800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
Size

648KB
MD5

079eb7470f298eef02723f0ecd201ea0
SHA1

f0bade17f3459d492bd443886c2d33bf27530b33
SHA256

800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2
SHA512

96e09b53706b05a0de7b92212ce4136cac9ea0db18b5c71dc69942f1f5f47d38371c59748101233c90628a6072ff83bab83a4a6c689bd2c6b848c3a35a3debcb
SSDEEP

12288:6qz2DWUzVqKNdQ8yRK6rkObwsToHOOWGgqvoEWH/lInNg4JYU5a0Cuxy:Tz2DWyVqIi2lObXobHAEW9INFJY0au

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
2624	alg.exe
2896	aspnet_state.exe
2668	mscorsvw.exe
3000	mscorsvw.exe
1660	mscorsvw.exe
2968	mscorsvw.exe
1976	ehRecvr.exe
2584	ehsched.exe
1480	elevation_service.exe
2176	IEEtwCollector.exe
1896	GROOVE.EXE
1800	dllhost.exe
2256	msdtc.exe
2112	msiexec.exe
3064	mscorsvw.exe
1344	OSE.EXE
2552	OSPPSVC.EXE
872	perfhost.exe
2484	locator.exe
948	snmptrap.exe
928	vds.exe
2816	mscorsvw.exe
1684	vssvc.exe
2848	wbengine.exe
1656	WmiApSrv.exe
2424	wmpnetwk.exe
2216	SearchIndexer.exe
2404	mscorsvw.exe
2408	mscorsvw.exe
1324	mscorsvw.exe
1640	mscorsvw.exe
2824	mscorsvw.exe
2236	mscorsvw.exe
1280	mscorsvw.exe
1760	mscorsvw.exe
2932	mscorsvw.exe
2984	mscorsvw.exe
432	mscorsvw.exe
2812	mscorsvw.exe
2924	mscorsvw.exe
584	mscorsvw.exe
2932	mscorsvw.exe
2056	mscorsvw.exe
3000	mscorsvw.exe
1996	mscorsvw.exe
2824	mscorsvw.exe
1912	mscorsvw.exe
236	mscorsvw.exe
2080	mscorsvw.exe
1704	mscorsvw.exe
1032	mscorsvw.exe
1712	mscorsvw.exe
2212	mscorsvw.exe
1688	mscorsvw.exe
2300	mscorsvw.exe
2752	mscorsvw.exe
588	mscorsvw.exe
360	mscorsvw.exe
2404	mscorsvw.exe
1688	mscorsvw.exe
2128	mscorsvw.exe
672	mscorsvw.exe
2436	mscorsvw.exe

