Analysis
-
max time kernel
145s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 10:59
Static task
static1
Behavioral task
behavioral1
Sample
cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
-
Size
3.1MB
-
MD5
cc598c4ffb86fe6515b9d1aa25a70440
-
SHA1
b0062c0f12a50fb027e24ec56bfdc8aed718335d
-
SHA256
17c0da57aab4e73976614df015860d5540f514b6e5dd6bf3004ea2fbdd3aea6f
-
SHA512
eee3d108e3f2a848ff57c5f5e767670a337f1149cee6294b225cc84fca2834b0f4ede09be40e4ea09960d54cbaaa29d7c45a7418e816e05e3072bb0114f24030
-
SSDEEP
49152:NFoHgEIXrjXfE44zAKveF+7YdOcYTBZEjUqxZgJGLfgqjJUDYWbX9/i3da1YS6oN:gHgNDfXQ1veFPk5FaoCRrgGUDx9/iyB
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 468 Process not Found 3020 alg.exe 2964 aspnet_state.exe 2628 mscorsvw.exe 2876 mscorsvw.exe 1364 mscorsvw.exe 2724 mscorsvw.exe 1904 ehRecvr.exe 2464 ehsched.exe 2812 elevation_service.exe 1888 IEEtwCollector.exe 1620 VCREDI~1.EXE 1988 GROOVE.EXE 2828 maintenanceservice.exe 1940 msdtc.exe 2776 msiexec.exe 1188 OSE.EXE 2584 OSPPSVC.EXE 2540 mscorsvw.exe 1504 perfhost.exe 2992 locator.exe 1480 snmptrap.exe 1144 vds.exe 2608 wbengine.exe 1652 mscorsvw.exe 1436 mscorsvw.exe 1100 WmiApSrv.exe 2116 wmpnetwk.exe 1092 SearchIndexer.exe 2448 mscorsvw.exe 2440 mscorsvw.exe 1600 mscorsvw.exe 1068 mscorsvw.exe 1728 mscorsvw.exe 1664 mscorsvw.exe 1672 mscorsvw.exe 2236 mscorsvw.exe 2044 mscorsvw.exe 2632 mscorsvw.exe 676 mscorsvw.exe 1672 mscorsvw.exe 1160 mscorsvw.exe 2620 mscorsvw.exe 2236 mscorsvw.exe 2736 mscorsvw.exe 2900 mscorsvw.exe 1516 mscorsvw.exe 2424 mscorsvw.exe 1400 mscorsvw.exe 1604 mscorsvw.exe 2196 mscorsvw.exe 1116 dllhost.exe 1688 mscorsvw.exe 692 mscorsvw.exe 1104 mscorsvw.exe 2652 mscorsvw.exe 2660 mscorsvw.exe 1756 mscorsvw.exe 1688 mscorsvw.exe 2080 mscorsvw.exe 1992 mscorsvw.exe 2456 mscorsvw.exe 2828 mscorsvw.exe 896 mscorsvw.exe -
Loads dropped DLL 56 IoCs
pid Process 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 1620 VCREDI~1.EXE 1620 VCREDI~1.EXE 1620 VCREDI~1.EXE 468 Process not Found 468 Process not Found 2776 msiexec.exe 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 756 Process not Found 2648 MsiExec.exe 468 Process not Found 2660 mscorsvw.exe 2660 mscorsvw.exe 1688 mscorsvw.exe 1688 mscorsvw.exe 1992 mscorsvw.exe 1992 mscorsvw.exe 2828 mscorsvw.exe 2828 mscorsvw.exe 1900 mscorsvw.exe 1900 mscorsvw.exe 2884 mscorsvw.exe 2884 mscorsvw.exe 2012 mscorsvw.exe 2012 mscorsvw.exe 2352 mscorsvw.exe 2352 mscorsvw.exe 2636 mscorsvw.exe 2636 mscorsvw.exe 1104 mscorsvw.exe 1104 mscorsvw.exe 2344 mscorsvw.exe 2344 mscorsvw.exe 1688 mscorsvw.exe 1688 mscorsvw.exe 1972 mscorsvw.exe 1972 mscorsvw.exe 832 mscorsvw.exe 832 mscorsvw.exe 2628 mscorsvw.exe 2628 mscorsvw.exe 1972 mscorsvw.exe 1972 mscorsvw.exe 1400 mscorsvw.exe 1400 mscorsvw.exe 2676 mscorsvw.exe 2676 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" VCREDI~1.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 40 364 msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\system32\fxssvc.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\System32\msdtc.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\SysWow64\perfhost.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\wbengine.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\system32\dllhost.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\vssvc.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\System32\alg.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\f8d871fcae4ef42b.bin alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\msiexec.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\System32\vds.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\SearchIndexer.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe alg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\locator.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Windows\System32\snmptrap.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe alg.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\WinSxS\InstallTemp\20240515110023835.