3579abda819f2781617f895a1a84aff45d9fc673c38e5b5fd5ef01137f526f61

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Size

4.6MB
MD5

bec406850664cc16ea97480273819a00
SHA1

2f8f4253647e890df67a20c318b61ce7acdcd4b3
SHA256

3579abda819f2781617f895a1a84aff45d9fc673c38e5b5fd5ef01137f526f61
SHA512

1b379172b58c77272255069b48a2e0c2bb582ff6174d313f1104ec9878b1418d351ec2532a1a51d55eebd205823fe14e8d80a111f237bbefe279dfd67432613a
SSDEEP

98304:F4+PG8W44ij9RvbGOZUR241QZgC51B+PRP0/iyB:dPG8W4HhbVURp11CjgJs

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeVCREDI~2.EXEGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exemscorsvw.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
1720	alg.exe
2904	aspnet_state.exe
2536	mscorsvw.exe
2396	mscorsvw.exe
1256	mscorsvw.exe
936	mscorsvw.exe
800	ehRecvr.exe
1784	ehsched.exe
2124	elevation_service.exe
2336	IEEtwCollector.exe
1020	VCREDI~2.EXE
1684	GROOVE.EXE
1632	maintenanceservice.exe
2496	msdtc.exe
2392	msiexec.exe
2800	mscorsvw.exe
920	OSE.EXE
1084	OSPPSVC.EXE
528	perfhost.exe
2160	locator.exe
2184	snmptrap.exe
880	vds.exe
2256	vssvc.exe
2524	wbengine.exe
884	WmiApSrv.exe
2664	wmpnetwk.exe
392	SearchIndexer.exe
2376	mscorsvw.exe
1752	mscorsvw.exe
2232	mscorsvw.exe
2520	mscorsvw.exe
1568	mscorsvw.exe
1972	mscorsvw.exe
2556	mscorsvw.exe
1664	mscorsvw.exe
856	mscorsvw.exe
692	mscorsvw.exe
2348	mscorsvw.exe
2812	mscorsvw.exe
2108	mscorsvw.exe
1068	mscorsvw.exe
1396	mscorsvw.exe
2404	mscorsvw.exe
2156	mscorsvw.exe
2424	mscorsvw.exe
2516	mscorsvw.exe
2816	mscorsvw.exe
872	mscorsvw.exe
2360	mscorsvw.exe
1620	mscorsvw.exe
1140	mscorsvw.exe
2968	dllhost.exe
1644	mscorsvw.exe
840	mscorsvw.exe
2804	mscorsvw.exe
980	mscorsvw.exe
2816	mscorsvw.exe
2492	mscorsvw.exe
1628	mscorsvw.exe
2700	mscorsvw.exe
2420	mscorsvw.exe
2800	mscorsvw.exe
2676	mscorsvw.exe

Loads dropped DLL 56 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exeVCREDI~2.EXEmsiexec.exeMsiExec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1020	VCREDI~2.EXE
1020	VCREDI~2.EXE
1020	VCREDI~2.EXE
468
468
2392	msiexec.exe
468
468
468
468
468
756
1628	MsiExec.exe
468
2816	mscorsvw.exe
2816	mscorsvw.exe
1628	mscorsvw.exe
1628	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
1736	mscorsvw.exe
1736	mscorsvw.exe
2152	mscorsvw.exe
2152	mscorsvw.exe
980	mscorsvw.exe
980	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
1772	mscorsvw.exe
1772	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
840	mscorsvw.exe
840	mscorsvw.exe
692	mscorsvw.exe
692	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
840	mscorsvw.exe
840	mscorsvw.exe
2216	mscorsvw.exe
2216	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VCREDI~2.EXEbec406850664cc16ea97480273819a00_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

