2d05774ef281d56b90d74bb2ce86a9891435cdd661a2a5c78ff20a0ba806407d3812f8d6f838a81077b83a64f14d0f905a5b798111341b38cf16daa93bcab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9e2a87ee5ffe824561596788b0d0aa29

SHA1
399b41bed194ce0960338b8a8b60e34e150c1909

SHA256
2c1010a1827d2459076862b6498efbf51c2315d31cf45f18ad2de3d32ad9d8e9

SHA512
3e56ae07897aadefbefe1cd4745666d632359623b15e002026ee3df754c1c52d46a6bb4a3df17c6b11d63b8d1bd62cc17339b3a9c60dd6f6429d2e3ac170d9fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
837203bd1945872c1232e2e088c7aafa

SHA1
b55436d0b03e5fd2d556d330f5a3269ca28b8a1f

SHA256
865c0490a0272cc4ca1e1f3385b688a8f6319cafd552666db1fe65fb559ee705

SHA512
7c8d1da90a972ed47bac172ae627a7c40ca37547aba839aa3cbe89974387b005e6c99e01dd6abf8b29e3fe2003da261a5178934e9ae4c88663bc04b22a179ed2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
e3bb2743c767b207e2357231b4501928

SHA1
03c76f77de04d9be07c4444a78dc000a4e153f67

SHA256
6b7c545db08ba2efaf85d002d61ffc5907cb1f65b6add8544b36c2ef32072d02

SHA512
ee312e4d2a9faf5cc00bbc357923a1e149752344fb612ac63d159b2adfb44fc80ae27c5838f9b5348536189424c1667c749b3bdade41d0de5fffaf7523cb6312

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
06437113d56e71c6a1198234d4a3998a

SHA1
7dc94561fb171e88c812a536e72d3fe60e8beac4

SHA256
ad95afecfc64bc79326a034a5fbb04d33e01929c4d3b71c7c3d5e40506614c3a

SHA512
d08b69cec736ca1fdab28a6808c3d1b4113a8cdaad0a3a99c5cd27135d6a131bc3c42bc58f6b9cab9742e8047287cda634d9fc3b028c9e961f18c6b1f08271c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
3e0bf7da95f3cda91140719a88a1f5aa

SHA1
4804f802ced1a6aa62da51634c0bacae877d85c4

SHA256
6fbdbb8f7d3e7ba3de10d3cfce2f7f69830a5ee684af1c0fdace6011e5296aaa

SHA512
2efa89813a6f8508507bc000f820c6bb7e03e92f43117cfa522a0490c5024a182e08be8ec819c43fbc03fb811cc628f01f166c6f00462e770a836673d4d518a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
409597761b85b77ca47316fae7035441

SHA1
034b23db3fcebde40aa1b16623f93276c32fa0c6

SHA256
a9cb70c891f2bd35a6ba60ad939c2c59895a7b41164765e390cf9cadd44d5fe2

SHA512
31514bb5186293fc9ce159f23b410d83ca60dacd31f966cc2824b383f3791ad2c0ead9320232ecc3af0024c9834c42f00a85646d3e1ec4b2098699acdf2cf9b4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3814f4faceefa4cc2970b2299a71ccb9

SHA1
75cd9a88a96e4b748d6b435fc3d07ed9d9f5155e

SHA256
546a70c60197668ba846b4bfd6b60894b09e7ce338070033bb42e0bb360d853d

SHA512
ed7aff1a08974a8606eca910a20f11fab8be663e182f8f30bafa7710356045abced7e4c393667bd3797b9c688e20d1a0712ca9b47791466e46b5de6bd3ff8161

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
f54e338e8ba97a25c616a172d0801f9e

SHA1
06760542c5ee6935bfd3fb291984591131e728c7

SHA256
9c8c405a1a15a7b28cbdeffc36e3760b67f52152e26b15bb3a32834c0f4d5bc4

SHA512
1e981108ac402941f91899839debafb173a54e2bcabe58c59f0e285128026ab24bdbbaeb4119a9a3b1c0f42e987d21babe1cc5de510dd380734c443eaa1a9f67

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
c0c7bac2e18825e5d3bb4da6e44c7631