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240515110028016.0 msiexec.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Installer\f777436.msi msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240515110028094.0 msiexec.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\WinSxS\InstallTemp\20240515110028110.0\8.0.50727.42.policy msiexec.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File opened for modification C:\Windows\Installer\f777439.ipi msiexec.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240515110025801.0 msiexec.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File created C:\Windows\WinSxS\InstallTemp\20240515110025801.0\mfc80JPN.dll msiexec.exe File created C:\Windows\Installer\f77743b.msi msiexec.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\WinSxS\InstallTemp\20240515110025801.0\mfc80ITA.dll msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240515110027813.0 msiexec.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7916.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File created C:\Windows\WinSxS\InstallTemp\20240515110028016.0\8.0.50727.42.cat msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240515110023835.0 msiexec.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73AA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP64AC.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP929F.tmp\stdole.dll mscorsvw.exe File created C:\Windows\WinSxS\InstallTemp\20240515110023742.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.manifest msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\F942F94A19C0F79468FD2B85E5E8677B\8.0.50727\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E msiexec.exe File opened for modification C:\Windows\ehome\ehsched.exe alg.exe File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{46F4CE7F-8AC9-4061-821C-E1E66838BDC1}.crmlog dllhost.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe File created C:\Windows\WinSxS\InstallTemp\20240515110023835.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240515110027751.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.manifest msiexec.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6864.tmp\Microsoft.Office.Tools.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File created C:\Windows\WinSxS\InstallTemp\20240515110028063.0\8.0.50727.42.cat msiexec.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7C41.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10057 = "Minesweeper" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000607a9c21b7a6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000403e3a1cb7a6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services" SearchProtocolHost.exe -
Modifies registry class 56 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Clients = 3a0000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\VC_Redist msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\ProductName = "Microsoft Visual C++ 2005 Redistributable" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Language = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\PackageCode = "FA1F9ADB128EB664EAA9BA3CE244C0B1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Version = "134268455" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\Servicing_Key msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\InstanceType = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\PackageName = "vcredist.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 1248 ehRec.