40 1508 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
40	1508	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in System32 directory 23 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exealg.exeGROOVE.EXESearchProtocolHost.exeaspnet_state.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\65e43a02ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exebec406850664cc16ea97480273819a00_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemsiexec.exealg.exemscorsvw.exemscorsvw.exebec406850664cc16ea97480273819a00_NeikiAnalytics.exemscorsvw.exemscorsvw.exemscorsvw.exeDrvInst.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Installer\f777723.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164129116.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\MSI8681.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128336.0\mfc80.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D79.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164128773.0	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F1F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128056.0\msvcm80.dll	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C98.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6FF2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164129085.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128773.0\mfc80CHT.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\f777726.ipi	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128773.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Installer\f777723.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128773.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128336.0\mfc80u.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9176.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128056.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.cat	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Installer\f777726.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128773.0\mfc80CHS.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164129023.0	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164129179.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164128773.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164129116.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exeSearchFilterHost.exemscorsvw.exeSearchProtocolHost.exemsiexec.exeehRec.exeOSPPSVC.EXEmscorsvw.exeDrvInst.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002073603df9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe

Modifies registry class 56 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Version = "134268455"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\PackageCode = "824BFCC8DA7C83E44A851335763B00A1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\VC_Redist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

ehRec.exebec406850664cc16ea97480273819a00_NeikiAnalytics.exemsiexec.exeaspnet_state.exe

pid	process
2040	ehRec.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
2392	msiexec.exe
2392	msiexec.exe
2904	aspnet_state.exe
2904	aspnet_state.exe
2904	aspnet_state.exe
2904	aspnet_state.exe
2904	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1256	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeDebugPrivilege	2040	ehRec.exe
Token: SeShutdownPrivilege	1256	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1256	mscorsvw.exe
Token: SeShutdownPrivilege	1256	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	2256	vssvc.exe
Token: SeRestorePrivilege	2256	vssvc.exe
Token: SeAuditPrivilege	2256	vssvc.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeBackupPrivilege	2524	wbengine.exe
Token: SeRestorePrivilege	2524	wbengine.exe
Token: SeSecurityPrivilege	2524	wbengine.exe
Token: SeBackupPrivilege	2392	msiexec.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeManageVolumePrivilege	392	SearchIndexer.exe
Token: 33	392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	392	SearchIndexer.exe
Token: 33	2664	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2664	wmpnetwk.exe
Token: SeShutdownPrivilege	1256	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeDebugPrivilege	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeEhTray.exe

pid process

1508 msiexec.exe
2168 EhTray.exe
2168 EhTray.exe
1508 msiexec.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2168 EhTray.exe
2168 EhTray.exe

pid	process
1508	msiexec.exe
2168	EhTray.exe
2168	EhTray.exe
1508	msiexec.exe

pid	process
2168	EhTray.exe
2168	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe
2720	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exeVCREDI~2.EXEmscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1100 wrote to memory of 1020	1100	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1020 wrote to memory of 1508	1020	VCREDI~2.EXE	msiexec.exe
PID 1256 wrote to memory of 2800	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2800	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2800	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2800	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2376	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2376	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2376	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2376	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1752	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1752	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1752	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1752	1256	mscorsvw.exe	mscorsvw.exe
PID 392 wrote to memory of 888	392	SearchIndexer.exe	SearchProtocolHost.exe
PID 392 wrote to memory of 888	392	SearchIndexer.exe	SearchProtocolHost.exe
PID 392 wrote to memory of 888	392	SearchIndexer.exe	SearchProtocolHost.exe
PID 392 wrote to memory of 2600	392	SearchIndexer.exe	SearchFilterHost.exe
PID 392 wrote to memory of 2600	392	SearchIndexer.exe	SearchFilterHost.exe
PID 392 wrote to memory of 2600	392	SearchIndexer.exe	SearchFilterHost.exe
PID 1256 wrote to memory of 2232	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2232	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2232	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2232	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2520	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2520	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2520	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2520	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1568	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1568	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1568	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1568	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1972	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1972	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1972	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1972	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2556	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2556	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2556	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 2556	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1664	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1664	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1664	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 1664	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 856	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 856	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 856	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 856	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 692	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 692	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 692	1256	mscorsvw.exe	mscorsvw.exe
PID 1256 wrote to memory of 692	1256	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bec406850664cc16ea97480273819a00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1e0 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e8 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e8 -NGENProcess 1f0 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 270 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 268 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 218 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 1d4 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c4 -NGENProcess 254 -Pipe 21c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 254 -Pipe 218 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1f0 -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 248 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f0 -NGENProcess 23c -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 28c -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
2⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 23c -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 23c -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
2⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b8 -NGENProcess 2a8 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 248 -NGENProcess 270 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c0 -NGENProcess 270 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 270 -NGENProcess 2cc -Pipe 248 -Comment "NGen Worker Process"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c0 -NGENProcess 2a0 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 270 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a0 -NGENProcess 2e0 -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f0 -NGENProcess 270 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 270 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 300 -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f0 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 314 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 308 -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 320 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 328 -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 318 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 308 -NGENProcess 338 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 340 -NGENProcess 330 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 338 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 338 -NGENProcess 308 -Pipe 350 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 334 -NGENProcess 34c -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 344 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 34c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 308 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 344 -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 370 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 364 -NGENProcess 344 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 344 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 308 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 344 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 344 -NGENProcess 38c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1140

