31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Size

1015KB
MD5

bce0818b2abc09329ac710ae006848a0
SHA1

8d14a052c9beae4bf64d4e346c6f4ac069acabbd
SHA256

31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb
SHA512

5cfc0eceab553368e9307882f32dc0f34a3821c1394eb0c22250df20b16fd2899db8e6a2adeeb7693073a381202c6e1f11e7540faf25ca144b7f5c115253b5ce
SSDEEP

24576:75lB2hkhfvCpf2fTfg1N3RUDHNmdPCAaq8Nozgi/rE0TOj:7l2hEvC4fTfY8HNUPCAaq8Wdo0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2248	alg.exe
2712	aspnet_state.exe
2708	mscorsvw.exe
2580	mscorsvw.exe
2448	mscorsvw.exe
1848	mscorsvw.exe
2116	ehRecvr.exe
2556	ehsched.exe
700	elevation_service.exe
2648	IEEtwCollector.exe
2412	GROOVE.EXE
1788	maintenanceservice.exe
1604	msdtc.exe
2892	msiexec.exe
1536	OSE.EXE
2508	OSPPSVC.EXE
856	perfhost.exe
276	locator.exe
2380	snmptrap.exe
1676	vds.exe
1512	vssvc.exe
1620	wbengine.exe
1792	WmiApSrv.exe
552	wmpnetwk.exe
1660	SearchIndexer.exe
2848	dllhost.exe
1564	mscorsvw.exe
2032	mscorsvw.exe
2152	mscorsvw.exe
2552	mscorsvw.exe
2196	mscorsvw.exe
2220	mscorsvw.exe
2692	mscorsvw.exe
1572	mscorsvw.exe
1632	mscorsvw.exe
2500	mscorsvw.exe
2024	mscorsvw.exe
2032	mscorsvw.exe
1188	mscorsvw.exe
2940	mscorsvw.exe
916	mscorsvw.exe
1316	mscorsvw.exe
836	mscorsvw.exe
2764	mscorsvw.exe
2932	mscorsvw.exe
344	mscorsvw.exe
2656	mscorsvw.exe
1560	mscorsvw.exe
1828	mscorsvw.exe
1364	mscorsvw.exe
1316	mscorsvw.exe
1424	mscorsvw.exe
704	mscorsvw.exe
1584	mscorsvw.exe
772	mscorsvw.exe
2956	mscorsvw.exe
2772	mscorsvw.exe
2092	mscorsvw.exe
2228	mscorsvw.exe
2968	mscorsvw.exe
1384	mscorsvw.exe
2636	mscorsvw.exe
1968	mscorsvw.exe