Loads dropped DLL 55 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2112	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found
2300	mscorsvw.exe
2300	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
2924	mscorsvw.exe
2924	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
1608	mscorsvw.exe
1608	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
3016	mscorsvw.exe
3016	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
1964	mscorsvw.exe
1964	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
880	mscorsvw.exe
880	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
2248	mscorsvw.exe
2248	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
1496	mscorsvw.exe
1496	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7700133e8ab55808.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5B1B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP41A2.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4E20.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP58CA.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP497E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030b1c6a17fc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000106173a17fc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A4058307-8B72-4EB3-BB5D-7BEB9F52CFDC}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2592	ehRec.exe
2896	aspnet_state.exe
2896	aspnet_state.exe
2896	aspnet_state.exe
2896	aspnet_state.exe
2896	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2576	800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: 33	1712	EhTray.exe
Token: SeIncBasePriorityPrivilege	1712	EhTray.exe
Token: SeDebugPrivilege	2592	ehRec.exe
Token: SeTakeOwnershipPrivilege	2896	aspnet_state.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: 33	1712	EhTray.exe
Token: SeIncBasePriorityPrivilege	1712	EhTray.exe
Token: SeBackupPrivilege	1684	vssvc.exe
Token: SeRestorePrivilege	1684	vssvc.exe
Token: SeAuditPrivilege	1684	vssvc.exe
Token: SeBackupPrivilege	2848	wbengine.exe
Token: SeRestorePrivilege	2848	wbengine.exe
Token: SeSecurityPrivilege	2848	wbengine.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeManageVolumePrivilege	2216	SearchIndexer.exe
Token: 33	2216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2216	SearchIndexer.exe
Token: 33	2424	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2424	wmpnetwk.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeDebugPrivilege	2896	aspnet_state.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeDebugPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	1660	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1712	EhTray.exe
1712	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1712	EhTray.exe
1712	EhTray.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2564	SearchProtocolHost.exe
2564	SearchProtocolHost.exe
2564	SearchProtocolHost.exe
2564	SearchProtocolHost.exe
2564	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2500	SearchProtocolHost.exe
2564	SearchProtocolHost.exe
2500	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3064	2968	mscorsvw.exe	44
PID 2968 wrote to memory of 3064	2968	mscorsvw.exe	44
PID 2968 wrote to memory of 3064	2968	mscorsvw.exe	44
PID 2968 wrote to memory of 2816	2968	mscorsvw.exe	51
PID 2968 wrote to memory of 2816	2968	mscorsvw.exe	51
PID 2968 wrote to memory of 2816	2968	mscorsvw.exe	51
PID 2216 wrote to memory of 2564	2216	SearchIndexer.exe	58
PID 2216 wrote to memory of 2564	2216	SearchIndexer.exe	58
PID 2216 wrote to memory of 2564	2216	SearchIndexer.exe	58
PID 2216 wrote to memory of 688	2216	SearchIndexer.exe	59
PID 2216 wrote to memory of 688	2216	SearchIndexer.exe	59
PID 2216 wrote to memory of 688	2216	SearchIndexer.exe	59
PID 1660 wrote to memory of 2404	1660	mscorsvw.exe	60
PID 1660 wrote to memory of 2404	1660	mscorsvw.exe	60
PID 1660 wrote to memory of 2404	1660	mscorsvw.exe	60
PID 1660 wrote to memory of 2404	1660	mscorsvw.exe	60
PID 1660 wrote to memory of 2408	1660	mscorsvw.exe	61
PID 1660 wrote to memory of 2408	1660	mscorsvw.exe	61
PID 1660 wrote to memory of 2408	1660	mscorsvw.exe	61
PID 1660 wrote to memory of 2408	1660	mscorsvw.exe	61
PID 1660 wrote to memory of 1324	1660	mscorsvw.exe	62
PID 1660 wrote to memory of 1324	1660	mscorsvw.exe	62
PID 1660 wrote to memory of 1324	1660	mscorsvw.exe	62
PID 1660 wrote to memory of 1324	1660	mscorsvw.exe	62
PID 1660 wrote to memory of 1640	1660	mscorsvw.exe	63
PID 1660 wrote to memory of 1640	1660	mscorsvw.exe	63
PID 1660 wrote to memory of 1640	1660	mscorsvw.exe	63
PID 1660 wrote to memory of 1640	1660	mscorsvw.exe	63
PID 1660 wrote to memory of 2824	1660	mscorsvw.exe	64
PID 1660 wrote to memory of 2824	1660	mscorsvw.exe	64
PID 1660 wrote to memory of 2824	1660	mscorsvw.exe	64
PID 1660 wrote to memory of 2824	1660	mscorsvw.exe	64
PID 1660 wrote to memory of 2236	1660	mscorsvw.exe	66
PID 1660 wrote to memory of 2236	1660	mscorsvw.exe	66
PID 1660 wrote to memory of 2236	1660	mscorsvw.exe	66
PID 1660 wrote to memory of 2236	1660	mscorsvw.exe	66
PID 1660 wrote to memory of 1280	1660	mscorsvw.exe	67
PID 1660 wrote to memory of 1280	1660	mscorsvw.exe	67
PID 1660 wrote to memory of 1280	1660	mscorsvw.exe	67
PID 1660 wrote to memory of 1280	1660	mscorsvw.exe	67
PID 1660 wrote to memory of 1760	1660	mscorsvw.exe	68
PID 1660 wrote to memory of 1760	1660	mscorsvw.exe	68
PID 1660 wrote to memory of 1760	1660	mscorsvw.exe	68
PID 1660 wrote to memory of 1760	1660	mscorsvw.exe	68
PID 1660 wrote to memory of 2932	1660	mscorsvw.exe	76
PID 1660 wrote to memory of 2932	1660	mscorsvw.exe	76
PID 1660 wrote to memory of 2932	1660	mscorsvw.exe	76
PID 1660 wrote to memory of 2932	1660	mscorsvw.exe	76
PID 2216 wrote to memory of 2500	2216	SearchIndexer.exe	70
PID 2216 wrote to memory of 2500	2216	SearchIndexer.exe	70
PID 2216 wrote to memory of 2500	2216	SearchIndexer.exe	70
PID 1660 wrote to memory of 2984	1660	mscorsvw.exe	71
PID 1660 wrote to memory of 2984	1660	mscorsvw.exe	71
PID 1660 wrote to memory of 2984	1660	mscorsvw.exe	71
PID 1660 wrote to memory of 2984	1660	mscorsvw.exe	71
PID 1660 wrote to memory of 432	1660	mscorsvw.exe	72
PID 1660 wrote to memory of 432	1660	mscorsvw.exe	72
PID 1660 wrote to memory of 432	1660	mscorsvw.exe	72
PID 1660 wrote to memory of 432	1660	mscorsvw.exe	72
PID 1660 wrote to memory of 2812	1660	mscorsvw.exe	73
PID 1660 wrote to memory of 2812	1660	mscorsvw.exe	73
PID 1660 wrote to memory of 2812	1660	mscorsvw.exe	73
PID 1660 wrote to memory of 2812	1660	mscorsvw.exe	73
PID 1660 wrote to memory of 2924	1660	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\800806923dd907856e90bf016f745b91dcf3082f9063f57d98b55022d0dceac2_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 260 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 26c -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1e4 -NGENProcess 200 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 258 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 200 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 24c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 200 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 264 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 24c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 264 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2d0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 30c -NGENProcess 2c8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2c8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2c8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2e4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2c8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2c8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e4 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2c8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2e4 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2c8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2e4 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2c8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 308 -NGENProcess 35c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 36c -NGENProcess 2c8 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 2c8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 308 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2c8 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 308 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 388 -NGENProcess 384 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 378 -NGENProcess 308 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 390 -NGENProcess 380 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 384 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 308 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 308 -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 3a0 -NGENProcess 384 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 394 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 384 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 39c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 394 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 384 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 39c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1768