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 718118DB479F6EE927F4DCAD3C5F8503
2⤵
- Loads dropped DLL
PID:1628

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:920

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:884

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:2600

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000005C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2408

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
cee750ae1f88c24b32efa8475d6efb14

SHA1
e5c35b0137f1b1350001c48395190f974991eb8b

SHA256
e8e808e120d4d4b7dcfa26d47d43e810832113b4e3ab243233c832b75eb0669b

SHA512
d1ea3f5f34bcf6b231a98b2cf6477718a76d499068c3ae1625bd652b32b241e1e6903b166f850487f3c72f5532916a9186fda8fa54d83d59a7cc3e291a26f25e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
cda00c42dd89cb89f9172a92fc1584fd

SHA1
8b2aa7e016ae3b7f8fd6105f069da14d295257cf

SHA256
a27310f83bdc102d7e192ed210a357c62ec642450068d828ea0bd7c218dc2921

SHA512
293eb2b5a280f1f7fa88289904141c6280f974d730e442417b36f65ec8f140a59f0df65236bd755f6de10ca443df67246409f6f3c9c1cf670465350110d431e1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
374dab3adb54c3f4c7f07fb3860725b2

SHA1
1391135fdcecdff9deb67c16b483025c889e8300

SHA256
a0a02a694192b38bfc0d24e390547652fc327eb64fcac08c111b4369d7e2914a

SHA512
b9f8f3ff4b9d1133b74056765ee5bacaf2b81de3e8b63e3d48cdd3f18759540b7b3709ca0ae0cd51cb4f42bcaf97fab8c378c82d611f37a326b5e3845dd2d08c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
bb206e123a6a276e83ed81b0c41f6aaf

SHA1
a0e262dcc24e85663e6af87ccb6858802edfc255

SHA256
342edacaa8e9d4a0efd8884c16cf30da77fe257c8ccf92c0cf5d74ac0628942b

SHA512
cbc1b9d8f3de1ff51caeaebd8e8f029b70f3cb35513f3c6d308e20e4b9035621dd9c1bced8d6a8102964548bc0942dcb24e2d0e9cc6cc5d00d7fad54cd540baf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
41eef8cbadccfba9a34d8f5c8a206cae

SHA1
e05c24241e865412d2f7b77638c1264405a81f7f

SHA256
aab7104a073ba6bd7e4e8c18e95928fd0b43fe23fc0c9155931b04df9cf0c307

SHA512
9e2d205b605564b4b188def9094944e951e00bfce1b04f3f5acdcb39864cc7e82a74dc1e0509ac4bd8111aa8405d0a955393a0c035c35818d73c8dbc4c61b819

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
f66f9b78d81132690158b785d3298862