Loads dropped DLL 57 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2892	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
760	Process not Found
476	Process not Found
2956	mscorsvw.exe
2956	mscorsvw.exe
2092	mscorsvw.exe
2092	mscorsvw.exe
2968	mscorsvw.exe
2968	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
1184	mscorsvw.exe
1184	mscorsvw.exe
1100	mscorsvw.exe
1100	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
1444	mscorsvw.exe
1444	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2200	mscorsvw.exe
2200	mscorsvw.exe
1788	mscorsvw.exe
1788	mscorsvw.exe
1220	mscorsvw.exe
1220	mscorsvw.exe
2424	mscorsvw.exe
2424	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc5a346d2ba452c3.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP87D5.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC783.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFBCC.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A24F0545-8418-4225-B313-3EA229D87F68}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP864F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP89A9.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8160.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000807446bb65c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2420	ehRec.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2128	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: 33	1220	EhTray.exe
Token: SeIncBasePriorityPrivilege	1220	EhTray.exe
Token: SeDebugPrivilege	2420	ehRec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: 33	1220	EhTray.exe
Token: SeIncBasePriorityPrivilege	1220	EhTray.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeBackupPrivilege	1620	wbengine.exe
Token: SeRestorePrivilege	1620	wbengine.exe
Token: SeSecurityPrivilege	1620	wbengine.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: 33	552	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	552	wmpnetwk.exe
Token: SeManageVolumePrivilege	1660	SearchIndexer.exe
Token: 33	1660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1660	SearchIndexer.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeDebugPrivilege	2248	alg.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeDebugPrivilege	2712	aspnet_state.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	EhTray.exe
1220	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	EhTray.exe
1220	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe
108	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 108	1660	SearchIndexer.exe	56
PID 1660 wrote to memory of 108	1660	SearchIndexer.exe	56
PID 1660 wrote to memory of 108	1660	SearchIndexer.exe	56
PID 1660 wrote to memory of 1592	1660	SearchIndexer.exe	57
PID 1660 wrote to memory of 1592	1660	SearchIndexer.exe	57
PID 1660 wrote to memory of 1592	1660	SearchIndexer.exe	57
PID 1848 wrote to memory of 1564	1848	mscorsvw.exe	59
PID 1848 wrote to memory of 1564	1848	mscorsvw.exe	59
PID 1848 wrote to memory of 1564	1848	mscorsvw.exe	59
PID 1848 wrote to memory of 2032	1848	mscorsvw.exe	70
PID 1848 wrote to memory of 2032	1848	mscorsvw.exe	70
PID 1848 wrote to memory of 2032	1848	mscorsvw.exe	70
PID 2448 wrote to memory of 2152	2448	mscorsvw.exe	61
PID 2448 wrote to memory of 2152	2448	mscorsvw.exe	61
PID 2448 wrote to memory of 2152	2448	mscorsvw.exe	61
PID 2448 wrote to memory of 2152	2448	mscorsvw.exe	61
PID 2448 wrote to memory of 2552	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 2552	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 2552	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 2552	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 2196	2448	mscorsvw.exe	63
PID 2448 wrote to memory of 2196	2448	mscorsvw.exe	63
PID 2448 wrote to memory of 2196	2448	mscorsvw.exe	63
PID 2448 wrote to memory of 2196	2448	mscorsvw.exe	63
PID 2448 wrote to memory of 2220	2448	mscorsvw.exe	64
PID 2448 wrote to memory of 2220	2448	mscorsvw.exe	64
PID 2448 wrote to memory of 2220	2448	mscorsvw.exe	64
PID 2448 wrote to memory of 2220	2448	mscorsvw.exe	64
PID 2448 wrote to memory of 2692	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 2692	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 2692	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 2692	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 1572	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 1572	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 1572	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 1572	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 1632	2448	mscorsvw.exe	67
PID 2448 wrote to memory of 1632	2448	mscorsvw.exe	67
PID 2448 wrote to memory of 1632	2448	mscorsvw.exe	67
PID 2448 wrote to memory of 1632	2448	mscorsvw.exe	67
PID 2448 wrote to memory of 2500	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 2500	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 2500	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 2500	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 2024	2448	mscorsvw.exe	69
PID 2448 wrote to memory of 2024	2448	mscorsvw.exe	69
PID 2448 wrote to memory of 2024	2448	mscorsvw.exe	69
PID 2448 wrote to memory of 2024	2448	mscorsvw.exe	69
PID 2448 wrote to memory of 2032	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 2032	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 2032	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 2032	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 1188	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 1188	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 1188	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 1188	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 2940	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 2940	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 2940	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 2940	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 916	2448	mscorsvw.exe	73
PID 2448 wrote to memory of 916	2448	mscorsvw.exe	73
PID 2448 wrote to memory of 916	2448	mscorsvw.exe	73
PID 2448 wrote to memory of 916	2448	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2708

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 250 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 1ec -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e4 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 27c -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 288 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 28c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1ac -NGENProcess 1b8 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 250 -NGENProcess 228 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1b8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 228 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1b8 -NGENProcess 228 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 25c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 228 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 228 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 278 -NGENProcess 25c -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 270 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 298 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 288 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 288 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 254 -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2d4 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 288 -NGENProcess 254 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2e0 -NGENProcess 2b8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d8 -NGENProcess 254 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d8 -NGENProcess 288 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 288 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 288 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 288 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 300 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 334 -NGENProcess 288 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 310 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 338 -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 288 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 288 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 288 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 288 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 308 -NGENProcess 35c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 36c -NGENProcess 288 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 288 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 368 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 368 -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 308 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 388 -NGENProcess 378 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 370 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 378 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 368 -NGENProcess 398 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 398 -NGENProcess 38c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 288 -NGENProcess 3a0 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 3a8 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 38c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 378 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3ac -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 398 -NGENProcess 378 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3c0 -NGENProcess 3b4 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 3d4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3d4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3b4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d8 -NGENProcess 3e4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3ac -NGENProcess 3b4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2116

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:700

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1536

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2508

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1592

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
7f11a078ae876939735782c576846478