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2176

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1344

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:688
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
521586c7d1ccf7f5a95b3e9da74ac066

SHA1
3206c3f1a33da63769387f49e8076bb763d63335

SHA256
858831a43818d2fe6e2901cccf9eaef76b8c438c05cf5f3124677566afb564a9

SHA512
54ee094a0851265a4f1c3fec091541cc5b0b20ec03a53ebf2299a63c032e80e5cee8e73876e4fed2443bce53727e2809d256fd7a685b12ce7234eb1cad45aea5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
4a99964b09735125b278444a3df75c42

SHA1
d38ce5475a381a729928254ee181a1f9df78a161

SHA256
a84da469a8490b44d9fb9f120548a8eeb0d40d81070014c37bba1e67a78fe576

SHA512
c856b3e1ba19ed61a1ec57e7fea3abc10ef4eaf6a63218267c7bfe998ca4716b388f69623fb9c14532ac935f8cbf57b3bc99f2c75c1c2dfc98f7899c66dd1f24

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6d15c8e7eab52a3c57eabd51ff229d04

SHA1
0cb93eafa07432565375f52fac50df1e6989126c

SHA256
727f1b649955fe692098e865cdc32f80cd7ced4291cc48708895bd303078b667

SHA512
a6ddb6f42e23da040c92dffb8fc677620f8982a7f7f00083f373e1a9ac70408ccb0673ecd7e08a3105df4f7fe65907cbcc825a7aedcb5a24d186b315bb00005d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
501d5a64eb4f41b430b506ecd9f47364

SHA1
0405fc5df8a27a489185a4ba7d559526e6d59cae

SHA256
98ad28ca97e95a329d585ba2e7108b7d3e69fa44205b1436c7b09a804d3d0fe6

SHA512
82ff90242557e53164b39e05bc0f8b894cb41298ef245bbf053178dcc1a962edb4356dbead688aad973a1581a2b58813b7cd61374bcbea74f985de5985367320

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4d63e38fc0a6a92751251ee82fe3e4ec

SHA1
c8aae7361b2b619682a0173349a90b55c5d10b43

SHA256
83a7561ee9e9c9e8a73cd152b8d2d8ddbbedda6af67c01262f2db02a0208927c

SHA512
607848153268d289c364724b8287c71a9d435ae0e41e1ec6cb310d6f2eaa582abf92bc6548ad5d68742f52114c16ee1fcb34207d76f5459a7237a01a3c5cfc60