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 2776 msiexec.exe 2776 msiexec.exe 2964 aspnet_state.exe 2964 aspnet_state.exe 2964 aspnet_state.exe 2964 aspnet_state.exe 2964 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe Token: SeShutdownPrivilege 1364 mscorsvw.exe Token: SeShutdownPrivilege 2724 mscorsvw.exe Token: 33 1716 EhTray.exe Token: SeIncBasePriorityPrivilege 1716 EhTray.exe Token: SeDebugPrivilege 1248 ehRec.exe Token: SeShutdownPrivilege 364 msiexec.exe Token: SeIncreaseQuotaPrivilege 364 msiexec.exe Token: SeShutdownPrivilege 1364 mscorsvw.exe Token: SeShutdownPrivilege 2724 mscorsvw.exe Token: SeShutdownPrivilege 1364 mscorsvw.exe Token: SeShutdownPrivilege 2724 mscorsvw.exe Token: SeShutdownPrivilege 1364 mscorsvw.exe Token: SeShutdownPrivilege 2724 mscorsvw.exe Token: SeRestorePrivilege 2776 msiexec.exe Token: SeTakeOwnershipPrivilege 2776 msiexec.exe Token: SeSecurityPrivilege 2776 msiexec.exe Token: SeCreateTokenPrivilege 364 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 364 msiexec.exe Token: SeLockMemoryPrivilege 364 msiexec.exe Token: SeIncreaseQuotaPrivilege 364 msiexec.exe Token: SeMachineAccountPrivilege 364 msiexec.exe Token: SeTcbPrivilege 364 msiexec.exe Token: SeSecurityPrivilege 364 msiexec.exe Token: SeTakeOwnershipPrivilege 364 msiexec.exe Token: SeLoadDriverPrivilege 364 msiexec.exe Token: SeSystemProfilePrivilege 364 msiexec.exe Token: SeSystemtimePrivilege 364 msiexec.exe Token: SeProfSingleProcessPrivilege 364 msiexec.exe Token: SeIncBasePriorityPrivilege 364 msiexec.exe Token: SeCreatePagefilePrivilege 364 msiexec.exe Token: SeCreatePermanentPrivilege 364 msiexec.exe Token: SeBackupPrivilege 364 msiexec.exe Token: SeRestorePrivilege 364 msiexec.exe Token: SeShutdownPrivilege 364 msiexec.exe Token: SeDebugPrivilege 364 msiexec.exe Token: SeAuditPrivilege 364 msiexec.exe Token: SeSystemEnvironmentPrivilege 364 msiexec.exe Token: SeChangeNotifyPrivilege 364 msiexec.exe Token: SeRemoteShutdownPrivilege 364 msiexec.exe Token: SeUndockPrivilege 364 msiexec.exe Token: SeSyncAgentPrivilege 364 msiexec.exe Token: SeEnableDelegationPrivilege 364 msiexec.exe Token: SeManageVolumePrivilege 364 msiexec.exe Token: SeImpersonatePrivilege 364 msiexec.exe Token: SeCreateGlobalPrivilege 364 msiexec.exe Token: 33 1716 EhTray.exe Token: SeIncBasePriorityPrivilege 1716 EhTray.exe Token: SeBackupPrivilege 2272 vssvc.exe Token: SeRestorePrivilege 2272 vssvc.exe Token: SeAuditPrivilege 2272 vssvc.exe Token: SeBackupPrivilege 2776 msiexec.exe Token: SeRestorePrivilege 2776 msiexec.exe Token: SeBackupPrivilege 2608 wbengine.exe Token: SeRestorePrivilege 2608 wbengine.exe Token: SeSecurityPrivilege 2608 wbengine.exe Token: SeManageVolumePrivilege 1092 SearchIndexer.exe Token: 33 1092 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1092 SearchIndexer.exe Token: 33 2116 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2116 wmpnetwk.exe Token: SeShutdownPrivilege 1364 mscorsvw.exe Token: SeShutdownPrivilege 2724 mscorsvw.exe Token: SeDebugPrivilege 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 364 msiexec.exe 1716 EhTray.exe 1716 EhTray.exe 364 msiexec.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1716 EhTray.exe 1716 EhTray.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process 1888 SearchProtocolHost.exe 1888 SearchProtocolHost.exe 1888 SearchProtocolHost.exe 1888 SearchProtocolHost.exe 1888 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe 2720 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 2896 wrote to memory of 1620 2896 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 40 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1620 wrote to memory of 364 1620 VCREDI~1.EXE 42 PID 1364 wrote to memory of 2540 1364 mscorsvw.exe 48 PID 1364 wrote to memory of 2540 1364 mscorsvw.exe 48 PID 1364 wrote to memory of 2540 1364 mscorsvw.exe 48 PID 1364 wrote to memory of 2540 1364 mscorsvw.exe 48 PID 1364 wrote to memory of 1652 1364 mscorsvw.exe 57 PID 1364 wrote to memory of 1652 1364 mscorsvw.exe 57 PID 1364 wrote to memory of 1652 1364 mscorsvw.exe 57 PID 1364 wrote to memory of 1652 1364 mscorsvw.exe 57 PID 1364 wrote to memory of 1436 1364 mscorsvw.exe 59 PID 1364 wrote to memory of 1436 1364 mscorsvw.exe 59 PID 1364 wrote to memory of 1436 1364 mscorsvw.exe 59 PID 1364 wrote to memory of 1436 1364 mscorsvw.exe 59 PID 1364 wrote to memory of 2448 1364 mscorsvw.exe 63 PID 1364 wrote to memory of 2448 1364 mscorsvw.exe 63 PID 1364 wrote to memory of 2448 1364 mscorsvw.exe 63 PID 1364 wrote to memory of 2448 1364 mscorsvw.exe 63 PID 1364 wrote to