SHA1
d98fbc50effba296a72102464508a31af3a7c91f

SHA256
88ec8bec802d6898aa9c34a39f4ee45b2e14ff6014dde32741672ebf9b2f3389

SHA512
548615f2dc47536aefb4116fe644627c86857c978b0a4821a805ea55528eb8917d053d1f7a519b5f440b7c610c87db0af551157b5fcaac6c3c1aadc4838c2cb5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
382a6cda57ae3a71e7ba4ec555517651

SHA1
348b1cbc60df499e823bbba11f8e859ea7b0cca4

SHA256
c043fa6e3b06c78da52c235b09cd8e6936aa351496066d7ae08bf2e3948bb405

SHA512
556cff0d8250e3c248ffec922fd63dd3cf5414f9f41d70bf2a3b8e69b2ec531040de85c3f0d75b729b7142f87a9b3bd77810931ff69f6f583b44dc4af7bef674

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
680de0efa0e349a7c693243499b1f8b1

SHA1
735c6165d0a125c2f4e9ee832b0ba41d0b49e91d

SHA256
b40a4eeeb20bd44973fdf220ca2ea6a119859c10e67a3510c4c828ae159aacf3

SHA512
268712874102b73bd6d63c110f174fb5c599d55a79c19a434dfc8b4892bc75c2709947e28c1364f406d0d841d6119db34341f9bc8cb94bab9d63ce73008543cb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
d3c444e812a734e7774941f26af8a1e1

SHA1
a1249dd99867e4d4953cf27ef2efc5919507246c

SHA256
b948d3d9d5495ba9cbbd8cb4a6d1b746b47d460665c9f5758ab2451a5031b58a

SHA512
8d1e3b8b07694bf2d0dbe4a19b55627eadd95e2b537e05c6acc039841c4ee90d472544e5eb9181af4af998c38571d05689558e177b9a0bba7d80528a23f6e935

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
8597230359338282343df3b9cef93468

SHA1
43af4f4e9c219122ad768b793e55eba7a7a99090

SHA256
0dbbf212f446655d9560d0dee54f9d4475c7c9fb48f39dc16f9c4fc917e63709

SHA512
ec15c6808ad2569915d835eaa57b90332f66e02028bba6b98618d6ba42a912f6233a6e255ea88213d051a40b48c9e9be07d77ec7e422a9fd49aa7b4cb8cd4633

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
3d1c2de730f03b77d8a50e14af2d8e6a

SHA1
845807aaff0f1162f93e596f69c68f244c984cfa

SHA256
758da724eb9041bc6ea6339368a00880dc4b656295cb1abfb698b79d9df19d16

SHA512
c906b32754ed64bb8cff39dc9abada78b10b52d8726d5aed22d83099c64e43ebc2094414a99e2a70b35c242e6e64d2d0ee8905cf88eaae5e9478dad0c2ea51ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
38f50ee157c48c1e422045ec2dbb8666

SHA1
a69ed9aa13d2808fda6b19e543590dc7fd7f2f91

SHA256
03fefdfd01f7e0ade1e233aac583f3aa5df109aacb1b5674a19b9181a5faf41f

SHA512
938b6ac4f311143b3a243a06c875bcc48219a99b352beb878ee7a742c259b0140345c67fdd2c27b12cf5718e0668ef723bf94b3f812f9b0de42eb28092b89c6e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ad56ab04d9302e85ca66295cbf64b26d

SHA1
b1c788773f106198ee14367f584711f4290b36c8

SHA256
e90d6a6d2d7d0e6ba71e91bcaa163a8c7d5b2959b432a0ddc01352a991684278

SHA512
a1f112196aa0c0c74ebb7ed4d65ab7c96e3dbcb75db0d1e481f5c9176d89df29e10dece005200f694603c9222056d1cf580056a5938526d31efa6d1afd2b455d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a7a54416ff6934afe5ebe5fd32a54e3a

SHA1
e974ca63b3787fd4395c38fa2d842d2acef72f7a

SHA256
1d466710e73dc87d47d0d1f45286867c6ae88d1c43121da43f6dce5b9cae204c

SHA512
da7989fb45f427e27382d8e8908d1074a8e26ebdb738e71dbc65cd2c3e892d461575a9d0e65f9d0d587b9a1b2ec389e6f51854c615b82bcfd83b9d059d44a94f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
259c656c5fa0a5414b05f77f3d6f7a52