SHA1
a0b27844aa53f14d9eb3e20b1961a5d4921d3a18

SHA256
bbdafeae0eabd5ee04a0e3a406e82439600b773e218319342a225562803b0424

SHA512
e91023f326c0d428f73459c70755a10017f9cac92edf9d3cdde446f0bc1e1fe372814baa244b973ffc5d1c35e5f426487ace7c819968d36866f931194cfb9ca7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
fa8a33aa8a50bc245478a0b71a1b79ab

SHA1
5fa5506996840e87a5c6e878abaa8acdffd2b9c5

SHA256
aceb2817236e92ce1957b766ded6ebdf3ba42d8af1645dd8226d19c8e66cbf04

SHA512
e9e36574e300d133a82f60d542a8a9f7c536b61dcad6e2c5f920266c18a768002b8d771f6e2192abb041de87d5461be0e66a66cb7472f5fb2b6a923c8d7f3dc2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.6MB

MD5
1d7e89f5997ade1ef7bb48562cfcb48f

SHA1
3f3cb8a040d72e372a90707456508fb37afe9af7

SHA256
d6723c79b3a468b302902b588d7a0e428d903b67aefb252cddfde9b933af23b4

SHA512
c4494770aa2ad5f14a8f78e7b3cb3b9d1df1d2be74dc7da5abdbfffd75a4c06f9a441c719780f3a8f7a68e2d562583649d57d66056ea5d4e8cc36dadc9208c01

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
2f316268313fc78c17cf55ede29d6198

SHA1
1de4e2a6c045d986bab40e26ecebe4adf4839b13

SHA256
54cf9076641528f00aa9a01b427f05d507858c84208ef15817a992b1c5d1679b

SHA512
1aaa3e19c02b947c42e387ff42fa95400944252dd4ea720c7a8d90d1fec68e703f55ecce852b87ef030d4227522163859f0374e92c1ade44221731347db5aea4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e2643135b3fcdfa9fa28e4ac69d67321

SHA1
774a3a542779d394f1fbe4ddd5d13ba27679c3a1

SHA256
383cf972b93f8f2c1fee8665f90520b10d3e1a3fe2bbfa1ffe08327c79fcaf99

SHA512
eb98b8ae74c15326f0ecb57d06fb0891c53e18ee346e92375a32f40f7c629f5d1098a306e3557c6133449ff46a7b4a0c36253ce69f70b6d2daae01c79479ea18

Download Submit
C:\Windows\Temp\CabF2D7.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1A37.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1c6743198c0a9489cff5bb12f9434f11\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
8a0c198de4603904f643bdfd82cab8b6

SHA1
27a6828363db94d05cab605fa184fd3d9edcb281

SHA256
cc8dd4a42c0b4844def27dc34fadd0721e0748939b004f0ae7b492b74d4bf8b7

SHA512
03b2aba94400b53bae405844ab9a36054087eb6e99a8de355fb2c3c1f52deda9f35ef2c82793451b53ce9a0d8f7d4e56a46c8b4e4f7774cbd74a43b4753926ad

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\578ffc6c79e07ee0de2fcdea793529e4\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
fd8644e3fe271e8b90ba15c3ad6bf063

SHA1
78fbc806efa326a66b001ca0ca5963622dc392c6

SHA256
c91a0ecada9c9f5811a2397ef2e3510a6e4db2f838bbc471fd2beb2a94db16fb

SHA512
2074d523af323a7b760d9df807c428ed87a38683fc3f8cdf693aa05df48fcda27512e3ea2466479219204395d6b8abeb2912bc780145bd78319dfac59050fbd1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\819993547668c320af251285c44df619\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
ef3591cd34ddf5b2da6f1ae6adfdccc3

SHA1
f4a57ae910d97a8a5a95ac917e4baeb38c7c2e71

SHA256
3d8e423d71024eca5f6cf138397070490af6dd57e4e9a70f1da951033b456e72

SHA512
fc50142b156b0064b360d428c33c101ba17783aa7d8e908160254a70e7faaa2cdb2e95fa408a03e16ca9c7be61f095b33aa8166aedfee051d2c051029ff79cd5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\aa3ad22e4d087bb742f8477875949614\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
19c895157ef0981297f4156dae38bcfb