SHA1
03e4cb6a4ae78a9fb5e69f2f96a3628dccf57113

SHA256
48b1f48e0d26d0a46f212538621c38ca391efde7fc80dd6621d19bb17396b11f

SHA512
243bd49d4e304748820b5362a5274476560d560319fd3ddefaf09ae54cee86bc4ff4372e550ffd048d30497cd609181c19cfb58ef0c8fbfc108d04bd4de9c294

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab77AF.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi
Filesize
3.8MB

MD5
fa135204bb6146fca799cf06d30c444c

SHA1
774b9fd7ca76502ae6c732432377d71dfd75a15a

SHA256
cd7eb3fe76c008e2af85cab033f620e04e22af941797083a5fb51e269bb8fcbb

SHA512
b2c20573b92766353db601a31d4409397fd5de3a32f9bde4b3e627b48c5b859d33c93f96ecb0c177eb16768f5dd744394857a078a7302fdf0f0e4f5d2543b73a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
4433a7d7d56dfffcc33ee5c6af0d830e

SHA1
d9a90d4a0d0ecb3c2de6b89b55da0cd0adfe47b6

SHA256
7548279905affc498ac9343daee27f8cdae79900684cc38f7823d891b38f6cf3

SHA512
6c3560dbade60e549dda989adb9eafe31762df7e58939a382e4b9a97f0189f1ae61c0557bc383ce4f76185aaa24b7e53c918a98a735a3ffb97b9f121c0bfa84a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
e21c0065bac0e5b85971617709ff7688

SHA1
1731be199326e524aef6e700767054c5edb200da

SHA256
57756320be6cecfa5b2ce297c15588d3dcf55a6cba83136b1b77ab16626b65b8

SHA512
7777b8926d822e4493be7722570d8678619cd6bbbc923e6a9ef225c8064d233a32f15cd5daef80cefe4bb0372e523d7c0cf92556e248fc585d444a8a669ec138

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
1bea86627b31b9e55f34cf8ce8ba6262

SHA1
54c0fb7f55f92eccaa4a37cbd4c2c02ab45c94d1

SHA256
6f222b3eee16b90dd81d1e5cd672a293cfa3bc98e0d72b8fffbfc9b73fb74356

SHA512
23d392c2d504407660555da99bb48311fdec54cbaf1e42493d63c2eae3f9cc01a9de46f5242e36d48a4e066d0c5c5112814b4c91d5cfe8204d842aaab44a3a4c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
3aa07a6d181aebf1aeb7a8c0ce50824e

SHA1
248b7a18852e55f17a6ec35cc745032f17fdb7d9

SHA256
219c6bbd6869d28490ce09189e0e64006f49fd1f22e18344084771e7647904b4

SHA512
86af2bb6734d9014ca96ead19aae75a6487ba2eed665221f6fcb7c74cf07381992d708998a745186af5e2eedaaad91d0edb5ef417f727a3a120583db18e4a3b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
5734eec406a94aa6cad9d55e09c2e334

SHA1
9e9b7434c1e826ad03f78225ce42a666fb21d610

SHA256
97f66a6028173ffbadc776b81e8070e5a7a58652d5fa00eea2a5d3de12dd4b6e

SHA512
483620374769e8feb6751b00306357c0dd1a636350ead277b56d7de3675ea4e6ecfe215164cd2cb53011c2d89f30f3254cd2b121e59881ad78366fbc179e0638

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
fd0afdd7fcaa111713393fcd3dbf2bd2

SHA1
8a1717e7e7e2244c3bee15884159efd2e933c137

SHA256
ec40382847343582d805485e35bb828dad7e3dcf6b5389af0243f6e06af3ba72

SHA512
582e72e2bebb2803aceebded4158f5a9e71da14121a802d5210f85671a9d8a346df15798bfcfb14dcad1a0d9d46ae6f6debc5a15b90245c65e397dc885c16f23

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
5e71aa269bfd550570b862b1f0685f8a