SHA1
e87815649744f20208353874da73ebce34f174f9

SHA256
6966afde29ac1f8d80c8614bc06e477bbde00aeb93e3d86e3e2c91d1bb07fe58

SHA512
b3a681fa7e748bdf3e8c026b36692a3b5feb67f5b79537d9ad9de4277449d1fd1772665b798cf87144cd2bb023b4d7aee7e20b025923886eb43be5322d8f27ed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bb27adcc8dcd36206fde3005c0949c1c

SHA1
6498f80d393f903f67db3ff0a177fa4d0b79d898

SHA256
91b068dbceb5ceaa203e91d81f06e010dea4fc38b06cd32c234884c4feab654b

SHA512
61bcea70b560afafec9a16017ec1e7c9ef155b6f353126dd9f4d89c9472f74d2fb5e4d433edf897628f3b9c63247a7c7240037b47f8078c1110e20fe649fe4d4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d43384084347785a8f00eaac057cfc84

SHA1
baca2d856efbb771a08ccd660c382d9b4c9a0545

SHA256
259d9d10cfb9ff7edf6d704e810486bf1464c801e03039a7dfe74831a5226d4c

SHA512
feeac3c59171cca2783a9c045d3a7674d000061bde21d2c1d1c39e633af2399330f7ebb68754ba778e2551c030cb2a97473890fcd5bce8fad6b55b8fe935de30

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
2198c80ea1d88d0302e667b7625abd64

SHA1
f89f2e0a4c8d7aaacf8c3a88071e886d27a0c78e

SHA256
ecbf465f5bd2b28b2ce9c7592c87f39bb6ed9e419e9b95a9abbdcb0a5c6c49e6

SHA512
886b1374552d3b0ef14b8eef5e26a7a87dc1005fb7d6ad9a716f65fec7b233272d898091e0d398491c4d40ea50ff8210775b5662dc9d97aee85e5ded76cce8de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
e939cc1cbe870ad3c5e012accf2d830a

SHA1
79c0b96202c211d68744cfdd97c2745aa9466cb4

SHA256
57b418e62919188465917ff2e63ebb21cbfb7bf45a9f84c017e22ba2ddd01eef

SHA512
0d5a6ea774b4992ed62649ee624bb21cc0705d2cc413de577bfbf122248b55f2f8a07b537add08f1ce1202066e2f14633e41ed457884ea9696cad124bfa07810

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
539e6b3fa45152069b6e3df60b38579f

SHA1
5a775526e75ce06d2ab602832c23834626e6174a

SHA256
6fb32070160435fc76830e49c8057d5fb61f7373cfc876891f796facebfee715

SHA512
a126df27e407cbd61c29aed49b4787bf285ffb7940daebb15f5933407be199965f19f3dbf3561d313c39d809d35617164afb1041ffe1d3014a89f8c9575e9ece

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fa46e5f2e45ba9ee959ad60a810a1e09

SHA1
ffba2418cdf1b70089573cfbd9d1dabd229e4165

SHA256
41201de1cd25533264a21399823f9452c74b767345b2e35fc84dbac6e4e94495

SHA512
5cc9bb847601f480a800027890ff94baff6008961ebc5f5bb1bd13820853aa4b3f5b6dbb834967166e1c313179ae3d1c5a46efc47f64202a19a9037215c7bcb7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d737117c842af41a17a3f8827cd306b8

SHA1
b99b1f48a2d9525f4f0af4b13f6ba0592195a977

SHA256
dfb3d789f3801e8fbdaa67a29cada6df7e8d6c64f2df5b0cbe72ec5906c58feb

SHA512
8dc1bdd801691e59ff9907b1d9bba88cbd9a576f1c358355d61250a8f30b760a724d7d2583cb929bcdc4d60d70b1b5ed254d9320ad69852c5a035c0d508595f3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5e244e5fc5e4de11cbcc3adb8bac63bf

SHA1
4304930972459798b504e2c8058275a5deaa4302

SHA256
b2854bf64ab8b388b799f2173aca8484c3bcfb34281c4f7a2705611354057c24

SHA512
dc6ae2ce92083bee2409cc2bc0eb300aee47f441059ada8f5c7a9eeca63e02022e443ed0f81d0e3d16809c6f488cca7ce24067de349a02c618b3d02ccab32b59

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
915a8797b5ff6e83d36f3d28dc961aa6