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6055cf892a89d7a80ac91f0125a0a6fa

SHA1
5af1dedba22b09023d03de76835bc4768bc83c6c

SHA256
c7ce31c965c402bd66d9dc2e42f0bcc29779308c94a2d0885da493349d464b99

SHA512
cc37c0078e792b93ac75d4dc4469dab3cfde4dfe9c64af8a4c0284b183f9ea9949baf11b3cef646e778af91ea9b7f4fe4d82a531098cac595ffbe335a841ed6c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
8a2cfdd8c5e0c4e407de2b53c85dc300

SHA1
57660eca6e45d0c0d62f83153511380ab18e6901

SHA256
a9fd6ef752531680896f389b9e4f27f706af6d9fb13b372c37e883ce0cbb636e

SHA512
2d42397d74e0000d12d4650e924c33b3fd0b0f005a544b574274051f06095ee5da3ffef03b3118f37527a878414b362f5990c40bdf377d56f7ce6650b68ddb82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
8416365b3a07084c24e948f687934183

SHA1
6c6c469929e65fae9fb892a40834a703e6aba57f

SHA256
0dbe7fbcf81a48dd06ad944a780ee04b08dafd5135ab2e925b91f9e74a83984e

SHA512
0acb187d52261436435ec9bc017293da1ab0ab6fac0d5a144bd449d1ca5d85bf7627de65c708a031d3497cf2cca1869cf4f846d4fbdbbae565dc7ef2d007b9df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c4a144609e46b8266e246d59e46c70ac

SHA1
561cc0a4f6da9c3d424c4c5afa921bcecf595fb6

SHA256
d138a5c6f7e0a8c600f24769e4b2d3ad700fc5816e6635ce905c5194efc37aeb

SHA512
eef0c49b7b1a7d9f25bc601483f83f254b4d9e39803e61a0046d4d61cacc387d3951dbe4ef5060b185e0bf723782072eebe69c830f937a83ace17ed778b96a93

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
40b95f292665d24c054935174c0f2bf7

SHA1
41492f5019b4d65a02920bbaf78d0c9c6442fa00

SHA256
4388614b47b8a99a787ae3d29ec24beb608c8a8d4ed4237e0604627f9790ab33

SHA512
c9c4bf5ea3f539d8d8df6953b7d17735f5f98530c2de55c07fd1f87e89ed068e51013e6d842c5e0299ddfc15d40e3a6ca03ac34601860c321b7965c320f443f0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
486c868003d8d4178c6a16e4681cb89e

SHA1
edf5a1fef3ab3fb08f8c836481ed8608e1d03c3e

SHA256
ef0d4efcfde6236d592c65852d449a1b4080c2ea2bcfde7cf1a201b22feee79b

SHA512
291d0f3d81249cb885adbfe5e0b8e9f32707dabaf7b9af1a8b750c8bd9b10527f8e96684882f574c35a5a1ca6f32b4b47df07b172dcdeaec9311734bc5acc906

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b9161d516fe72a29aaccc75742bcc83b

SHA1
5a36b1bdddd81a16c9b6d7296410430fb537b182

SHA256
fe3c48ce64d0efbcacd65d67e69012ab0fe6a9b0ddc51cf746d53d84b5527bc9

SHA512
79abde81e39beaf8b7fbc7335d262b777017c8c4de0053990a51f5cea3ba11de6320615cc81788cb8dabf334fa03bb5850cf65daa0489de441fa26cb82d93a07

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
7e4db3b5c05fd1cab220a04333650fdf

SHA1
44e2b7ec2432ebbfe16e1ba31911b9cf4f25ef2f

SHA256
ce107f548cc4364d90192ac28fbda35bc075fdda90942f52bc2834ac2851b4df

SHA512
f54122df1bf8f1c305cb47aa9cea5cd3c2238cc4d94dcf7195595958b3314e33640e9ad3adcdc226045f5fa4f745527889453f0e78bb8e84b24b67ab68fd2a87

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
33fa03b3da0e08243b11228c9d6b10f5