SHA1
2e7df453386e4e9147c7202500f8809a7a0749e3

SHA256
2e91bdb8cdba8e738baa053f9fcce377dac4a6c2deab59ad20fc54d95a25d35b

SHA512
c7ede18f64faf7cf4408a6facfff1904c28e35ea88d809534587e0371dd596684ae144ba8879c1b23439de852c538cfc215432431d9752c6be8d9d5843c9d816

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
01341ba71cc41050284344f939bbc8db

SHA1
cd7514d264f546239cfccc12847044d275656a66

SHA256
3396e2e77178938c5ec6a3553a3e5ae2a47455d8c8f904d4c83a05e5d36cc3e5

SHA512
570728d1d36013ec6df8c53fa194f41d2cbab36bf1f04cd82344eba0e7763add36c5b046d51011a0f3b5ac483d05cddc6ca90adf4a38a4943f309e76f82423f1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
012edcd9798d00dee436ea91f0fbffa0

SHA1
83a2009d5195eb26eca87795724eb9a346cca829

SHA256
9cc84877a771524e88c13cc3d45b3965ec70e6817ec4cfdbe337c9b4543ccf43

SHA512
352072199b7e33c6c723d17002e60b83479828aeeca22c4993afa76b40650a3d032f1f05d60e879643c0ca2bae2c8cd2a7da64f7c8ed004b8cdf93b5f8925ecb

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
602bccb3863a99fe4a60b7cf5e082670

SHA1
decab26abb8c71abd82e1637bf9dc39b975a2fb1

SHA256
7748a69f628223b5c7ceb60bd5001975080120165e5012e8c6469a01302fb084

SHA512
2341432f5cc3e25067de1a85d8aab7052f966b79ed8918c20d1751ba8ed4b3ea0f6074f36a20c8a37251267393ec7de4dff1e60a48ce8eb713afac91f3045c1b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
705KB

MD5
d865736436d0142930fcca8e426647d6

SHA1
3450ebd832e0f882d12c1a18e281548b472de69c

SHA256
8905e87c33081edf10a6bb0cfb3ea8fd16b917c96c5f070958179e03b4dc55b3

SHA512
f5f968539542ac4d9898c8763c9b15f8cfadd80091d7d578725bdeef80c80c4b4616d829a0d72beb3a6dd39a46a50b0ff592f00b6e928b80e5961aa8bbae3e46

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
c06cf96a18f729ffcafcafff20ec35b6

SHA1
cfa8634ac01878685c21860b06cf3d3ee62b9561

SHA256
67072544b05298b1eb823fceb752698a874b030b390fe7a7fd8de844a6786cae

SHA512
5bdc84c699fe2d021ef139e264079751bddc1207f655dd05d356b6d6cc0c1b53975e3ce6b78b126f31a3380c36010d5bce4cd75e283a37209e3bff14eafdf660

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
bbe03c8a94cde500b2e80bf3047afae8

SHA1
1b56ff71759207a413322d46d1029214654ae8a5

SHA256
fbdabcf413ff5771adec98a7686caf16d69daf9bc9d711e38ec54bc3b82157ed

SHA512
458b2d7464d5b822c39e579cab4ad3612815a3104bb587e5102acfa1887ffdaba2dfc98f751e234ce2643e649cba6595b1a73a7b88be44af0bb8df71a91cad43

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
42afeadfb042802093f3410eacfc1b22

SHA1
57f9b9e028893d9a7bc8abe50869c6f22b0dcf23

SHA256
b460d9639fd28136dd00f8cb231a323fb6568fef80744dfaa521bcb9baa666bc

SHA512
716ffc707c7d7b795050e616c2329b42d8d8e37767c8fde46a2bc05383b0bce79172d82c71c522059df3ced6b86a096a113fdfae63628d3a5d9d829b35f1c6af

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
dc43451d17bc5cabd612f0f72c6fed66