SHA1
cc7fc417cd38a6e308c6691ab47b895aa3d546c0

SHA256
9cc7493eec1b575001256499343805283307dd0ab0f6de5258e2e612a5fbf09c

SHA512
d75f1b24f75c5c0800eaa889b82ff17cd4c40d3319994232f88ac80d724d96529475aa62aa643c96d4200089b5a9999e9f26feed6c8ef605c1a7be4098b4ef22

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
4b132657a3bb725e802fca63f5f8fbad

SHA1
fbf301c6281490ec6301ff536b60a754565b7495

SHA256
2f5ee64bfda311d5dbae3b091ebce1d0b12e6e47286ba02f828cc8a54c709d52

SHA512
1ded0bd1e95b4a5665d5bec5f9595dd24b6ab0103198e3da159a8bad7f191a373f05e1a2c764b97d10235753d9cc61842f5ea7ba24916a2280f3a6fdcf31a300

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
87c33d6f8ba2c1735ee67030fb609095

SHA1
40d6b4bdb758cdd571c7ebfec7dcaef863bb191b

SHA256
7a27b20dbc1dd8f4dd1fa2c0cad44a1c0c17f1959b678b821e65b3fd81ab6972

SHA512
9440ee863d02f8eedab03f0e8f74f255a943be102182ba238c10c9aad537c00f19c6be62bac4eac0970bdc45710103917a2a4b5a6f2326351cdaf63f43675c7c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
7655a71129c86eaa0ed0888804c6c767

SHA1
dc466e30a2185269f8f9cf6bbb503295874e02b7

SHA256
87ab1f1c9b876082959b590e542e3559241c2142493ac88330e30547b22df759

SHA512
52ba427b6748b42092a47b0458de46e9981455ad24abb63b36a6889e09e72f192aa4494030c998875fc0c4026326a3b68289f070b914c350e9e38e8a2cb47b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9a3586a1e5e0215eea123afd6350a81b

SHA1
c763d2a2ed9b596bdbbf55d40f77321f7ec6262f

SHA256
e9c009aad361691ad20f02a53aad071df513d77a83d1386241f8cdb0a950217a

SHA512
ed6e6e68df29271fbc28918969423382a8bc8b7a84a51431585661ab944223ee5b80223852a8c2f9259b545c75e5d49b79460edaf9f237210aca4b2aeab9b5d2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
acafcbd5dd16fae7749673e042093f46

SHA1
b517d927612b7bbcbc2027966e757c3e9c97fa4f

SHA256
92a75f9769d20f4ec396fbfd8444ab66270bad051cb2a893df3bd18695f6175d

SHA512
caaf952b99ece09a26f1a6f7e3ed2fae8a189a6aba8487b05f9d295d64803e49cccb4e21f2dce0cf8dc96ba3a726722680ec2d386ed1e426e2b067435b7a1179

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
b8dd0e025c67109440194e78f90bae31

SHA1
63775541be77637d5ca0bb743f11db4506526b6b

SHA256
bd26db6874367a8da67a882706fff73834c0a5b3bfac01b6ba9b0ddcc32a66a0

SHA512
dd61f435483294eaaf53b31d241ebc1ba2851c8f9cd57884b1e57e05cb7b50953e1438f0bddacea2f4cc306be2707342950149cf992647004e1c539e7c4416e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0986990ba0880c979e05b832bf979f67

SHA1
9c00358e90756d1431db6b935c8e6bd329246c4d

SHA256
d26a8493da6721cc0fec662048d2dff3778760b4b5bdce4cb08b8ec25a60d59b

SHA512
feca538501af565a3fc8bd64d8cdcd0e491e89c050252c8ee1d3a38e7a5e044c55710c34c998180e1f13e5ad7b464f3790873e2f016ea364e95c1478612f7dab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
87cc16b3848b3e623ab2c96b64e373dd

SHA1
7a15f546aa2cf8a44bff39d3b497f37d24f4f742

SHA256
5f29f6371abdbecc960dff1bcab44058b37c5ec6bd48f284cfa8589a112a6446

SHA512
22d1c947913613b440bfd1ff94742eb91c11d92449870ef59be5ff9b93c871997bd77416291bc2520d3310444c6b62cf0c0a7d91d321db8dd3ebc7468c9be18b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a5ccc1d2d73a5bd72b63c5ed3c7f75e0