SHA1
3a1d5c9c2f0e1c990944bfeb285dafa85751d137

SHA256
29d01155098cf7f62d0f8b753131a0ad68393dc8279558a016fc4b52f44b0b94

SHA512
a484d64162aaef83270a6476e8a2ab7e740d12de2afa21df87c2c349518c43898f3cf3464ec90bac74046ba4a07f493b67f99a03d116e4b2e3c17f63845c6d5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
9bd515163fed25dadc0ab35fd0efb2d4

SHA1
8f2ad510827093f33fcf28fa1709583f6bef22aa

SHA256
80c6d15de1cf3315f183305d45d0d5eaa6d1b66f1e1ee87cf1d2648ff82b60f5

SHA512
354a2bc2772af66cd0d02cccca2706cd22c92fc06ca68c6403695ccbdc32bd39e14dbdec01b9b95d63d1bfe6e34373373eebc63cf34e741c42fbe3a1437e0fc3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
90e5f29ef0ac2c3833168f6328d99be7

SHA1
e594da07c2215e76781389971b078b8fccea07bd

SHA256
0efb38d5adeea46b458dc0de54c5d4892861749266ee1756702314e6ddc71ace

SHA512
f43727d9ebf5f91528fd348c0f6672222f1912bae08dc05714ee2f75cabc17294ef210e2d6d899121b83533766bb4046875db5c0d74d2d868b8f72072869f83b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
a63a7d27d1d82d44426769055b0e361b

SHA1
810c6fea101d0502641d0aad0d6afc4cee4dbbd7

SHA256
a08972fc0c4446ecd73d260a89690de986279f4e227c22d1b3bd8a53ea150d71

SHA512
5f203ffe29faa680fbd0057190b681bc3a36bcc0f0ac39784b24bc27a0eb907a92269ffd7a8f4a48b42b4bee75d3c5022d608d91780e817a2fb2813244336699

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
7bcf311bf9ae472959c6906a00cfdfaf

SHA1
00e77129b225d0d3887e407424beb1aa67a59659

SHA256
df76c57026459cbe334f2a453a1f5881f75265617ef9776d7f5f7c5ee45697e7

SHA512
760179498a8717acb57d5c614578fb66600536f587f7aa9974f7f70982e0d965f3b6a2f8ea477830947b54baeadd483eb23aa676d1a6d0ba1113ff99271e8933

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
868f8c287a172ebef6e4634f9d05dc93

SHA1
57851b6a906975e5040a30618a508a19d1d5b2c8

SHA256
5605a92b2d7664854345143b56f5fdc9203916ffa9515a11eedc35d18f35e8d1

SHA512
e5e24c838fd7c5a4a496aed80a0aa02f6cac4e218b849acb0356233eee1f776492a27f38eecbd229892c0d2fc32dfa699a76555cdead62b7e339d010d659e13a

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
bb8fd4e54942e7e7539ef455999447c4

SHA1
c85f20484a232bc87fee462ee8f335d2323bad99

SHA256
693340e5a1c5178544522a8b8a867685d933b4ec81de77dc0b2d1b5b158207b0

SHA512
fd51ff44e40db805aacbff807180cdfa9a04f1a2b5a115b3037a9bcb411f824d8b58d220a96713a51d5d03a0e27f9fd904135e625b9b78abc65e44101f881421

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
c5e6086013779412c2a286db136f6e98

SHA1
1c37f2d7f803eb7b1b56e8a79e586e98ba7c78c0

SHA256
3f5b0831d8eb27f3ec1f5b7d93ece1fa65bed11a69012b0b2d96bafcb116f1f2

SHA512
db0824d9a151710cdb27787b96d6dcd6fefc6b9499a407dc271cb98c6e26004bb9cab8658ca1a8d9ae049f340af49b7179eb4d49a622467d7368f1096480aaf1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
fd785731ccf5c5960f4585b64006f78f

SHA1
9e17af57658cfddf9a184420b63edf0172d29331

SHA256
0a13d9729c94b405abe6eb07dabc79b634ec478693d1a26d4b585f17eb3a17a9

SHA512
dc3d62f72f50895c08332d727b5874694bfaaa3127b6ef2fb6c01c6835cd8f31a48c791b990e68345e2faca971ffff430e10728b73a78b80a4e300dcc0d3f6f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
6ccf104b29280df85f70395e8815778b