SHA1
8a79783987e01f1189d292c08401cb994f5d9e89

SHA256
182b612cf9c2591cada1bd238c498fdf6036707a1bf95efdfd1eadfe6db4fc8a

SHA512
7fa544935894e158c81a9ebca95fee986e2c68e85e4da7785e1affcdd41ace631b107601880b5acda6fdb3d0665a5dcd866bec7be1d8effb4dafa05fe9a2d09b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7582ab72a95c801b0d18a7791b84e72d\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
9b534962b3ee7d22440b057a546a09f9

SHA1
56a927d5fab48fcdd5f603526aa7478fb4ac92f3

SHA256
1720b106ec599df2e7ee1b74f0d528ca98ffb97ae48fafa5c59601959ed51d40

SHA512
29afdd2e1bb898b8a3ff17b6130f84deeaa08a187a46df0c3ed4773d7823af26908bb81c7ec42d2911082118ee53d0ce16736979051bcb125d80ddc4c3cb2308

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c57fffb73d65a082286bb4fa487a34c6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
8b14ae348c5e150b24d295509727821a

SHA1
d7ac8320e8374b0a8627bc964f248bc519b08637

SHA256
6ab1b53649dfd9044a21929abd0d31f7718f52abe3810fa5e897b7609e7efe0f

SHA512
4279bff0c863d20585d406817f7eb48158e4b8376ff0098de9a4021a2f7bf7ee2c62fa230dc77425a9169857be71a39d36fee1030d2321db0d6776a39f1fdace

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e6cb17365c7c6aa6dc7e423c3716cc8e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
68db807198d050b16a70bec6a4ed2c40

SHA1
d59ecd0e5fbacc2550b7a9bdd3f27ec73f5d2309

SHA256
1681eecd9d4bf67411eb9b4a6245c860fb334e559a2454101f88a0d0fdbc782f

SHA512
5bc8727eb4f5464af713b490fc94da1aa148c5b0668e937a41f4a89ac322d909e107eea2472fb2089f80fec4a6b90e139a14e124b60da3aeef8eedccf7dd24f3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
3dd2291a55f8ab9ab8fdbb648d478a2d

SHA1
f89012492816e468bb06cf67e27cf1a507f7e2d2

SHA256
04992de7b98aba34bfbfac10d8452f424d35fcd0cf01c853c01d32df45896a42

SHA512
2227071789db65704362eaa8a0102b8bb6c1a4e84c6ca0e5fe23b3cc6281a9181ed64991cc4f7055e54e54130c6f6a3c1914f0281237d5a7d92518ca45990223

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
691KB

MD5
58e65b1323e2483d8ef79032e9b10e9e

SHA1
3a8cf8a8a4e583842f0f3fd6ecee7bc052fb3ea4

SHA256
71f8e66f454bb275f62a97c35a305b35c67ab5eb012b97954be6f60a7cfafc84

SHA512
349c4b939ab40f36163387fbfdda5db549ce9b7e4704f83f8ddf544158b628169ed4c9cf67d49230a10532d416112a63251abe612bb05d404cacda846b074d23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
Filesize
4.1MB

MD5
45109081338654c25e42aea404b7d40c

SHA1
7474003f1dffb4439381cb628ded660d28a41bdd

SHA256
00fbdecf2f47d72cdd20a60d685d5d0f56e1f5ec571a7e43eebe1b178285eb76

SHA512
cb89ea354aacf4560ab59ccbf1ae5f9d4913b0b4b6130bdaeb6f8eced7844c416875d0303e0f141165ca1681f6b9728d46a96fa44b3a2eb45616d904658179e2

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
0b8b90a3ec91252a689cb2682d82f658

SHA1
8348ef77f96b5347f9779e8cc3cc67e53d66e851

SHA256
bb57ddabba9ffbdfa26d69bce08b67ecc02ca01e8811b16dd0e9a182ea80c2e0

SHA512
7a2f5220f66089b2708b9de880f272a7ef21937336cbd45056fb3584a682ee681d59ba74c84a2ac995bce64870e29c6f73a4ccd6ca49dcb94caa2ddcd5b8af11

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
a4911522240c60c0e2a14ca061c2f48c