SHA1
323b851a70e7bf69cb6d0c960cab5fb27983b506

SHA256
55d6cbe524a039b8f99cb798f4e08bd08793674d8c5b4146315318cbf8464403

SHA512
3f8710eed83c67deb84c6ab11351513865b63346cda2120e9ab849bfc5a21d65a0d84f1dcff8a65aae08e62d29f83caed4cd537886ddd30e5533d0ede1c39551

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
6267e70c545ec41a22fd20446f7a3b27

SHA1
75c731bf75532efd86ccdc53335062809607ed63

SHA256
2a8ca198e4b9a2302dc8cf70ef1ce7baa6e99d67915a9627b113fce36ac24930

SHA512
32f8665735e9c89e2e7f9746298d12c141e33b3d63eb3a317ae0bdf609b8b5cdac03d10d57a03b6911ebf98e0a5952d78e7523f199640ba33a51b760668648ab

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
4ea9bc5689e79b53c768bb2f8c8b9f65

SHA1
fc4106caf7ca5e3b3e1167463f30244a04e9f663

SHA256
12588187789e73bb78d28cf0840ee494fb1d10f155884f022133a298233f20c7

SHA512
797e019fe37dfc6b65265846cfb19a616488a48c7ff22aae5e7c7cf4a8c3a5f022085baf70c351c5a6ae726d7ba2549497013922a184b00bbd07c5d65359a39c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
364c5f4635ba7393770140bbab400109

SHA1
2b6548a8bb1300d4fc8f01376a0845526ad8ac96

SHA256
7382618b0c91bd0d13d15aeff5ff71f8ed2962a1e7202d0ad7a8242877cccf58

SHA512
45af18fb98df9328bd76b992731e2320caa0e0e3bf99acff9ebb01610f275a0be045f38fd96e2295a68114f067e5a0cc8801b892439463ebe0a5647ce49cf53d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2f9cd69d8b11f632a672b6d001245aa6

SHA1
e8928c0a2e8c969d113cd80f1ed64096dd0ce44e

SHA256
937ff428d5cc25206ca19d0f3a7ed6f32567db0605d59758756ad1b09d5930ac

SHA512
cadd139198cde29dc6c46a8aa00d51c8c708dd4d268843761977faea3acb3087c879bcd1fbbc0a5b5863454c69d9f1cb614b2342a29f6d78c8685486d2d03d37

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
aec4ea883c08a47991a4f5d9fff7f1b7

SHA1
06151fbc00eb00e4d4ca9d89ac6bdc4393285779

SHA256
6aa9296e763508b54393ea23077a7488d695ab4bc53f5af68d7ddc0a4cccc9e4

SHA512
e4e4f2f442c58bc9b889a0381e4c14b5843e8d94257ad01d704d94d5ade2c25c207f2f6b8aef925ab117953e203a14e98ff1e108409d81baac4e77bb99643576

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
d5be432b5f0a340d42f8ede51c81ec42

SHA1
8564e3528ac87e8f0b44f3b242c7e7a1ec28adba

SHA256
47cf2720bbecb67e7e01b48d23d3e869a345ce1f9bb39d659e112edb7d6c656a

SHA512
13515be38b425cb38df9f460c7928c99c9b455a06c3873e12b1f300dce16e3d94be2184e99f70ab4265db5bb906338c6e4c51d14ca4bdf677731bc3828015f11

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
af3b13a529875e806e44037afe3787e6

SHA1
62b9e001f03958ebc7f0dc5518eca6a232e0f272

SHA256
63559b823b661fab5160a6943f4a97ef69db49ab883f3317629def283b638e6d

SHA512
4185b41510d8901f8d5c86d310c5504222df3af80871a8632ad75ed91c42d4496d0ca5943bc75529f65c280a35f98cbae08f08494889496ddff87630cd9ed592

Download Submit
C:\Windows\Temp\CabFB7E.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar236A.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\952ede05f03f8e49e4c4acd4a8064c3f\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
fd49f76f160b520a0b0c23cccd734643

SHA1
9d20f4ed1ffe27fe76e2b2328e3aa213bbdbc4f7

SHA256
9265926395c7e5bf87059501a2268c94bd566129e4d9bb361745dbf5eb7d2acf

SHA512
767b072bb4f52e47522f855238541598e56f3e819ec5852f3bbe092c00747fa6823d113e84716e6ffad88b55f5ae2715446359aab158693ec32ac01070b03bed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\97b8b3f279c29f2d4263e4b88b6ed2d5\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
5660cc7b4f71c4b18ac768eab81ae63d