SHA1
eded3ef48495e5c6a40fb82cfd22c4f3aea542e1

SHA256
59439c0f7b0150de3d4430068d2cd0fac7ef5688cb32a7a1fc2d13a818fec045

SHA512
6b91f15d29b421495b59fcdbc8e89c6cd392d130a3860b5a44da900718124509e5f6577e5f307bdc0c2a3e3d0805a3551bad76c14ba091df193c13a2c1521aec

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\04792dd5db23c816b00cdb79ef036174\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
070651771585b826ef5a15472158097a

SHA1
808f8c8c055c6936277fdaf4a495b3dbc5e7b2be

SHA256
049fa265ac1224e0ae40be3e7f395c894b7807068611f9f7c738f7e5ec3a50da

SHA512
e177ae8f7390239b7435e2f3eb2c9752759cd665755823aeae51aaa9cb65da968e16091abdb2101c2128804b504fc29b07def8b3f9fc8eb0d3fca6cdbfe3a20f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\84b608f89889ad6984377af690ccbae8\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
b3117b82f14a8af23beea91b895e6edb

SHA1
3e6609baf3d9e1418f649d0158333c4e3bcb88f6

SHA256
5a7b1f5c37641023776b8b41c277dba00186de126b81fe2a3634469fe77b76ab

SHA512
be7fc91407d10d04abcaa162b073f405a015c0514c81e90ff1a04be5b87637ff21480b9664d1c7be32774401e715f0c76951818d2d9258672b0df670c939b070

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\93ea76a6f0f251b3394ee0d8ac8dd209\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
602ea01014826d481a17d1396a176e7d

SHA1
db556ce4c7303b96e35ae2991bace170f837c9b7

SHA256
64921433f44c1472292f2aa4dcc872fc88942e7a42d3581d9f85ad619c1ff5e7

SHA512
cda748009d87231bd05271cc8ebe290f5b9f681eda47d3e8ce5d499fbf6378bf07ca56d9ac007da750264fba6b6de2e31b3938830907ec4a7a54c41ca2c5d8ad

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fef8a9498a40be600b73db67d4454ad8\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
cbec175477b109bf9bbd1bc4df6c1b73

SHA1
c4ba023fd475ec5caf32125f3df329261cac475c

SHA256
6e303e81ac57db8de2bf1746de50b2a8be4f6a5356a8da78cb9958f1459392a2

SHA512
7ae076b195e4d8cfa6097e0618900ce0105a74efd72fd9eef06c02c0aaebba02313dcf71dc861b51b95e92561fed75e85cd9ef2fa696083a18841b0cb88394e5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b08a682d1b96049d8bf69cb02f863b81

SHA1
66cdd7d512eb7ac0d1c76d10139c6d3af33279f7

SHA256
eb653f2e6a864b6b169d55728200ede3315726e23f91bb07f11b7ceddd49b454

SHA512
83602018d22fefa1e3f2a158576fffe5edf9a86ef89948fa1674d7c1824e21b45d621b54be38a42c2b1fe9cd9cc8c0f73323e638bba43a2c288f564f4ff5d744

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3e56db90cdd44daf196ef0d04196bd93

SHA1
49c79687d2e0756a0ee833ca89360a1d530f3b53

SHA256
a441fbcbd78bebcfc6fe2562680b4e3e06a4998f3803fd0ac66763c9b1fab519

SHA512
12b5cfe1c7e6719c738b770fab97a30378aa72e73be9aa08f56dd17bfbac22fb088ee7b8b6a4126fc283ad3a739a3cc9221f802ea2a60fe0e15aeb3932a3ba73

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
1788996a944b588e8db9af89eab5ada9

SHA1
4f782eee9d5e5137bb56b281c05f3c09c818b331

SHA256
6130d4775bf8b7424c377f29a15b0a96c55e2a241b6ea88591e43046177ffdf4

SHA512
991915b765066d9411cbe61afedab6ee54ac16d1141576171d7d5da7b80038248f3dd803553e66793ef98d110f31f8a35d0d29673433b101ba73bc5fdc1a5327

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
55487191eee780ae7ce3fa05e724117b

SHA1
ce150e71826d7bbb41bdf495b73d324404faf95e

SHA256
0acb353437cfe593038df67868e694a86b33d7e7d9e4cbf6ced5ebb3178d88d9

SHA512
39cf7f26c5e4bb431f379a6beba3823a847001991c3f98aabb1642164a5a752f3f3d80b9b72a8362e82bd6134160d821499e0af35f4ea1dcbd14a265a4c35e37