memory of 2440 1364 mscorsvw.exe 64 PID 1364 wrote to memory of 2440 1364 mscorsvw.exe 64 PID 1364 wrote to memory of 2440 1364 mscorsvw.exe 64 PID 1364 wrote to memory of 2440 1364 mscorsvw.exe 64 PID 1364 wrote to memory of 1600 1364 mscorsvw.exe 65 PID 1364 wrote to memory of 1600 1364 mscorsvw.exe 65 PID 1364 wrote to memory of 1600 1364 mscorsvw.exe 65 PID 1364 wrote to memory of 1600 1364 mscorsvw.exe 65 PID 1364 wrote to memory of 1068 1364 mscorsvw.exe 66 PID 1364 wrote to memory of 1068 1364 mscorsvw.exe 66 PID 1364 wrote to memory of 1068 1364 mscorsvw.exe 66 PID 1364 wrote to memory of 1068 1364 mscorsvw.exe 66 PID 1364 wrote to memory of 1728 1364 mscorsvw.exe 67 PID 1364 wrote to memory of 1728 1364 mscorsvw.exe 67 PID 1364 wrote to memory of 1728 1364 mscorsvw.exe 67 PID 1364 wrote to memory of 1728 1364 mscorsvw.exe 67 PID 1364 wrote to memory of 1664 1364 mscorsvw.exe 68 PID 1364 wrote to memory of 1664 1364 mscorsvw.exe 68 PID 1364 wrote to memory of 1664 1364 mscorsvw.exe 68 PID 1364 wrote to memory of 1664 1364 mscorsvw.exe 68 PID 1364 wrote to memory of 1672 1364 mscorsvw.exe 74 PID 1364 wrote to memory of 1672 1364 mscorsvw.exe 74 PID 1364 wrote to memory of 1672 1364 mscorsvw.exe 74 PID 1364 wrote to memory of 1672 1364 mscorsvw.exe 74 PID 1364 wrote to memory of 2236 1364 mscorsvw.exe 77 PID 1364 wrote to memory of 2236 1364 mscorsvw.exe 77 PID 1364 wrote to memory of 2236 1364 mscorsvw.exe 77 PID 1364 wrote to memory of 2236 1364 mscorsvw.exe 77 PID 1364 wrote to memory of 2044 1364 mscorsvw.exe 71 PID 1364 wrote to memory of 2044 1364 mscorsvw.exe 71 PID 1364 wrote to memory of 2044 1364 mscorsvw.exe 71 PID 1364 wrote to memory of 2044 1364 mscorsvw.exe 71 PID 1364 wrote to memory of 2632 1364 mscorsvw.exe 72 PID 1364 wrote to memory of 2632 1364 mscorsvw.exe 72 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:364
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3020
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2964
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2628
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2876
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 258 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 1d4 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a4 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1516
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a4 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a4 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ec -NGENProcess 1f8 -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 1f8 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 280 -Pipe 218 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 21c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 23c -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d0 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 21c -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d0 -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1e8 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"2⤵PID:368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 28c -Pipe 1f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 1e8 -Pipe 2a4 -Comment "NGen Worker Process"2⤵PID:2432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 270 -NGENProcess 268 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 1e8 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:2352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1e8 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"2⤵PID:368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1e8 -NGENProcess 28c -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 28c -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"2⤵PID:1760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 2b4 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2bc -NGENProcess 2c4 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:2108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 248 -NGENProcess 2b4 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2b4 -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"2⤵PID:1068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 21c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 248 -NGENProcess 2d4 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:2804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:2076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 248 -NGENProcess 2c8 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:2244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2e4 -NGENProcess 2c4 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:2312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ec -NGENProcess 2c8 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 248 -Comment "NGen Worker Process"2⤵PID:2228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:1784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 1e8 -Comment "NGen Worker Process"2⤵PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2c8 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2c8 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:2256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 304 -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f0 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:2448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f0 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 308 -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"2⤵PID:892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:1436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f0 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:1460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 32c -Pipe 338 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f0 -Pipe 334 -Comment "NGen Worker Process"2⤵PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 32c -Pipe 308 -Comment "NGen Worker Process"2⤵PID:832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f0 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 32c -Pipe 344 -Comment "NGen Worker Process"2⤵PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f0 -Pipe 34c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 32c -Pipe 344 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 304 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f0 -Pipe 358 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 2f0 -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 2f0 -NGENProcess 36c -Pipe 304 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 360 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:3008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 380 -NGENProcess 32c -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"2⤵PID:1452
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess 380 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 368 -NGENProcess 36c -Pipe 378 -Comment "NGen Worker Process"2⤵PID:2136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 390 -NGENProcess 360 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 388 -NGENProcess 380 -Pipe 398 -Comment "NGen Worker Process"2⤵PID:1180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 380 -NGENProcess 368 -Pipe 394 -Comment "NGen Worker Process"2⤵PID:832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 39c -NGENProcess 360 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:1360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 388 -NGENProcess 3a4 -Pipe 380 -Comment "NGen Worker Process"2⤵PID:1744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess 360 -Pipe 390 -Comment "NGen Worker Process"2⤵PID:1456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 360 -NGENProcess 3a0 -Pipe 39c -Comment "NGen Worker Process"2⤵PID:2420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3ac -NGENProcess 3a4 -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:3040
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1604
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2196
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:1904
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2464