SHA1
869ba02b54120fdde186d94987f4620533c43256

SHA256
a43891086717ca79902558dc45d6cd6f75ec5cd24d60e1b5360306c35429498a

SHA512
5788eaed091b0fce4eb95000542abc771f7aca2e1804758478813bf6c36d35cfb116284dad50d0f665f527af6de1ec540d0150973aded3a8b7d69442fa99fa79

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d101e1016e726f03da427c7c6fe6e4c9\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
47b796528ffcd83c86aaee56d93e9213

SHA1
bdb494f20bcef2287e662b812da2cc39296e286c

SHA256
9cda91a0c6acaa862c2ede8a86ab4d0f2d5542211da9bf21da0c316171d9f940

SHA512
3ba2f70fdc6ad368f375538cc3239753f41ea8b6f73a600590a53938fbd5554ec257601ecacc1f8ef6b23091929347d58344347b155fb4b4aeb5d4fbd10d13bf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ee94c280c81a2eb335253812436447ad\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
291fc723d939853a31b9ee00666b91db

SHA1
3d8a3302e0a3574ba0bf5a2f76b343bde070913d

SHA256
1df4093c1d52a29bcee248fbe5bf6300f2f6bb15d260e7439c10bed2d1091770

SHA512
efd1cc76aeef13bc3c3f5fc6e0d537e2a48e498d15b49af0efaeb1004c484d54bf38d2d423bf15b26363bb43b5fa9baa1ce8ea68c74f7bfc80e2b124a54c2a42

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
f70c6a107a1b0c8f65ce09b5a7ac45fd

SHA1
272c2639bc3a60fb0596b1d6769288644dfc1527

SHA256
9cb3c5187dbdd6a2ac92a18cd2f846e1d33bd350f46055afa41b123a1efc089d

SHA512
f43fc03d743d84ffadbb8bbfc06bdf22e9997a26ece654903c5219e172c3ecdfc417f9bf99a08539d1f147680f5bd9b478c4b87bc94d95bc7894fed322548345

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b035feffc1683673e32389694c27cf11

SHA1
9dfb345924daf4b4f60d8022efb4a1c2f5ef83be

SHA256
54e93aeca5dd61697b0860251a59ad88e2c9f18cddc9d04fe236085a5b310870

SHA512
65ae6196b479ce6a54b0ab78fafbd4c0e12cb1c18de54a8a874ff87095d8e4061cdaf774a770c434838ff500e8aa1004d7f85226d47f95467793b1fca7ce2b1b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
56e9363ed8b3b24cc1a12b909ad6a7b7

SHA1
e716f4ec446041779d46baadf487ab7ef83f681e

SHA256
853e96e4db261b6d40b280b2290a35f3eb3ce459b17ade417f818303d9db450f

SHA512
0f03630e406af825c0833dbfb2d0d3dfc2609562286f15273c11a09e8af464f73b557030c249df26212edddc8e7c6409ccc3294998c49a9e0eea4c25807fef86

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
28252d47979c40dd0bf0b0860fa03fa7

SHA1
7080032b3848f132e981112dcd099ed2c4c92f04

SHA256
29f5f05b964ef8db93da54c3599c26887e4222b3b26af8b5a3b058bba448988a

SHA512
f0719c29314adc37a0eb5c7ffe704737a48a4089544e6c593c548914fc4494abb13d193cdae8f95f5ec40264cd2a8e74ce583faaba4c0af98d20915526eafb93

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
e3947b194f6ad85596cf6ec22e25f263

SHA1
5a5fb9cefe112d075d528a62d999e4889220e876

SHA256
266126fa2acd863ebdd67be07e2557ffc9f11d8807ddd7142bbeab6dcdf02b86

SHA512
659ca00355a6b8bb3d341ecb42e1b00dc593044a2c6ee7187cf22e8eb9ee40da5091e3435871d09588be6d4ee6a4b0a7f86607ef2c263de702ccaa4d55f963cd

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
eb06157795feda515aa10c742c96e40c