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
424cf64dedec4faf7be31b2bfd810115

SHA1
079933fcff3b7310c423c4f8d9a155c3865ee18d

SHA256
84385bddae4cf53ad29696097047a83c5cf985d2c9575dc9fb5eda7c09cc1e1b

SHA512
816590bcd3846f0c6bf8d1ffea5c72a5da0df2e16b74493de01d7c48a425644c38e91e6cf65f2195f8541799e1a61d719f933cec326ce9fbb24d8677562abc9f

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
9e7614fca465509ad49f29d5bbf4c631

SHA1
f93613f23ab4daf963674c84e826ceb6638f0c9a

SHA256
234f20df7040f1605a2c55ec4f09618561f83488aee447a335b4844486b113e4

SHA512
5abcc2712a0346ef1d725c0d94cd36384777866f108d40152ab585995c2e2171f5d45ff01c323bfb1640d9f603686494454c154b8d761cae2a1ca13dc5950062

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
48d9d1b7944a53362f6105129e25a4a7

SHA1
c8361d909d8627e7ff113ad642caa96a2ae437f4

SHA256
688edd093f227833a8e10642795d3cb975bc1bd13adb02cdcc5fd6a32ae47f79

SHA512
bf290bbe8d8f553f1ea1e60c7f66b54bd2da5e6f4de0997fd5f4533ebf4f0c8ffb1cfd66074aed1904739d4bc1c55b69e6368edeaa1485b27ddb64d1b41f2414

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3567893ec97ecee107ba9744985408fc

SHA1
37f4d571030d33bdd09fbe8f8bba42e39cd63397

SHA256
31e54f7cd04d89a7249ef58879b0f8ae16ef73c00e21ae84f9978601b2b301fb

SHA512
60a5a4dfabceef2bfac47e805e24fab23e6421822ca11bd8bdb83c64858f6a8c812a81c31ef4e575530146672d4812816e68be7e525a5578c9fc80d9c2cebbf1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
713e869ba6b7bdc716bbc7f3412fea62

SHA1
a884a26dea37370c1d72862997c04d0d3270b4cd

SHA256
9625a2336cf044bedb809805fff75631babf1b34ea50b355693c131f7f22ffaf

SHA512
e523b2fe9bb297ecee261a9456d48516190f68507f4b29fd4d8a0b46e06dbd5f171b65a3d6a7af04f51ed9652dad7f5ce231c1a135bcc2e597eade6d837e114e

Download Submit
memory/432-678-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/432-690-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/584-726-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/584-710-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/872-227-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/872-479-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/928-260-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/928-559-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/948-513-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/948-256-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1280-634-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1280-625-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-515-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-551-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1344-285-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1344-202-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1480-221-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1480-140-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1640-560-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1640-574-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-286-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1656-637-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1660-184-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1660-74-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1660-68-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1660-69-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1684-582-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1684-274-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1760-651-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1760-639-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1800-170-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1896-169-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1896-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1976-102-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-109-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1976-103-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1976-200-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2056-736-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2056-749-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-264-0x00000000004F0000-0x00000000005A2000-memory.dmp

Filesize
712KB

Download
memory/2112-182-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2112-259-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2112-185-0x00000000004F0000-0x00000000005A2000-memory.dmp

Filesize
712KB

Download
memory/2176-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2176-224-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2216-656-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2216-314-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2236-616-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2256-177-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2256-255-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2404-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2404-480-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-523-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-495-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-300-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2424-638-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2484-241-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2484-492-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2552-222-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2552-299-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2576-2-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2576-156-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2576-157-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2576-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2576-7-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2576-83-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2576-8-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2584-116-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2584-203-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2624-115-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2624-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2668-37-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2668-66-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2668-32-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2668-31-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2812-685-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2812-702-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-273-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2816-366-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2824-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2824-605-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2848-281-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2848-624-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2896-27-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2896-19-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2896-18-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2896-138-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2924-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2924-699-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-646-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-724-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-727-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2932-730-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2968-84-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2968-187-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2968-85-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2968-91-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2984-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2984-670-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3000-48-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/3000-46-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3000-56-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/3000-96-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3000-750-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3064-201-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3064-277-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download