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1716
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2812
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1888
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1988
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2828
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1940
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A7D99F515E5951A338F43CDF17A0AA292⤵
- Loads dropped DLL
PID:2648
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1188
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2584
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1504
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2992
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1480
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1144
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1100
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1888
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1484
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000005CC"1⤵
- Modifies data under HKEY_USERS
PID:632
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1116
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD5c8fbe84893746faf158f0456b5daa232
SHA15d1621bc458569b8900cbedae0f1feb6691104d6
SHA256822d26f66c467e10101f93e9906fae88ee04f851eef1cb4216d6cf9784d9b543
SHA5123f3a088a228c8293e3ff1e9219fe5654c36413c41a89e10034131f6804acab0c06b7dfd3a282c614a1cdcced203038584756cf04967cc4486dcd6efc7b5a1631
-
Filesize
30.1MB
MD5aa0164f092bf4a6bdb8184ae36b0f1bf
SHA1aa614d84b36eee5b28dcb6ac6ee3837281153b00
SHA2561a44fa3c86b9e2d0d872edc972d83c8ab9ecc3229f4a559b3baecf1392a1f5f0
SHA51216e23025c1ff4a427deb9c365113a3b0d67404692f195b2cad4aeda4527f357352503c3ba504233f912d8b7134b86de9439c0a3bd592ff68fc6d880de2d61ddc
-
Filesize
781KB
MD5f2e45fe326d92d7171f49476fd21779b
SHA1bb07da62c1c34324ea86c3ffd56721063f4128dd
SHA256a9f82c573f3537d701cbb123fe0b59858f3debbfa9488646232c4f935669da74
SHA51231a6c22c2e10b25f62a02f50f6551e298e9245c8e9d66cf895639608fe57c35b368b366edac6bf5b68624a61a90c3abda279f2647ffccec2c1bddc53585598db
-
Filesize
5.2MB
MD52649eadb53865c371bb7c86ad4adf13e
SHA19259e60793a7d5f851c2515cd48d0b8fb2895a8e
SHA256f276e0f2c3509f4b085e892068c43dfffcaebb252dc6d5652d9f3a33827e05d0
SHA512b6ca632ed217387531681b7719a9f46896ed9675291d1745d0b4e59ca85aeead50a8ea3189a151616c64a145b71e5e1ccc62736374c0299cd46fc91548662cc2
-
Filesize
2.1MB
MD5e760a6ee77a989d5e736cdadc7a2f97f
SHA1e94f4b1c6e7b9f7ad47900b99a6dddbc69091359
SHA2567aac83f068db5cf63e509c440f9e5971c34b74d84fa3573bcb73a259925ad4bd
SHA5124caf6fd2bf9882525936445bfa23ada219f817bc8aabe3b4128411e7b56031b0ccad932406a8c3cadc1117846892346b2f85ac06e6cd37a972841211cfaf29f6
-
Filesize
2.0MB
MD5a2c0d1389ab598361a0fee2b46df2b9d
SHA193251b701a330a72336a9381dacb6b90f5401070
SHA2562e236f024d1e9c568b6d4e9441a2a426979e9f996fba4c9ef38a9dfd22b8e86f
SHA51289b3a9f97f85088ddf2e0c08e5e7cd1e17493058503f2264bd93b0670b19f4df4177486bca6abc0ddbf15652a7da18e8eaa1401b954f4d9343de3367eacc222d
-
Filesize
1024KB
MD5e4e8bd22f7cb41cb482ed6d096f5454a
SHA1fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA2564e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000
Filesize240B
MD57ca2da6f1e7bca562d7d9376700a912f
SHA167feaa004013eee76282e3b3fc196279f2577dcb
SHA25604fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e
SHA5124f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
2.4MB
MD5b31b234cb0f534069ba32aaaeacd7b2d
SHA1d6f90459f8bdbf7e75cc85affe9b137dc5e304e2
SHA256b5a652a1025f194f59e1349a1f26709d7ff7760067439b2d52d988a55d9340f0
SHA512138cb14f6018d3bddd78012c5b36a591fe70d1b2b7f9d3774230639302401be57e1a4d6098c66a83c47e67138ac6dbe79f64548e4c317bb804a4e9a3ffdf94ea
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
648KB
MD58c23503c1f5bf536987b16727a85d4d3
SHA1fff64d2f2626eaaf116a5115f3560dafd10f2953
SHA2562b1ca4527f893acdb17db607b568034f80418d4fb3fa65f791031ed08f16370e
SHA5126bbb51217a5c35f542b1f77514c5117e39acf04f131fd3ccd6fb4ff1cceea66ce693aa2a389747505228f1e69cf6cf65cbd4da3b5d18054a02454508c9e5d2b7