SHA1
9f7aa4a7127347946f6ec49947b7a606d0c581b7

SHA256
e0f84f322f3ba39bb9787d49e7086ffe2aabe75ccf6187290c56c188c9e00659

SHA512
2bacc25550991b538709fe2bf4e634e04988cc3fdd074b12cf8869aca176de84160cf7fb1c6e68816e5eca63f9fafdaef211c16b99d26366fc8017728facfd3c

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
27eb69e0e2bccd706a68906fa5155112

SHA1
9c24f6aff09eba8a2633b76f3527b5e385f02bec

SHA256
549087caaf3907fd21a1ae08efeb08154bfbb30ad52f63f768d9cb45edf5c088

SHA512
19b1bfe8a8952e494ac2b3c2a554edb6c6c100667a07a512db163f3e0090ebc89ab8b33269581c49a761e50ceb3f41c10d0e4541114d277bcf0ca88f2311606f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
e946517e1a552e80ac56a8bcd89b5515

SHA1
2a7148cb6c8cfe8a10f9489008e3489491c8f273

SHA256
dce4d5dd825302417be02fbb8fed83e192175d76f1fb1a20e9042c5c84fb87fb

SHA512
0b8a9807a8f7b01ec704e57e33d820ebecdc1fc938d335e249fd08b7a9a18c3883b33be3ee485f1793a123ed71f0c1825a49c39a28483ff909f136b7bb791d6c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
cb636f1f6b573815c1b57c6daa92dcf8

SHA1
e11e8d33bbdf6ba30bffd9717332b547df6ee183

SHA256
718f1ddbb950dd0de2411926e2c4401375044e89ca987ce23384aa7bf6d7a004

SHA512
7d366f915e6936952e950d76ea7ed4897468c131d04299fc7e0bfedd00ce1601d167c6e095cde50e42e13dd8dbf1940361ace47aa05cb5526a4488a2390f867e

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
3ba491da9e2256d3679dbda3b340492c

SHA1
d6bbaf31c8a304caf6f36e6effaf2e132cd79c1c

SHA256
631a7d96953c33d78b086f844b6cfd9677d89a23b74a96897b6ab770ca19e753

SHA512
2026e2c4d5ec2c19c13499b7df322617812fc9c00e1cb3cf1742cefa010fc6d91c0107e2eb8c6d56f86d8dd90748b0056a92d572b2e7b3e4ed0a7a88643505ec

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
80bc88c7b9c874c3a241b116fd6d746b

SHA1
11869aebe3753e5b14a343bc79e4efac0cecab34

SHA256
6c832467410bbefaf22d499785248f66fe6abfbf986496a0582d3a27712047d5

SHA512
e07a1e31d33068c8a80625167ce2d3971b4c1af84b0749455f646702bdae083b8d6afcf8668cb493c135ceecd86d33842fdcf6d12d0ffbe527cb61001a1623fc

Download Submit
memory/276-605-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/276-263-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/344-849-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/552-707-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/552-330-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/700-145-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/700-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/836-812-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/836-809-0x0000000001AF0000-0x0000000001BAA000-memory.dmp

Filesize
744KB

Download
memory/856-248-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/856-584-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/916-779-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/916-790-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1188-773-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-801-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-791-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-892-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-889-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1364-881-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1512-300-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1512-664-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1536-222-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1536-342-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1560-862-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1564-608-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1564-585-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1572-720-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-708-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1604-303-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1604-184-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1620-304-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1620-684-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1632-723-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1660-710-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1660-343-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1676-298-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1676-650-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1788-170-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1788-195-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1792-694-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1792-324-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1848-86-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1848-87-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1848-214-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1848-93-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2024-754-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2032-744-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2032-758-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2032-606-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2032-623-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2116-230-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2116-110-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2116-117-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2116-116-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2128-535-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2128-8-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2128-1-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2128-69-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2128-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2128-6-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2152-660-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-641-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2220-685-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2220-688-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2248-22-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2248-109-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2248-14-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2248-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2380-276-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2380-635-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2412-297-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2412-168-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2448-72-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2448-77-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2448-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2448-210-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2500-743-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2500-732-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-558-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2508-239-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2552-663-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-122-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2556-242-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2580-52-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2580-59-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2580-53-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2580-97-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2648-157-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2648-275-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2656-852-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2692-699-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2708-44-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2708-106-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2708-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2708-39-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2712-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2712-136-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2712-34-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2712-28-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2764-829-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2848-539-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2848-731-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2892-200-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2892-329-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/2892-322-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2892-211-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/2932-839-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-780-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-776-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download