SHA1
f55e32052493a462f01c2a1a6cd9ea78c7230ed4

SHA256
fdfdd0139970553279a3788f9e781200ce7ec211684821dce1bb553a8954b1fc

SHA512
eb920c6046fced8d4fd40d26f89c3c3fefd9f29a50e8aae32445c50d359b5280086818a15684eb48d6fbeb64c1b07f7ad61ccf9c0416fcdcfd409e9397f2026d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a70786348fcf9ccc2a6f2596e5001aaf

SHA1
692e45c57f7fd6a78d8aa9dc7b59670f98f9dee2

SHA256
5aadb000fcf7ae69de4108eca0a53c2d34b5078413680f2341d74eb2e672422f

SHA512
888e925e02fe704d1301bdf02f75a808a208421b3eed6f10ea48528f6f66d046582bd6dbfda952c2d737cac6739e4f8f6768fec9469157674a024acac157a2a7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
1970e40d5c90aaefcf18315db777241c

SHA1
08887f7051f9f093df868622a8b5eb175cd87cb1

SHA256
d409fb0f5ac4e183ed202684d3f353e40899eeebbce7b8ae4ff8618f75125030

SHA512
0786dc432787279ad372182b6d2e1be803a795ef2ac785e5f1c70b3b115b007707a3fbace4eb19bca18e9e0dbf6cfb1542df34f1451552b681fce1066c1e0408

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
fc34c143deb059714a2a9b44fd0752a8

SHA1
74c726c07e7ff2974291d7be5628e58d213a991a

SHA256
7d2666d0fa7c77a7e7755578ab26f6363ac831ff9543e4411de7b6b6a138c865

SHA512
0a7e7c9d523916ab01194a1dae8cd1af7e26a3db81324f6cfcacea8274f3abce4de9a0b78909c39037df61a02d13bfb7b221b7a84dc137f3b223308a12de2c3d

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c96840764d654defe1a2e758efa46da5

SHA1
f90034cabc8226c6e581361db7f5275884df12f2

SHA256
9fd37037806c7ed8bf9094ce2ea37afa4961c68b6f26924974c5ed106fd9b340

SHA512
f68e75db9e0a92ecfaa6e2f1bf3f6ad4223b729fdbe3d810bd84fea046ea1574d342895b8ab4acf7ef4d25f34f1d7972c8f80352952694c44e674900645c8ce3

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
68e029fe06433a2b5d7be8252b3f0335

SHA1
8174e137c5100d1708d437ca342360cd434f1fbc

SHA256
6e9de97a648d29e16e37550bdd50db369434c1a023b194a87b6a78b74b37059d

SHA512
6f130cd7e886af7eaa566d18ad8f8557f6214c8686a49bd657e6c1de537d2201f6146012a636f9b8cbac99108d645cfa1e863887877a9fab9c0c3b4b302be711

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
732e4b3e8356b36f3e2495d472b00474

SHA1
75ac0d015887dd325f018b948cdfe9fad499f519

SHA256
31f3d8796beba5fd19144541f93296b72e6aab82d8fc4fbfc52a355cd31172d6

SHA512
b4249167385949ecbd69f1befcb7723408c3f6399d2e2a1b99ebd7b17f678adc7d191ec334ee7309ff2963a0ceb77167b44a878ad6ba01d8a62cd5bf2f38a985

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
64f8b0dae8651dafafd26d742bec2d5b

SHA1
ff6de520a0b0ddc81c86bce469c126871ea2700c

SHA256
a479c4788188d5c381e41edd27364ad6104d271d068bbcc32cc25945210e1a8a

SHA512
f321bf246154e4623d2fc16a8a5719b658b64ad6fa86baa9abe9a931b55868b780e98d5c76da10474b7691e3459d322c80e9fed8515e190e4668d57ceb0c5497

Download Submit
memory/496-631-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/496-262-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/564-293-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/564-665-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/696-683-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/696-701-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/800-577-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/800-583-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/912-754-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/912-756-0x0000000003C80000-0x0000000003D3A000-memory.dmp

Filesize
744KB

Download
memory/912-759-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1124-742-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1124-607-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1124-594-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1204-275-0x0000000100000000-0x0000000100155000-memory.dmp