-
Filesize
872KB
MD5390c30eefb54d3d4ad62ce550930ff5d
SHA1b526a039477ef2467249c476e28007b4e654a8f6
SHA2562692f04be6608cc25d9484830ad0e4f53b512f0e29fd0fae15809af5a26ae983
SHA5125157076858c5777f3838bed5680ff820fe916fe6510e08c4296440903c489d5af6cf893cb17c2f7b5d8491bf9b0291192dab41002fb29552fe7d7dd4b0a655df
-
Filesize
678KB
MD51ca4cd469ca11d31a8af6b112aa48cb1
SHA1e6435558f1cb54b3abf0668d251e8ff1e8307d2a
SHA2562351c980ac96a4c9127fbd40f0b9bc5dfa8136cff4da70672f2daf696a86a0a2
SHA512b2e905f05519bfc8a8c1ea498d38da8da1553f5ddcf16caa685e4ad42303aabb10380a214e740af3bfe8f1ce2c964d0c05ef81237f261810d83a36ec50da97fb
-
Filesize
625KB
MD556999d5b8f89765f1c8ea20c05cbd8fc
SHA144b85b808925fa5e3ef058e33a4d9051da0300f7
SHA256d2b0c210ffcef216e9aba88b6141842d96fbb752afcf404ddccca9eca3c5581b
SHA512d4380922b5c83e222e6b2e095eeebe2616aa814ad5e5c2635a6bb2d7f6421d48fc17b42ce478123492a3ac089a9cae5964ca4799919071f09216a966775c8864
-
Filesize
1003KB
MD5dda5c50711b5046e6dc904569bbd3def
SHA1dafee16eebb8c6a8a5a63ec9961fdd86259714ed
SHA256039297cad2c3130cf3675e5419820dc3a3cb1707dd1d0115ccb608033871bf89
SHA5126822398892b868bd0c8a9db57404bc849450d663c754245320fde52237c651748f2667644f312eb789c5bdf93f91e3b3a31954413e6e42b4edce726ae81292c2
-
Filesize
656KB
MD5133e822bd4112a5e530c9d10240acdb3
SHA114279d00dc4e4a4d7cfa94d6fee55c55f53f51d3
SHA256a26c64a6262912f883133eea933bfdc3b2f4979199928f64b7976e5b30a1d25f
SHA512db69ff04cc1d9499e0b53ce1f599aed509bfe37c08cc13c7dd9015249ada6d48625fb7da4559947130610d7b1051b6e3c7e61ab1dd5ca42443da13cfe5769dad
-
Filesize
8KB
MD5b08770566f1282780b1a4bfcc16a07e4
SHA1db73cee6a48566c999d8f007bbeb622001846cf5
SHA256f7783e7d1a5821308e1ac9531af1dfa3d1b72e6e29e5e1487f2fbe6e099fd9d5
SHA512fbd13c3135b39bb87e4b697dd6f6c36c96caf281674739d482cda4c7504bafd7d7ea0f814834e784c601105cc33a29fba3e2af28c88797a65696065ca434f289
-
Filesize
587KB
MD5a79c04cfa1858239db9e7aa7a33f457b
SHA161f945075f6bce105aa7242d8813daf69951cf59
SHA256cfa1cbb7ab820df981721744b96f7813db0c31324b0357a0d66ed9b21cb4241e
SHA512f9605b4b8f2760d54d0774fda8d24b2d9623cb5fe24a461f3193a223e013966cc7f9f4bd356a2c28c8ff38d5cabe07bc70ed5209f94136c084d53e603549d2e0
-
Filesize
577KB
MD5718941415a24b2077071cbc770c5f32c
SHA14361370cee133bf86b60ef930ac5803f005ecb63
SHA256a854597416184cc4f92fb3559389ae67cc9d1a91544c578bd729e6f0bc08de48
SHA512d9ac81ee89b636137844174714b4609866239c3975da4d91c0a1063fe6238fca51a86dd54e14bbb026a57443d9ba164919be9e5500d8a024e4ba16b46cbae70f
-
Filesize
1.1MB
MD57a80e9f1166bb3ff333de1d1078e3418
SHA1f402715bae1c9b47d87efd4db68f9e753adbf725
SHA2568d2b434ecadd6009f559c79e4175fcf6255ad6f4af53528bfaa446c6227b12d5
SHA512c84d9cd3ff4bcae078aa30ecbb07f3112487eb19059a7c48f2daf6dee6135c5d1b4c44ed6db9eb149dd8a77f095ffcbb8d28902352a42af93145a68e1f3b9351
-
Filesize
644KB
MD583c19886dee2668a8282efc832c76f68
SHA1452ce7231390d5ba7f7123582bb0a9e7af66966d
SHA2569434be0d97fe23e52e3f1bcea8bfbc2697e51649a770196aa63b2744b4cae228
SHA51253ebf8b96afed976d76215a6f1f037bea6273dcabed564c49b00a43c3e0f247fc42b4fe2a99bd09854fe04ac7fe63c854c0d39959d48ff76d8baacbf99ba6621
-
Filesize
674KB
MD5914571d3e2d45d650acfebd6cb88e144
SHA12086b94b9393ab1aadb9b606a0d7cee01aa17974
SHA256234c946ee2d995c324a5a3d51527b8024bef789c7793e3e6b0b821f6d787aee4
SHA5122e240bf7cf0d12850f42234f7fe8090ea6b07491c0b7fc9477bce51fbb7494b71802b98fe8ec766c214fd20fc2bac5142935ff5049992269372bffdc12c09026
-
Filesize
705KB
MD55e84ec79add552fa2e7ad721da3233d4
SHA144ff538e678d1c98c4d0aef99304cd1c34a0e25e
SHA256dacb5cf085cebd64216ff8b282a5d4c2bdc63e3f65a9c6a90a2f1e952f72311a
SHA5125eb75368fcee891df6fd279cac5fa3741916d10b001b90f25c266d6e656baf14c744241a2e0ac684e12f4ef81762b2b01d868dc21e781d79e35c4df46fcfe17f
-
Filesize
581KB
MD5a25468dd275aee6bd7df9a11c696ab73
SHA1a32d2421600fff16ae05f90b3406e0f8c9b1156d
SHA256caf0e7cb63bb2d48121799280dd5ea1728f2842f7b2c28bf0d556657aae49f0f
SHA51201b0038f232a4bf22e6036047b9cb1f54a9bf272633fa11441127671efd15bf7329a5dd135c315ecc0869c3e67b4152f1eb2e68a23645710aa0b2ad9e2efeb27
-
Filesize
1.1MB
MD5d11c4aeadb7f0ca660c222c211a2ed96
