Malware Analysis Report

2024-11-30 05:56

Sample ID 240614-hlazysyfrd
Target aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
SHA256 1072a44437d408c123176f01095cdf9b06bdce3da6e7d1c582ff9c2c38f72c99
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1072a44437d408c123176f01095cdf9b06bdce3da6e7d1c582ff9c2c38f72c99

Threat Level: Shows suspicious behavior

The file aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe shows suspicious behavior (score 7/10). The score is driven by the behavioral signatures listed below, not by a family match: the only tags assigned are spyware and stealer.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:48

Reported

2024-06-14 06:51

Platform

win7-20240611-en

Max time kernel

136s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A \??\c:\c90c1f2f6d955b87ff5b\install.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A \??\c:\c90c1f2f6d955b87ff5b\install.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\7216b6288ab55808.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{5889422B-4E7B-4F63-944F-9F172CF77CBB}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
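
The two tables above record the sample opening existing service and application executables (vssvc.exe, alg.exe, msdtc.exe, Java, Chrome, Firefox, Office binaries) for modification, and then C:\Windows\System32\alg.exe, which the sample had itself opened for modification and which is listed under "Executes dropped EXE", appearing as the writing process for a further set of executables. That write-then-run-then-write pattern is what a practitioner wants extracted from the report: which executables were touched at each hop from the sample, and which of them went on to write to others. The Python script below is an added example and is not part of the sandbox report or its tooling. It parses the report's flattened rows (a subset is copied verbatim into ROWS; the full tables can be pasted in unchanged) and follows "opened for modification" edges outward from the sample. The row layout assumed by the regex, the generation model, and the case-insensitive path comparison (the report mixes "System32" and "system32") are assumptions made for this example.

```python
import re
from collections import defaultdict

# Process path of the submitted sample, as recorded in the report's Command Line.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

# Rows copied verbatim from the "Drops file in System32 directory" and
# "Drops file in Program Files directory" tables of this report (plus one
# "File created" row from the Windows-directory table to show it is ignored).
ROWS = r"""
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\7216b6288ab55808.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
"""

# Assumed row layout: "<description> <indicator path> <process path> N/A".
# Paths contain spaces, so the process column is found by the drive-letter
# (or \??\) prefix that starts it instead of by splitting on whitespace.
ROW_RE = re.compile(
    r"^(?P<action>File opened for modification|File created)\s+"
    r"(?P<target>.+?)\s+"
    r"(?P<process>(?:[A-Za-z]:\\|\\\?\?\\)\S.*?)\s+N/A$"
)


def parse_rows(text):
    """Parse flattened 'Description Indicator Process Target' rows into dicts."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append(m.groupdict())
    return events


def is_exe(path):
    return path.lower().endswith(".exe")


def modified_executables(events):
    """Map each writing process (lower-cased) to the executables it opened for modification."""
    writes = defaultdict(set)
    for ev in events:
        if ev["action"] == "File opened for modification" and is_exe(ev["target"]):
            writes[ev["process"].lower()].add(ev["target"].lower())
    return writes


def infection_chain(events, sample=SAMPLE):
    """Follow modification edges outward from the sample.

    Returns {generation: sorted executables}. Generation 1 is everything the
    sample opened for writing; generation n+1 is everything a generation-n
    executable opened for writing once it ran. A file that is first written to
    and later appears as a writing process is the tell-tale of a file infector.
    """
    writes = modified_executables(events)
    generations = {}
    frontier = {sample.lower()}
    seen = set(frontier)
    gen = 1
    while frontier:
        next_frontier = set()
        for proc in frontier:
            next_frontier |= writes.get(proc, set())
        next_frontier -= seen
        if not next_frontier:
            break
        generations[gen] = sorted(next_frontier)
        seen |= next_frontier
        frontier = next_frontier
        gen += 1
    return generations


def propagators(events, sample=SAMPLE):
    """Executables that were written to and then themselves wrote to other executables."""
    writes = modified_executables(events)
    written = set().union(*writes.values())
    return sorted(p for p in writes if p in written and p != sample.lower())


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    for gen, files in infection_chain(evs).items():
        print(f"generation {gen}: {len(files)} executable(s)")
        for f in files:
            print("   ", f)
    print("written to, then writing to others:", propagators(evs))
```

One caveat when acting on the output: "File opened for modification" means the process obtained a handle with write access, not that bytes were necessarily written. Before restoring the generation-1 and generation-2 files on an affected host, confirm the change by hashing them against a known-good copy or checking their Authenticode signature; note that the report already flags the sample itself as an unsigned PE.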

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B83.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F29.tmp\stdole.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4DB3.tmp\ehiVidCtl.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21E2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3736.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3208.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E22.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3978.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3006.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3488.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP404B.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0e3550f27beda01 C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
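
Reading the table above by process rather than by row is what makes it useful: most of the rows are mscorsvw.exe (the NGEN service) enabling SeShutdownPrivilege, and vssvc.exe, wbengine.exe and msiexec.exe enabling backup/restore/security privileges, all of which is routine for those services. The rows that matter are the sample itself enabling SeTakeOwnershipPrivilege and, repeatedly, SeDebugPrivilege. The "Token: 33" rows are most likely the sandbox printing a privilege it had no name for as its LUID value; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h, which fits the fact that EhTray.exe, wmpnetwk.exe and SearchIndexer.exe each pair it with SeIncBasePriorityPrivilege. The script below is an added example, not part of the sandbox report: it parses rows in the table's flattened format, resolves bare LUID numbers, groups privileges per image and flags the ones this script (not the sandbox) considers high-value. SAMPLE_ROWS is a constructed subset of the table; the LUID table is partial and the HIGH_VALUE set is the author's judgement.

```python
"""Triage the 'Suspicious use of AdjustPrivilegeToken' rows per process.

Added example; not part of the sandbox report. SAMPLE_ROWS is a constructed
subset of the table above. LUID_NAMES is the SE_*_PRIVILEGE numbering from
winnt.h, used to resolve rows the sandbox printed as a bare number
('Token: 33'). HIGH_VALUE is this script's own list, not a sandbox verdict.
"""
import re
from collections import defaultdict

# winnt.h LUID values (partial list) for privileges that appear in sandbox output.
LUID_NAMES = {
    3: "SeAssignPrimaryTokenPrivilege",
    7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege",
    14: "SeIncreaseBasePriorityPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    21: "SeAuditPrivilege",
    28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
}

# Privileges that let a process read or alter objects outside its own security
# boundary. Routine for installers and backup services; not for a sample in %TEMP%.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeSecurityPrivilege",
}

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

# Constructed subset of the report's rows, in the table's own flattened format.
SAMPLE_ROWS = r"""
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
"""

# "Token: <name-or-number> N/A <image path> N/A"; the path may contain spaces.
ROW_RE = re.compile(r"^Token: (\S+) N/A (.+?) N/A$")


def resolve_luid(token: str) -> str:
    """Map a bare LUID number to its privilege name; pass names through unchanged."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID:{token}")
    return token


def parse_rows(text: str):
    """Yield (privilege, image path) for every well-formed row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield resolve_luid(m.group(1)), m.group(2)


def triage(text: str, sample_path: str) -> dict:
    """Group enabled privileges per image and flag the high-value ones."""
    by_image = defaultdict(set)
    for priv, image in parse_rows(text):
        by_image[image].add(priv)
    return {
        image: {
            "privileges": sorted(privs),
            "flagged": sorted(privs & HIGH_VALUE),
            "is_sample": image.lower() == sample_path.lower(),
        }
        for image, privs in by_image.items()
    }


if __name__ == "__main__":
    for image, info in triage(SAMPLE_ROWS, SAMPLE_PATH).items():
        print(("SAMPLE  " if info["is_sample"] else "system  ") + image)
        print("    enabled: " + ", ".join(info["privileges"]))
        if info["flagged"]:
            print("    flagged: " + ", ".join(info["flagged"]))
```

Run against the subset, the only image marked SAMPLE is the detonated file, flagged for SeDebugPrivilege and SeTakeOwnershipPrivilege; msiexec.exe and vssvc.exe are also flagged, which is expected for Windows Installer and the VSS service and is why the "is_sample" split matters more than the flag itself.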

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe \??\c:\c90c1f2f6d955b87ff5b\install.exe
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe \??\c:\c90c1f2f6d955b87ff5b\install.exe
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe \??\c:\c90c1f2f6d955b87ff5b\install.exe
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe \??\c:\c90c1f2f6d955b87ff5b\install.exe
PID 2216 wrote to memory of 1848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2216 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2216 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2216 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2216 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 2216 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
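
The 64 rows above collapse to 16 writer/target pairs, each with exactly four writes. The sample (PID 1152) wrote only into PID 2520, the install.exe it dropped under c:\c90c1f2f6d955b87ff5b\; every other row is PID 2216, the 32-bit mscorsvw.exe NGEN service, writing into the fifteen processes it spawned. The script below is an added example, not part of the sandbox report: it rebuilds that tree from rows in the table's flattened format, computes the sample's lineage, and separates same-image edges (mscorsvw spawning mscorsvw workers) from cross-image edges, which are the ones to check for injection. SAMPLE_ROWS is a constructed copy of 16 of the 64 rows; the regex assumes image paths without spaces, which holds for this table but not in general; and the heuristic that a uniform small write count into every child is process-creation noise while an outlier count into a running process is the interesting write is this script's, not the sandbox's.

```python
"""Rebuild the process tree implied by 'Suspicious use of WriteProcessMemory' rows.

Added example; not part of the sandbox report. SAMPLE_ROWS is a constructed
copy of 16 of the 64 rows above. ROW_RE assumes image paths without spaces
(true for this table); a path with spaces needs the sandbox's structured export.
The outlier-count heuristic in odd_write_counts() is this script's, not a verdict.
"""
import re
from collections import defaultdict

# "PID <w> wrote to memory of <t> N/A <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE_PID = 1152  # the detonated sample, per the table above

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"
DROPPED = r"\??\c:\c90c1f2f6d955b87ff5b\install.exe"
NGEN32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
NGEN64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
SPH = r"C:\Windows\system32\SearchProtocolHost.exe"

# Constructed copy of 16 rows from the table (four writes per pair, as in the report).
SAMPLE_ROWS = "\n".join(
    [f"PID 1152 wrote to memory of 2520 N/A {SAMPLE} {DROPPED}"] * 4
    + [f"PID 2216 wrote to memory of 1848 N/A {NGEN32} {NGEN32}"] * 4
    + [f"PID 2216 wrote to memory of 948 N/A {NGEN32} {SPH}"] * 4
    + [f"PID 2216 wrote to memory of 1512 N/A {NGEN32} {NGEN64}"] * 4
)


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per well-formed row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            wpid, tpid, wimg, timg = m.groups()
            events.append((int(wpid), int(tpid), wimg, timg))
    return events


def build_edges(events):
    """Collapse repeated rows into one edge per (writer, target) with a write count."""
    edges = {}
    for wpid, tpid, wimg, timg in events:
        edge = edges.setdefault((wpid, tpid), {"writer": wimg, "target": timg, "count": 0})
        edge["count"] += 1
    return edges


def children(edges):
    """Map each writer PID to the set of PIDs it wrote into."""
    tree = defaultdict(set)
    for wpid, tpid in edges:
        tree[wpid].add(tpid)
    return tree


def lineage(edges, root):
    """PIDs reachable from root along writer -> target edges, root included."""
    tree = children(edges)
    seen, todo = set(), [root]
    while todo:
        pid = todo.pop()
        if pid not in seen:
            seen.add(pid)
            todo.extend(tree.get(pid, ()))
    return seen


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cross_image_edges(edges):
    """Edges whose writer and target are different executables: the candidates
    for injection. Same-image edges (mscorsvw -> mscorsvw) are NGEN workers."""
    return {k for k, e in edges.items() if basename(e["writer"]) != basename(e["target"])}


def odd_write_counts(edges):
    """Edges whose write count differs from the modal count. A parent writes the
    same small number of times into every child it creates, so an outlier is
    the write into an already-running process that deserves a closer look."""
    counts = [e["count"] for e in edges.values()]
    modal = max(set(counts), key=counts.count)
    return {k for k, e in edges.items() if e["count"] != modal}


if __name__ == "__main__":
    edges = build_edges(parse_rows(SAMPLE_ROWS))
    print("sample lineage:", sorted(lineage(edges, SAMPLE_PID)))
    for (wpid, tpid), e in sorted(edges.items()):
        tag = "CROSS-IMAGE" if (wpid, tpid) in cross_image_edges(edges) else "same-image "
        print(f"{tag} {wpid:>5} -> {tpid:<5} x{e['count']}  {basename(e['writer'])} -> {basename(e['target'])}")
    print("outlier write counts:", odd_write_counts(edges) or "none")
```

On the subset the sample's lineage is {1152, 2520} and nothing else; the write counts are uniform, so no edge is an outlier. Two edges are cross-image: the sample into install.exe, which is the dropped file being launched, and mscorsvw.exe into SearchProtocolHost.exe (PID 948), the one pair in the table that does not fit the NGEN worker pattern and is worth checking against the Processes list and PID reuse before reading anything into it.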

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

\??\c:\c90c1f2f6d955b87ff5b\install.exe

c:\c90c1f2f6d955b87ff5b\.\install.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e0 -NGENProcess 264 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 1e0 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 284 -NGENProcess 1e0 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 24c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 240 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f8 -NGENProcess 220 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 268 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 23c -NGENProcess 220 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 264 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 220 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 1c4 -NGENProcess 254 -Pipe 224 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 248 -NGENProcess 1e0 -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d8 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 1d0 -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 1e0 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1e0 -NGENProcess 1d8 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 274 -NGENProcess 1d0 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 288 -NGENProcess 240 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 1d0 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f8 -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 254 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 29c -NGENProcess 2b4 -Pipe 1f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 254 -NGENProcess 2c8 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d0 -NGENProcess 2c8 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c8 -NGENProcess 1d0 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 284 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2bc -NGENProcess 2dc -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ec -NGENProcess 284 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 284 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2ec -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 320 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 33c -NGENProcess 338 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 328 -NGENProcess 2fc -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 348 -NGENProcess 334 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 338 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 34c -NGENProcess 348 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 330 -NGENProcess 338 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 330 -NGENProcess 34c -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 320 -NGENProcess 338 -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 360 -NGENProcess 350 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 350 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 34c -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 338 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 338 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 388 -NGENProcess 34c -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 380 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 380 -NGENProcess 390 -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 388 -NGENProcess 3a0 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 380 -NGENProcess 398 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 35c -NGENProcess 3a8 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3a8 -NGENProcess 388 -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3b4 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 398 -NGENProcess 35c -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 35c -NGENProcess 3a8 -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 380 -NGENProcess 3bc -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3bc -NGENProcess 398 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c8 -NGENProcess 3a8 -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3c4 -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 398 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a8 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3c4 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 398 -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3a8 -Pipe 3c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3c4 -Pipe 3cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 398 -Pipe 3d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3a8 -Pipe 3d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3c4 -Pipe 3d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 398 -Pipe 3dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3ec -NGENProcess 3fc -Pipe 3f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3d4 -NGENProcess 398 -Pipe 3e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3b8 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 404 -NGENProcess 3a8 -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 398 -Pipe 1c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f4 -Pipe 3f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3a8 -Pipe 3ec -Comment "NGen Worker Process"

Network


Files


MD5 2735d2ab103beb0f7c1fbd6971838274
SHA1 6063646bc072546798bf8bf347425834f2bfad71
SHA256 f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512 fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 9c60454398ce4bce7a52cbda4a45d364
SHA1 da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256 edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 c26b034a8d6ab845b41ed6e8a8d6001d
SHA1 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0fd0f978e977a4122b64ae8f8541de54
SHA1 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512 ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 6eaaa1f987d6e1d81badf8665c55a341
SHA1 e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512 dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4189bcbcf4b30b03e768cb7abfe7a840\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 8e8f90ba637a3f2e7475944748be90e8
SHA1 2bfc0b1f651fc5b85c87b4d2eaeb2a9b37e317d9
SHA256 2e40f5d981fb1e8567d1d2f1d3b65adec01907bc979df46d2ab936172ce1c9c3
SHA512 d5ecbe40e40ccd0bcf0414b2cabff3a5e335bf8fb882eed6217f5320b2361cbe71233f6aa070f58d64530b5b9db7aeb413e7b631c857eec7790c72336cbcaf33

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 1eff63517430e183b5389ba579ed93e2
SHA1 5891927b05adc6db5464fb02469c113a975ebbf0
SHA256 b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856
SHA512 2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1e386825c6c22cf2fe2db0d0da8d6814\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 9da2695164dce5c9849aa56d38d48b7d
SHA1 ed6a57f846920f4c299f9b070bd3e18a3930a9cb
SHA256 3bc4ff013a99ff8ccb471dfe99fb1585beeecb5e047c65842373f333a241ad06
SHA512 a871cb6e345ff0b955526abb7a2f6d9210d650c3c560c4e955ac2c057977970c4f5f9661c98d43ee71ef29dd34dba732fc84832596e3b9979d68687a36dbdc1e

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b53c55f9e32ef6d22ef66abcf5b05015\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 d9bd0c8180132ff728f548b83e18d673
SHA1 6550247441c22cd799e14b6a9f9362e56b14a691
SHA256 98abe744abcbe3b983b32e143e0c36606205faa2d627d30479bdb2482714c494
SHA512 541ad211f56df03b5d55c1e85af65c0a97edb7beb0827cf7f4a3912853abb47479257140c3430aa2d907203f9e3866ffa1fec074cb2666b0b82743f6d662fdcf

C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

MD5 7812b0a90d92b4812d4063b89a970c58
SHA1 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

MD5 3e72bdd0663c5b2bcd530f74139c83e3
SHA1 66069bcac0207512b9e07320f4fa5934650677d2
SHA256 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512 b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 aeb0b6e6c5d32d1ada231285ff2ae881
SHA1 1f04a1c059503896336406aed1dc93340e90b742
SHA256 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512 e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

MD5 006498313e139299a5383f0892c954b9
SHA1 7b3aa10930da9f29272154e2674b86876957ce3a
SHA256 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA512 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

MD5 e88828b5a35063aa16c68ffb8322215d
SHA1 8225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA256 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512 e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

MD5 c76656b09bb7df6bd2ac1a6177a0027c
SHA1 0c296994a249e8649b19be84dce27c9ddafef3e0
SHA256 a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA512 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:48

Reported

2024-06-14 06:51

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\9871720669af61c60e\install.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3ac506894ba38143.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ef03ef726beda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca3a42fe26beda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb42a7fd26beda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b32b1bf726beda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ad65efe26beda01 C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A (35 identical rows collapsed)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A (24 identical rows collapsed)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A (5 identical rows collapsed)
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A (3 identical rows collapsed)
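Reading the four-column signature rows above by process changes what they mean. The "Checks SCSI registry key(s)" rows are attributed to C:\Windows\System32\SensorDataService.exe and C:\Windows\system32\spectrum.exe, and the "Modifies data under HKEY_USERS" rows to SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe: all Windows services that the Processes list further down shows were started during detonation, so those rows describe service activity inside the sandbox (whose QEMU and Msft Virtual DVD-ROM device identifiers they happen to read), not an anti-VM check by the sample. The rows that do belong to the sample are in the privilege table: SeTakeOwnershipPrivilege and SeDebugPrivilege enabled by the NeikiAnalytics binary, plus SeDebugPrivilege by alg.exe. The Python below is an added example, not part of the sandbox report or its tooling. It parses a constructed subset of rows copied from the tables above, attributes each row to its process, extracts the hypervisor markers, resolves the raw LUID in the "Token: 33" row (winnt.h defines SE_INC_WORKING_SET_PRIVILEGE as 33) and flags privilege use that a benign process would not need. The SAMPLE path, the marker list and the flagging rules are the example's own assumptions.

```python
"""Triage of sandbox signature rows ("Description Indicator Process Target").

Added example, not part of the sandbox report. ROWS is a constructed subset
copied verbatim from the tables above so that the script runs offline.
"""
import re
from collections import Counter, defaultdict

# The submitted binary as the report names it. Assumption of this example:
# rows from any other process belong to Windows components started during detonation.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
""".strip().splitlines()

# Process column = the first whitespace-delimited Windows path that runs to ".exe"
# with only the Target column behind it. Paths inside MuiCache indicators are glued
# to '@' or '\' rather than preceded by whitespace, so the lazy indicator skips them.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Set value \(\w+\)|Token: \S+)"
    r"\s+(?P<ind>.*?)"
    r"\s+(?P<proc>(?:[A-Za-z]:\\|\\\?\?\\)\S.*?\.exe)"
    r"\s+(?P<target>\S+)$"
)
# The sandbox left one privilege as a raw LUID; winnt.h: SE_INC_WORKING_SET_PRIVILEGE = 33.
PRIV_LUID = {"33": "SeIncreaseWorkingSetPrivilege"}
# Registry strings that identify the hypervisor (assumed marker list for this example).
VM_MARKERS = ("Ven_QEMU", "QEMU_DVD-ROM", "Ven_Msft&Prod_Virtual", "Virtual_DVD-ROM")


def parse_rows(lines):
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # header, blank or malformed row
        row = m.groupdict()
        if row["desc"].startswith("Token: "):
            name = row["desc"][len("Token: "):]
            row["privilege"] = PRIV_LUID.get(name, name)
        rows.append(row)
    return rows


def is_sample(proc):
    return proc.lower() == SAMPLE.lower()


def attribute(rows):
    """Rows per process, split into the sample's own activity and Windows components."""
    counts = Counter(r["proc"] for r in rows)
    return {"sample": {p: n for p, n in counts.items() if is_sample(p)},
            "windows": {p: n for p, n in counts.items() if not is_sample(p)}}


def vm_fingerprints(rows):
    """Hypervisor markers per process; read only by Windows services, they describe
    the sandbox rather than an anti-VM check by the sample."""
    hits = defaultdict(set)
    for r in rows:
        for marker in VM_MARKERS:
            if marker in r["ind"]:
                hits[r["proc"]].add(marker)
    return {p: sorted(s) for p, s in hits.items()}


def privileges(rows):
    """Privileges enabled per process, raw LUIDs resolved where known."""
    out = defaultdict(set)
    for r in rows:
        if "privilege" in r:
            out[r["proc"]].add(r["privilege"])
    return {p: sorted(s) for p, s in out.items()}


def suspicious_privileges(rows):
    """SeDebugPrivilege opens any process for memory access and is rarely needed by
    a service; SeTakeOwnershipPrivilege from a binary outside %SystemRoot% is the
    other thing worth a closer look. Both rules are this example's assumptions."""
    flagged = {}
    for proc, privs in privileges(rows).items():
        reasons = []
        if "SeDebugPrivilege" in privs:
            reasons.append("SeDebugPrivilege")
        if "SeTakeOwnershipPrivilege" in privs and not proc.lower().startswith("c:\\windows\\"):
            reasons.append("SeTakeOwnershipPrivilege outside %SystemRoot%")
        if reasons:
            flagged[proc] = reasons
    return flagged


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    print("attribution:", attribute(parsed))
    print("hypervisor markers:", vm_fingerprints(parsed))
    print("flagged privileges:", suspicious_privileges(parsed))
```

On the subset above the hypervisor markers all land on SensorDataService.exe and spectrum.exe, and the only processes flagged for privilege use are the sample and alg.exe; vssvc.exe enabling SeBackupPrivilege is what the Volume Shadow Copy service does on every snapshot and is left alone.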

Uses Volume Shadow Copy service COM API (tag: ransomware)

Processes

C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

\??\c:\9871720669af61c60e\install.exe

c:\9871720669af61c60e\.\install.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 npukfztj.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp

Files

C:\Windows\System32\alg.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\9871720669af61c60e\eula.1031.txt

C:\Windows\System32\FXSSVC.exe

\??\c:\9871720669af61c60e\install.ini

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

\??\c:\9871720669af61c60e\vc_red.msi

\??\c:\9871720669af61c60e\eula.1033.txt

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\AgentService.exe

\??\c:\9871720669af61c60e\vcredist.bmp

C:\Windows\System32\wbengine.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Windows\System32\msdtc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

\??\c:\9871720669af61c60e\globdata.ini

C:\9871720669af61c60e\install.res.1033.dll

\??\c:\9871720669af61c60e\install.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Windows\system32\AppVClient.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SgrmBroker.exe

C:\Windows\system32\msiexec.exe

C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

C:\Program Files\Mozilla Firefox\crashreporter.exe

C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
SHA512 c1426f234ceefe38434f265b8895015a867cf5dd7276c0f6def7eb0e2ad7e5a0803f9dadeb7e51fae9d61a3cb6aa01ab22a3bf07d8a994844dd1223f79d16293

C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe

MD5 e3e96272b2c7393287352c97ec2fbf62
SHA1 9a34670a3742c1417810b1fafff44c2ff27b1a33
SHA256 d87edfc31fcb4f8eeba8ef071ce2349b6aff879d3cb450227d14e4ae4561bb97
SHA512 6c034d8e7d66073f610cdc31330ff0ccd4b296f77b3b57d991c642a1e0fbe30114018634d7c5943f0f780635673bc21d71c273c27977ab17fbab4b705080ad9a

C:\Program Files\Java\jre-1.8\bin\policytool.exe

MD5 a0209a3f2121bc302ad4fcabe2da7314
SHA1 ce3130d7ebd14a798971189d5fb28b9b099202e4
SHA256 bb3cd8b02b29e317f1d3d92ec36547e6145098ca382326c55561c803c40a8a89
SHA512 9e7dd845c7529d347d31f25a6b496b36d27e1cc5c5cde55a7b43824d3bdd1f4f3c06d8483495cbf3069fd405f25337c7b17bec84a75c9c0eee8ebc02a6f66ae0

C:\Program Files\Java\jre-1.8\bin\orbd.exe

MD5 6e27f77223ee94ff86456bf46497eb5b
SHA1 1759954488f27cf2936cc4f6b5caa6d2e6effd91
SHA256 e38a0eca1537a4c384461a21f4056d7cc3f755624c179c2175b2e396e31231e8
SHA512 dc81e7ca1386c87e569a79533c9b0a97c43263493a81a75a3d7e69c7b4a43987c480adb006ad733ad45eb4feede6d407339b5eda6a5fda57dd342c0f91ff5e4f

C:\Program Files\Java\jre-1.8\bin\klist.exe

MD5 5a4d75599bb3fa5b64c55c1de2c18cb5
SHA1 e745e674bf51b207fb3c19c3b8b3800e4081a27f
SHA256 dbd4cd984d13c69210d52d6c10778e66fa65d5e2e60867b009b894355f18fa5a
SHA512 45dbc1b6e889b85ed301101bda55c9db560b1dfac09ffb076abbc3b35e0032a8369740ddd6e8544b4584a25316328c27a9bf7b5469dfdcad85ef15b2b482e232

C:\Program Files\Java\jre-1.8\bin\jjs.exe

MD5 d99fe6fed791d56d04b19df1c22cef9c
SHA1 d2399e9612ae804f50cd263d8c4b3f9833a3539b
SHA256 31d1ce0eec988f1b7f9f754bc80575f9a3504fd4ef98f7945f07a04abee37163
SHA512 0873e59ae7e4a1b80c587e37c7af5eb8cf2b791c44940c4335d53724200aaac3c6ab339727edc4619fb30c65734e39fbf70f9279ee52a52bdb7d6790d754e81e

C:\Program Files\Java\jre-1.8\bin\javaw.exe

MD5 a1b8f12ca27fc4298c34cbdddc299de2
SHA1 442ffbe1d674741d47793cfd4752553203fe8c8a
SHA256 64f3619c48cb63b484df145dc41547f20005292104b27d68be8e93c7d477ed3b
SHA512 d54d0bcba2a0b2ba34d77606b3b3c2542c48baf2ac4f2238e9281f23549a49ce218e8857dd6c793007658c3ddc307edc8cfa57cec7f4702cbae056b4278a2a3d

C:\Program Files\Java\jre-1.8\bin\javacpl.exe

MD5 fc1d29c4165fcab4611b118ff187f25c
SHA1 9dce268e544f2e65e5be7a2a04aa868a9f2096db
SHA256 175052638752fcedc3f74430ba7e6b13ca7d62c471137b5046748c6b55e23c71
SHA512 bd8d2d9c56f2ded47ef4c3ccf3f7394f477b22cc5f8353dae8e1a322bef89f4db28a36eca63d6b1bcf1a0b202e71b782502129ea47fa68eaa9e6167cc490e1fc

C:\Program Files\Java\jre-1.8\bin\java-rmi.exe

MD5 e8c4878bceafb9197433a4b3c3af3cba
SHA1 50d331f02e444c92c27ad5ec7c2f59a7eb3ef36c
SHA256 e2b25407648a305843a5a5b9252e020a587212c8e978e2ccf007671364bbdb40
SHA512 6eab026dc26c7a44e5238ea75d57bb029fcdcad2b83d13bbb387512eec9a776900b216d806a0be7e30dc6501069037c48d94bded5574b9feec506777ed384faf

C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

MD5 0429e36a2b7ba1cd4c48241d924f445b
SHA1 ff1bd74c7fb3434e0e1ac538d165313e1fab32ab
SHA256 7b1d9ebf762f4ba8c5b207487e5b8c4c78cf9d5d864a0c3165ec2a6c5f113b15
SHA512 7dd549aa96fd025c1054d0b9271b1a72e39451d15a6799c61b5882f99d9f8211e702cef718fb630f0242bebf013f78efdb94b3f918e37a0638945d941f888cb8

C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

MD5 22c14b2cfc1b4a319988caf9c9f682b3
SHA1 eca0adf93ddedd6f597c2e53eb9c3d3a5f624f6c
SHA256 38c18687eea0564a54634ee6254cd48946019b1f2c9f83ee2af8c0c54b70796c
SHA512 2734ca3bdbcbb91437e13b82822ff68bcf1a5e754d7594d643390a999c631773aba2dbcd28ee3dc6c3a7b5a7571a768fdc4fc982b556097077a75f96dfe80a14

C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe

MD5 d102353d189282d216ed3688c4de9a6d
SHA1 8be7611c82511c0614565e31accd6f2951884585
SHA256 9fb5b328ad914e9978d6acce3e5235930b5963f77a2e640e81ba213ada79afd7
SHA512 2eeaba1e2e870bc3b96559548a2b10cb366cc4c0a5889b41a0af8fc037d318cb69392a07c662441c519e595ac77ff3f4126a4f41d9f4db7baebecaf620c7d175

C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe

MD5 154aadf852d23e1528022b15b8baf811
SHA1 5df7c2ebcc82e94b8345fcc7674f7a9a8c9621d6
SHA256 e7c83b5d73a815cc894c69ae06a4f2cd792bb666a86c4ff0679fce6d3cea48d6
SHA512 eb87b19658cec4697f57b9e9f6d8d49f6a2004ab78ae2dd6cf9b62c7cfb3c425e28d8bed7d5e23d0ca12db939f7c8675ef400cb386e714afc3a9709e6a55ce47

C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe

MD5 3c3924f77a48b6aa63c37756de412569
SHA1 c3d3ea7ccfb21e95c9f3d5ceeea61dc22dbfe917
SHA256 9fe2c0869c3d80979f3ca5a91a97ab28358a89f6504e3e2c0932795567d2926b
SHA512 98a861e5589df0861b9b7496f5e792df01b79b7d3ca4d3019e5e9feae6fb4f4c3fc9c2bf35ca05bb3e5250c60634730ffc6aba666ef93f4afedc6b36a954a7e6

C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe

MD5 f10eeed517074a9beb5c7d7b6ba40ba1
SHA1 7770d6118549b8fca900e308ae0c9a3276d258fd
SHA256 4fca621f31a2ff15f0f653b2b2bce98610dac95bc242a2d6c957afac4f12f73a
SHA512 2f284707456c8c29e71441036dd7d22480cf69f38cac3433fd778a260821c33191bc1d1b501ec0ad2aca1d46afa58f378e9b0a1cfb4c654ebe85a9e08c953a06

C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe

MD5 94ee693eaebd3227045d620b308efb84
SHA1 faf575ff3c654bc7246ee08f56b80365d7df5d18
SHA256 d886b5a8d7ba0fbc9b06835bf64e06eebdab72d3d60fd4f6e043f83e31824e0c
SHA512 6a598737e10cb2b9d8505f0b169bd3f05ce0bd6734485a88daffe457b3c3c8580eb2390f151a7fbb8c1aafe41ebbabb9489edf91b96f1398bdfc389aa166a4ab

C:\Program Files\Java\jdk-1.8\bin\xjc.exe

MD5 77a45d035907d7ea6449a94d4813cd58
SHA1 415014f14c3c5934c9955476d1c3379b6213e80d
SHA256 58cb998cb1a0c0615001d74298f3c878a91d89e96f830acaeec9459a2946dcc4
SHA512 d0c3b136d9a5cf02b18371735c4534fcd5273feba6da741b7a715c63cca28248d3632cfa0493313077a7df9b1b4701e41f0c3e89f56d6a788fecbececa283ce2

C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

MD5 06cc94401d202584af9690ef3c39094b
SHA1 bfd0459134bf9c660ae5bcc9963b8a3979bd2eff
SHA256 8eb58c07c6d5b5b09a3cc1409b9050e793f518c8f0a32bf30c03cc72136afa27
SHA512 a3718245c22d80f0e88c27c952c4843f4fc9c5c8886154b7166f9a17d207703fe64c11f98f54a3bb3eea9fa477e72389f8007e2de599aea91979882a41586fba

C:\Program Files\Java\jdk-1.8\bin\serialver.exe

MD5 f9edd8bc7f3125da134659b7452326fe
SHA1 081055cd24f2cf44f92dfaf06e34e25f72b92f27
SHA256 32a73afc4507f8f492c7cceb5c34f295e78dfde284c7c789e194c576ff0e2043
SHA512 6942a91994af3acf25423fd756380497ae1150c70ee41a1a1c91269dceed21e9f567a39669a33b6e53f34492fcfe45f0e9876be352777c25cbc7f3faa9b914c0

C:\Program Files\Java\jdk-1.8\bin\rmid.exe

MD5 d8a99aad6e9258ec9b5322841b0645d4
SHA1 7864323fd2bfb93470ab7f725274b1f51f303067
SHA256 3d41248a26068ae178adebdce25eff55396a39338e328ece489879d091448ebe
SHA512 a75fb7ee69a0d0a595e0285e3209ca9cadd8b2ea0f90217564f9d56944c154cb5873ef6018e84411327f562ab85fb8821793cc9458c9a0567eb80adebdfe080e

C:\Program Files\Java\jdk-1.8\bin\pack200.exe

MD5 1026f8ddd90252b0bbac39e2e26dc336
SHA1 8057151f9c1e4c515bd1e9ae664e161da5072924
SHA256 50414ebda4480a99e3895788c08a95a5210cc3de23718cfb19e7941b01af84c3
SHA512 ee5253c152c80f687882093785bffd6837dc59fb94a43f7bf34b31c4a34f5201991b186bbfeb6eaa852198d112620619578d4cb05bae40f129b0524fd0d13c44
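Added example (code written for this page, not output of the sandbox): the listing above pairs each path with four digests, with memory-dump entries interleaved, and a practitioner usually wants it as something a host can be checked against rather than as a wall of hex. The format assumed below is exactly the report's (a path line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines, and `memory/<pid>-<id>-0x<start>-0x<end>-memory.dmp` lines); the function names, the `ALGOS` tuple and the verdict strings are my own. Two caveats are built in: every path here is a legitimate Windows, Firefox or Java binary, so a host file whose digest equals a listed value matches what the sandbox recorded for that path and should be treated as an indicator hit, not as proof the file is known-good; and the sample excerpt copies one record from the listing above, so the parser skips orphan hash lines (such as the leading SHA512 of a record cut off by the page break) instead of attaching them to a guessed path.

```python
# Added example, not sandbox output: turn this report's Files listing into indicators and check a host.
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple, Tuple

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")  # the four digests the report records for each path
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<dump id>-0x<start>-0x<end>-memory.dmp, exactly as the report writes it
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass
class FileIoc:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


class MemDump(NamedTuple):
    pid: int
    dump_id: int
    base: int  # 0x140000000 in every entry above: the linker default image base for 64-bit EXEs
    end: int   # so end - base is the mapped size of a PE image sitting at its preferred base


def parse_listing(text: str) -> Tuple[List[FileIoc], List[MemDump]]:
    """Path line opens a record, hash lines attach to it, dump lines stand alone; orphan hashes skipped."""
    files, dumps, current = [], [], None
    for line in filter(None, map(str.strip, text.splitlines())):  # drop blank lines
        if m := DUMP_RE.match(line):
            pid, dump_id, start, end = m.groups()
            dumps.append(MemDump(int(pid), int(dump_id), int(start, 16), int(end, 16)))
            current = None
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                continue  # excerpt cut mid-record: never attach a digest to a guessed path
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current.path} has {len(digest)} hex digits")
            current.hashes[algo] = digest
        else:
            current = FileIoc(path=line)
            files.append(current)
    return files, dumps


def build_index(files: Iterable[FileIoc]) -> Dict[Tuple[str, str], List[str]]:
    """(algorithm, lowercase digest) -> every listed path the report attached it to."""
    index: Dict[Tuple[str, str], List[str]] = {}
    for f in files:
        for algo, digest in f.hashes.items():
            index.setdefault((algo, digest), []).append(f.path)
    return index


def hash_chunks(chunks: Iterable[bytes], algos=ALGOS) -> Dict[str, str]:
    hashers = {a: hashlib.new(a.lower()) for a in algos}  # all digests in one pass over the data
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_file(path, algos=ALGOS) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(1 << 20), b""), algos)


def match_digests(digests: Dict[str, str], index) -> List[str]:
    """Listed paths whose recorded hash equals any of the given digests (hex case ignored)."""
    hits = set()
    for algo, digest in digests.items():
        hits.update(index.get((algo, digest.lower()), []))
    return sorted(hits)


def scan_listed_paths(files: List[FileIoc], index) -> Dict[str, str]:
    """MATCH: host file hashes to what the sandbox recorded. Windows paths, so 'absent' elsewhere."""
    report = {}
    for f in files:
        if not Path(f.path).is_file():
            report[f.path] = "absent"
        else:
            report[f.path] = "MATCH" if f.path in match_digests(hash_file(f.path), index) else "differs"
    return report


# Excerpt copied verbatim from the listing above: one dump entry and one file record.
SAMPLE_LISTING = r"""
memory/1356-304-0x0000000140000000-0x00000001400C6000-memory.dmp
C:\Windows\system32\SgrmBroker.exe
MD5 5af1f0552072f79e961d12121674ac5f
SHA1 b2516fbaa32689ddbe9c39e10ba509da7a467e09
SHA256 2d2b01023eea7bd5cd93716ab48a549955251fe764246d6ea2851e2cca4f79bd
SHA512 ffb70e4fe243183102b8e02863f254e8706f6825f0cc7ca95b8b7b450bb5a08d59d27400088b0becea9372559dafbb338c2d6fe98b70663d214b785f23631419
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    print([(d.pid, hex(d.base), hex(d.end - d.base)) for d in dumps])
    for path, verdict in scan_listed_paths(files, build_index(files)).items():
        print(f"{verdict:8} {path}")
```

To use it against the full section, paste the whole Files listing into `parse_listing` and run `scan_listed_paths` on the Windows host under investigation; a `differs` verdict only says the host copy is not byte-identical to the sandbox's, which for patched system binaries is expected, so the actionable result is `MATCH`.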