Filesize
1.3MB

Download
memory/1204-636-0x0000000100000000-0x0000000100155000-memory.dmp

Filesize
1.3MB

Download
memory/1424-194-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1424-73-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1424-98-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1424-97-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/1424-74-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1424-80-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1476-161-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1496-700-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1496-705-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1540-63-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1628-93-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1628-88-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1628-198-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1628-95-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1640-806-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1676-632-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1676-635-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1696-286-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1696-653-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1712-755-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1780-200-0x0000000001000000-0x0000000001126000-memory.dmp

Filesize
1.1MB

Download
memory/1780-558-0x0000000001000000-0x0000000001126000-memory.dmp

Filesize
1.1MB

Download
memory/1936-716-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1936-704-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2028-72-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2028-9-0x0000000001CF0000-0x0000000001D50000-memory.dmp

Filesize
384KB

Download
memory/2028-532-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2028-531-0x0000000001CF0000-0x0000000001D50000-memory.dmp

Filesize
384KB

Download
memory/2028-6-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2028-1-0x0000000001CF0000-0x0000000001D50000-memory.dmp

Filesize
384KB

Download
memory/2080-779-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2080-765-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2084-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2084-107-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2084-101-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2084-209-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2104-798-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2104-787-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2116-212-0x0000000100000000-0x0000000100125000-memory.dmp

Filesize
1.1MB

Download
memory/2116-568-0x0000000100000000-0x0000000100125000-memory.dmp

Filesize
1.1MB

Download
memory/2140-618-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2140-623-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2176-250-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2176-611-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2180-659-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2180-656-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2220-113-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2220-224-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-120-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2220-122-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2312-177-0x00000000006B0000-0x00000000007F3000-memory.dmp

Filesize
1.3MB

Download
memory/2312-279-0x00000000006B0000-0x00000000007F3000-memory.dmp

Filesize
1.3MB

Download
memory/2312-274-0x0000000100000000-0x0000000100143000-memory.dmp

Filesize
1.3MB

Download
memory/2312-166-0x0000000100000000-0x0000000100143000-memory.dmp

Filesize
1.3MB

Download
memory/2348-144-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2348-149-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2376-666-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2376-671-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2388-559-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2388-580-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2432-593-0x0000000100000000-0x00000001001A5000-memory.dmp

Filesize
1.6MB

Download
memory/2432-241-0x0000000100000000-0x00000001001A5000-memory.dmp

Filesize
1.6MB

Download
memory/2480-603-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2480-610-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2512-48-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2512-53-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2512-47-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2512-174-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2548-642-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2548-647-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2592-682-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2592-677-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2604-39-0x0000000010000000-0x0000000010138000-memory.dmp

Filesize
1.2MB

Download
memory/2604-84-0x0000000010000000-0x0000000010138000-memory.dmp

Filesize
1.2MB

Download
memory/2652-727-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2652-724-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2732-56-0x0000000010000000-0x0000000010130000-memory.dmp

Filesize
1.2MB

Download
memory/2732-31-0x0000000010000000-0x0000000010130000-memory.dmp

Filesize
1.2MB

Download
memory/2740-225-0x0000000100000000-0x0000000100126000-memory.dmp

Filesize
1.1MB

Download
memory/2740-592-0x0000000100000000-0x0000000100126000-memory.dmp

Filesize
1.1MB

Download
memory/2760-536-0x0000000100000000-0x0000000100125000-memory.dmp

Filesize
1.1MB

Download
memory/2768-130-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2768-125-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2768-239-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2768-133-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2796-135-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2796-28-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2904-195-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2904-537-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2960-790-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/3028-119-0x0000000100000000-0x0000000100134000-memory.dmp

Filesize
1.2MB

Download
memory/3028-15-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3028-21-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3028-22-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3028-14-0x0000000100000000-0x0000000100134000-memory.dmp

Filesize
1.2MB

Download
memory/3036-180-0x000000002E000000-0x000000002E146000-memory.dmp

Filesize
1.3MB

Download
memory/3036-292-0x000000002E000000-0x000000002E146000-memory.dmp

Filesize
1.3MB

Download