SHA1d2000dd5b4835cc851d40b70a36d5dbd0dee0777
SHA256b7310ec5f2de530c0040cf8a1a3825f671dbc76857875585c0973164efba8458
SHA512ffb44bbe5ab6ae75dda5ae309795c4749adfa92fce4a226f749d66c26ccac86fa365c6c79610e1ed7fd26f84aaf5570fa5957dc7c99e289a6fc9164c30a6c782
-
Filesize
765KB
MD59315d7b7dc6bd5199567aa8f20f298d2
SHA1488831a5c5463a6294e00d33713c86cb7f13f827
SHA25640935ab9c17ffc170d6e5d1e7386cab9ad91bddefb22e9ffade64ee4f07b46e1
SHA5121f22dddadd66955c061fc4aeb7e7f76f5dd02680b2f606022f4c5d814b41800f5140c8d3cc435ffd58be7414e8abffc9c2a49fb62f14892eefb5a2b50d87117b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
MD5e88828b5a35063aa16c68ffb8322215d
SHA18225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA25699facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3fa0964a6ba0f71e94cf88e40d1615ad\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD5f5b243c43353cd71a00cb61c15195a83
SHA1393c363a225ba1ddce2b402288e3c82516172f1c
SHA256841701a8143d5d64df1751db6326dd0103f235e96beddf62fdca109d91b3543b
SHA512d610c3e5e27270212302b9ae069d22de5d61ca30f8513bafaa349477c90f3c4f95e6e7f4ae8cae216f6464216217a89f71dbbd9afc2ad96f2c0f2ed75aef4c3f
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5a7f0fdb48596845442b3e623bcb15c5\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD572db13d0363f0e05fa73061a20e7ff0e
SHA1ed0a18ae290033087f83d9c867b715fdeab06cac
SHA25626ea035f62f5f210767aad14e86ee65cf556d53701df588ae52a822a37c10dd7
SHA5126e329313d5589ed18c73ccdc4250c8ce2be18429424618ff455ee0ab0555b7b8c82ea08667cf2ea4a09141e49b5499a61b9424ff049ef2a63a1381876ccbfb9e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8ceea77339e42ecbc8f61d0c6da06c14\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD5bad63b56a9555d5e56e3c0db4011e9a7
SHA1f3259e2da132bb57bb18632db8077769ddd25ba3
SHA256aedc68863516268899bfc151388b431daab6a7af306bfacd15d5a38963378e76
SHA5128f5659156a310929391611710a5562bcdbd5159cce7503c60021d1a2d286ce7772ebc9570a3aefa6e039bf08061a771f9c7a69f4e593a65c320367fd04c29642
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5f786ebe6116b55d4dc62a63dfede2ca6
SHA1ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA2569805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA51280832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
691KB
MD58d03042c51c0040aca87929850524753
SHA1ca476bc3ff77e4e9ef111880ab36b05dd376bc5a
SHA256a40b60140716eeeb272efd51c09268c53c6f9e0ff6d4bd99ec1ce31b57fc01a5
SHA512b83ef04ba8582643bab1f5975871b4ff0209d902fd59fdc0e7f6dcb9b8502be24baf365f8043ff46d21e59a89ff4f2c66c740ba0dddbce9cfd8911dec1a49621
-
Filesize
691KB
MD5477b2e13495e129f2ee0a994940b6d52
SHA112a5713eed2c02169cf82720db3320833cc0d979
SHA2565725f7e1b2b7df58efb2ec21f7b89d6ab95ad6c0e7d8785091019eed31372a3d
SHA512b8892d5b116716b82e0fffa15db3dc593975d1ab72d39e5384a8cade8b1e656f900ac642e6a0eea8bc5fb0470e42f55c620b56103aee535b4767790557c5719e
-
Filesize
2.5MB
MD5f031c0d2b460209b47b91c46a3d202fe
SHA195040f80b0d203e1abaec4e06e0ec0e01c507d03
SHA256492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b
SHA51218840649d19c5310d274bac69010514872a554bb5ecadb4af5fa3667ad1a6bf9d644b31393edbc1b60ace6eff907c79c078f8213948cf90fa4d1529c68ccc629
-
Filesize
603KB
MD5eccf7e7fb5720319c48145af9a6e6444
SHA11b92cc35273e2730a24ea43c9ff7ceeffd29ad1d
SHA25610e00e987f491afabcc0289e8da8f96bba184c338e9ea1d0f9febdd54442509c
SHA5123184d1a7be5006fdbb77d400f9e0a72082f1f567fdd05dc6db7718f1c4b56c8d67bc4b9378475cc986fec1a937ee3927f74446f41f87bfec36ea94b46445ffce
-
Filesize
2.0MB
MD5e1a42244469b2bf2b35c82e178a84312
SHA17ed9c8a602fd68967017fdbf38fa2ce89c91564e
SHA256ca4bee418da03ce60c1c987d92ec83da981ff602ffc41331bd51f23092fea27a
SHA512a1f4bdf3ba59286d0d5ec16e10779967c2522ce86a6c46f5b466515e728ff16e524c30536a6e6871adbb5253e20fe5ff4549ca5415c821b1d693b219601532a1
-
Filesize
1.2MB
MD5dcdc63b978f1ce499ddddc38c4cf2371
SHA17804318e2ac03f309e5dcebb5c10e796b81581fd
SHA25620e0042a12a874324bde0f790bf39667eb1332ef2bdfb8c9c79afefb79045681
SHA512f27500ec06191d7949fa66df230971bc5961c97ce813496e64ff0f456b959026524acf6ba6078a4dd29780f2dd702cc6e542c80761cf75901de330d233530d76