SHA1
bdc4fd95fe885db6942f2c44769460b778187be4

SHA256
e1b4ea357fcaa3ac1f8a97ed9e4c23f0869b07d4159fbf1e24d44c602c91a828

SHA512
3a7ac97ecd786e799ba9deab0c504e5b571a8d8e86d6721f3a05529b4ef6e1d08f7c0151c509abdd82e1f176972cca39affb83a83b144a8918d4a75bfdd818f4

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
a993e3be32c96e2d3f5076ad03ef8262

SHA1
f50f5b570e8f691b376c28d69aac0beea442c744

SHA256
b17b9a4a1c7498b5511b9f351500e84cad99a662712a548edf3b1e4d8ffc33cc

SHA512
7cd0d5c44f684817551881125db93f784ec1653368f21063b01af3932dd6bc5b1973f4ec3066b2be03371cd5224f22edb52bd285fd20c70cf088cb0cd1308a82

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
c26237109271319680c69406171b6dc0

SHA1
33c6a0029d40b30b432b7e581a910a19d347efc6

SHA256
d492f62e53a423048417ada2abc69226f53fb1aaec60300102b8394ece7bc1b2

SHA512
4e180d0e479ea247dc97638adc02fe8d93151e5fb1a51fcdc73d7d335719b6e0ec6a0a6d72bcffc7f0f56918d30f1af51832cde878cd1e0703575ec9be43d91a

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
b1489c7223dd8a32bc64268162b5090f

SHA1
1432f653ccade07b2ab55ca005b459412e84a502

SHA256
8a612a1de7624fdc586e1cddae1b208ffe1f016ae6656d0cdbcaeeadccab9b69

SHA512
ab8d3a5195814460a0fbc8d0fa71091e46ff8457700ee71c1e1d6502739f92c1908897fda59d0c4d83c26f122c90db1e742f373a30f435eccce85ccd5663b0ae

Download Submit
memory/392-731-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/392-423-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/528-321-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/528-460-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/692-737-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/692-761-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/800-117-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/800-111-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/800-119-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/800-304-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/856-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/856-732-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/880-639-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/880-358-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/884-699-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/884-405-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/920-422-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/920-293-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/936-93-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/936-99-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/936-102-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1068-816-0x0000000003C50000-0x0000000003D0A000-memory.dmp

Filesize
744KB

Download
memory/1068-814-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-821-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1084-444-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1084-305-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1100-1-0x00000000008A0000-0x0000000000D46000-memory.dmp

Filesize
4.6MB

Download
memory/1100-76-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1100-2-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download
memory/1100-10-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1100-0-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1100-7-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download
memory/1100-101-0x00000000008A0000-0x0000000000D46000-memory.dmp

Filesize
4.6MB

Download
memory/1256-77-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1256-83-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1256-78-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1256-280-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1396-843-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1396-820-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1568-650-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1632-246-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1632-228-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1664-712-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-735-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1684-216-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1684-356-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1720-123-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1720-15-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1720-21-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1720-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1752-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1752-454-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1784-132-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1784-311-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1972-681-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1972-698-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2108-799-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2108-813-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2124-146-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2124-329-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2156-871-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-332-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2160-608-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2184-357-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2232-621-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2232-637-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2256-368-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2256-648-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2336-151-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2336-874-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2336-344-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2348-758-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-787-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2376-445-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2376-464-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-403-0x0000000000320000-0x00000000003D2000-memory.dmp

Filesize
712KB

Download
memory/2392-282-0x0000000000320000-0x00000000003D2000-memory.dmp

Filesize
712KB

Download
memory/2392-402-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2392-263-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2396-55-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2396-62-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2396-87-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2404-840-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2404-856-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-877-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-868-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2496-235-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2496-382-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2520-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2520-653-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-682-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2524-383-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2536-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2536-41-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2536-45-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2536-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2556-705-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-417-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2664-711-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2800-290-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-421-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2812-798-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2812-783-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2904-150-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2904-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2904-28-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2904-36-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download