Analysis
max time kernel: 147s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 16:40

Static task: static1
Behavioral task: behavioral1
  Sample: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en

General
Target: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Size: 4.6MB
MD5: bec406850664cc16ea97480273819a00
SHA1: 2f8f4253647e890df67a20c318b61ce7acdcd4b3
SHA256: 3579abda819f2781617f895a1a84aff45d9fc673c38e5b5fd5ef01137f526f61
SHA512: 1b379172b58c77272255069b48a2e0c2bb582ff6174d313f1104ec9878b1418d351ec2532a1a51d55eebd205823fe14e8d80a111f237bbefe279dfd67432613a
SSDEEP: 98304:F4+PG8W44ij9RvbGOZUR241QZgC51B+PRP0/iyB:dPG8W4HhbVURp11CjgJs
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Processes: alg.exe, aspnet_state.exe, mscorsvw.exe, ehRecvr.exe, ehsched.exe, elevation_service.exe, IEEtwCollector.exe, VCREDI~2.EXE, GROOVE.EXE, maintenanceservice.exe, msdtc.exe, msiexec.exe, OSE.EXE, OSPPSVC.EXE, perfhost.exe, locator.exe, snmptrap.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, wmpnetwk.exe, SearchIndexer.exe, dllhost.exe
  PID   Process
  468   (no process name recorded)
  1720  alg.exe
  2904  aspnet_state.exe
  2536  mscorsvw.exe
  2396  mscorsvw.exe
  1256  mscorsvw.exe
  936   mscorsvw.exe
  800   ehRecvr.exe
  1784  ehsched.exe
  2124  elevation_service.exe
  2336  IEEtwCollector.exe
  1020  VCREDI~2.EXE
  1684  GROOVE.EXE
  1632  maintenanceservice.exe
  2496  msdtc.exe
  2392  msiexec.exe
  2800  mscorsvw.exe
  920   OSE.EXE
  1084  OSPPSVC.EXE
  528   perfhost.exe
  2160  locator.exe
  2184  snmptrap.exe
  880   vds.exe
  2256  vssvc.exe
  2524  wbengine.exe
  884   WmiApSrv.exe
  2664  wmpnetwk.exe
  392   SearchIndexer.exe
  2376  mscorsvw.exe
  1752  mscorsvw.exe
  2232  mscorsvw.exe
  2520  mscorsvw.exe
  1568  mscorsvw.exe
  1972  mscorsvw.exe
  2556  mscorsvw.exe
  1664  mscorsvw.exe
  856   mscorsvw.exe
  692   mscorsvw.exe
  2348  mscorsvw.exe
  2812  mscorsvw.exe
  2108  mscorsvw.exe
  1068  mscorsvw.exe
  1396  mscorsvw.exe
  2404  mscorsvw.exe
  2156  mscorsvw.exe
  2424  mscorsvw.exe
  2516  mscorsvw.exe
  2816  mscorsvw.exe
  872   mscorsvw.exe
  2360  mscorsvw.exe
  1620  mscorsvw.exe
  1140  mscorsvw.exe
  2968  dllhost.exe
  1644  mscorsvw.exe
  840   mscorsvw.exe
  2804  mscorsvw.exe
  980   mscorsvw.exe
  2816  mscorsvw.exe
  2492  mscorsvw.exe
  1628  mscorsvw.exe
  2700  mscorsvw.exe
  2420  mscorsvw.exe
  2800  mscorsvw.exe
  2676  mscorsvw.exe
Loads dropped DLL (56 IoCs)
Processes: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, VCREDI~2.EXE, msiexec.exe, MsiExec.exe, mscorsvw.exe
  PID   Process (blank where no process name was recorded)
  468
  468
  468
  468
  468
  1100  bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  1020  VCREDI~2.EXE
  1020  VCREDI~2.EXE
  1020  VCREDI~2.EXE
  468
  468
  2392  msiexec.exe
  468
  468
  468
  468
  468
  756
  1628  MsiExec.exe
  468
  2816  mscorsvw.exe
  2816  mscorsvw.exe
  1628  mscorsvw.exe
  1628  mscorsvw.exe
  2420  mscorsvw.exe
  2420  mscorsvw.exe
  2676  mscorsvw.exe
  2676  mscorsvw.exe
  1928  mscorsvw.exe
  1928  mscorsvw.exe
  2688  mscorsvw.exe
  2688  mscorsvw.exe
  1736  mscorsvw.exe
  1736  mscorsvw.exe
  2152  mscorsvw.exe
  2152  mscorsvw.exe
  980   mscorsvw.exe
  980   mscorsvw.exe
  2316  mscorsvw.exe
  2316  mscorsvw.exe
  2812  mscorsvw.exe
  2812  mscorsvw.exe
  1772  mscorsvw.exe
  1772  mscorsvw.exe
  2080  mscorsvw.exe
  2080  mscorsvw.exe
  840   mscorsvw.exe
  840   mscorsvw.exe
  692   mscorsvw.exe
  692   mscorsvw.exe
  2812  mscorsvw.exe
  2812  mscorsvw.exe
  840   mscorsvw.exe
  840   mscorsvw.exe
  2216  mscorsvw.exe
  2216  mscorsvw.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: VCREDI~2.EXE, bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | VCREDI~2.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Blocklisted process makes network request (1 IoC)
Processes: msiexec.exe
  Flow | PID  | Process
  40   | 1508 | msiexec.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
  Description | IoC | Process
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
Drops file in System32 directory (23 IoCs)
Processes: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, alg.exe, GROOVE.EXE, SearchProtocolHost.exe, aspnet_state.exe, msdtc.exe
  Description | IoC | Process
  File opened for modification | C:\Windows\System32\alg.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\65e43a02ae4ef42b.bin | alg.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
  File opened for modification | C:\Windows\System32\snmptrap.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
  File opened for modification | C:\Windows\system32\IEEtwCollector.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\SearchIndexer.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\locator.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\vds.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
  File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
Drops file in Program Files directory (64 IoCs)
Processes: aspnet_state.exe, bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, alg.exe
  Description | IoC | Process
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | aspnet_state.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | alg.exe
Drops file in Windows directory (64 IoCs)
Processes: mscorsvw.exe, msiexec.exe, alg.exe, bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, DrvInst.exe
  Description | IoC | Process
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Installer\f777723.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
  File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164129116.0\8.0.50727.42.policy | msiexec.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\Installer\MSI8681.tmp | msiexec.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128336.0\mfc80.dll | msiexec.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | mscorsvw.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D79.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File opened for modification | C:\Windows\WinSxS\InstallTemp\20240524164128773.0 | msiexec.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
  File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F1F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | mscorsvw.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128056.0\msvcm80.dll | msiexec.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C98.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | mscorsvw.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6FF2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | mscorsvw.exe
  File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164129085.0\8.0.50727.42.policy | msiexec.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128773.0\mfc80CHT.dll | msiexec.exe
  File opened for modification | C:\Windows\Installer\f777726.ipi | msiexec.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
  File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128773.0\mfc80KOR.dll | msiexec.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | mscorsvw.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | mscorsvw.exe
  File created | C:\Windows\Installer\f777723.msi | msiexec.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128773.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.manifest | msiexec.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128336.0\mfc80u.dll | msiexec.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | mscorsvw.exe
  File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9176.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll | mscorsvw.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128056.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.cat | msiexec.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | mscorsvw.exe
  File created | C:\Windows\Installer\f777726.ipi | msiexec.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128773.0\mfc80CHS.dll | msiexec.exe
  File opened for modification | C:\Windows\WinSxS\InstallTemp\20240524164129023.0 | msiexec.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164129179.0\8.0.50727.42.cat | msiexec.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164128773.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.cat | msiexec.exe
  File created | C:\Windows\WinSxS\InstallTemp\20240524164129116.0\8.0.50727.42.cat | msiexec.exe
  File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
Processes: mscorsvw.exe, SearchFilterHost.exe, SearchProtocolHost.exe, msiexec.exe, ehRec.exe, OSPPSVC.EXE, DrvInst.exe, SearchIndexer.exe
  Description | IoC | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | mscorsvw.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10055 = "FreeCell" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | mscorsvw.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king." | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | mscorsvw.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [data value not captured in this copy of the report] | OSPPSVC.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | mscorsvw.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters." | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10060 = "Solitaire" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | mscorsvw.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002073603df9adda01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | mscorsvw.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | mscorsvw.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@gameux.dll,-10058 = "Purble Place" | SearchProtocolHost.exe
Modifies registry class 56 IoCs
Processes: msiexec.exe
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Clients = 3a0000000000 msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Servicing_Key msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Version = "134268455" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AuthorizedLUAApp = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\InstanceType = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Assignment = "1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\DiskPrompt = "[1]" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\PackageCode = "824BFCC8DA7C83E44A851335763B00A1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\PackageName = "vcredist.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\VC_Redist msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AdvertiseFlags = "388" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Language = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000 msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net msiexec.exe
-
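The Installer keys above are not searchable by the GUIDs you would see in Add/Remove Programs or in an MSI log: Windows Installer stores product, upgrade and package codes in a "packed" form (each GUID field with its hex digits reversed), the Version value packs major.minor.build into one DWORD, and the Win32Assemblies values are UTF-16LE Darwin descriptors (20 base-85 characters for the product code, the feature name, then ">" and 20 base-85 characters for the component code). The following script is an added example, not part of the sandbox report: it decodes the values copied from the entries above (the product, upgrade and package codes, the Version DWORD, the Clients value and the Microsoft.VC80.CRT descriptor, plus the LanguageList value from the HKEY_USERS list) so an analyst can pivot on the real GUIDs. The base-85 fields of the descriptor are split out but deliberately not decoded.

```python
"""Decode the Windows Installer registry artifacts from the report above.

Added example, not part of the sandbox report. Input values are copied from
the "Modifies registry class" entries; nothing here touches a live registry.
"""
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def _swap_pairs(s: str) -> str:
    """Reverse each pair of hex digits: 'AB12' -> 'BA21' (its own inverse)."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unpack_guid(packed: str) -> str:
    """Turn a 32-hex-digit packed MSI code into the usual {GUID} form.

    Windows Installer stores product, upgrade and package codes under
    HKLM\\SOFTWARE\\Classes\\Installer with the first three GUID fields
    reversed whole and the last two reversed in pairs of hex digits.
    """
    if not HEX32.match(packed):
        raise ValueError("packed code must be exactly 32 hex digits")
    p = packed.upper()
    fields = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
              _swap_pairs(p[16:20]), _swap_pairs(p[20:32])]
    return "{" + "-".join(fields) + "}"


def pack_guid(guid: str) -> str:
    """Inverse of unpack_guid: the registry key name for a known GUID."""
    parts = guid.strip("{}").upper().split("-")
    if [len(x) for x in parts] != [8, 4, 4, 4, 12]:
        raise ValueError("not a GUID")
    a, b, c, d, e = parts
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def msi_version(dword: int) -> str:
    """Products\\...\\Version packs major.minor.build as 0xMMmmBBBB."""
    return f"{dword >> 24}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def decode_utf16_value(hexdata: str) -> list:
    """Decode a REG_BINARY dump of UTF-16LE text into its NUL-separated strings."""
    text = bytes.fromhex(hexdata).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def parse_descriptor(hexdata: str) -> dict:
    """Split a Win32Assemblies value (a Darwin descriptor) into its fields.

    Layout: 20 base-85 characters holding the product code, the feature name,
    '>' and 20 base-85 characters holding the component code. The base-85
    fields are returned as stored, not decoded.
    """
    parts = decode_utf16_value(hexdata)
    if len(parts) != 1 or ">" not in parts[0]:
        raise ValueError("not a Darwin descriptor")
    product, rest = parts[0][:20], parts[0][20:]
    feature, _, component = rest.partition(">")
    if len(component) != 20 or not feature:
        raise ValueError("unexpected descriptor field lengths")
    return {"product85": product, "feature": feature, "component85": component}


# Values copied verbatim from the report's registry entries.
REPORT = {
    "ProductCode": "8E58E8E6B4EC5FF4197F4099C9F9EAA6",
    "UpgradeC ode": "92091D8AC5E822E408118470F0E997E6",
    "PackageCode": "824BFCC8DA7C83E44A851335763B00A1",
    "Version": 134268455,
    "Clients": "3a0000000000",
    "LanguageList": "65006e002d0055005300000065006e0000000000",
    "Microsoft.VC80.CRT": (
        "3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00"
        "560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700"
        "650038004d006b0062004900640046007700550000000000"
    ),
}


def report_summary() -> dict:
    """Decode every value in REPORT; these are the identifiers to pivot on."""
    return {
        "product_guid": unpack_guid(REPORT["ProductCode"]),
        "upgrade_guid": unpack_guid(REPORT["UpgradeC ode"]),
        "package_guid": unpack_guid(REPORT["PackageCode"]),
        "version": msi_version(REPORT["Version"]),
        "clients": decode_utf16_value(REPORT["Clients"]),
        "language_list": decode_utf16_value(REPORT["LanguageList"]),
        "descriptor": parse_descriptor(REPORT["Microsoft.VC80.CRT"]),
    }


if __name__ == "__main__":
    for key, value in report_summary().items():
        print(f"{key}: {value}")
```

Decoded, the product code is {6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A} with Version 8.0.50727, which agrees with the ProductName and the version="8.0.50727.42" assembly identities in the same entries; the feature field of the descriptor is VC_Redist, the same name that appears under Installer\Features. The Clients value decodes to ":", the marker the Installer uses for a product registered by its own package rather than by another client.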
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: ehRec.exe, bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, msiexec.exe, aspnet_state.exe
pid process
2040 ehRec.exe (1 event)
1100 bec406850664cc16ea97480273819a00_NeikiAnalytics.exe (25 events)
2392 msiexec.exe (2 events)
2904 aspnet_state.exe (5 events)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, mscorsvw.exe, mscorsvw.exe, EhTray.exe, ehRec.exe, msiexec.exe, msiexec.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, wmpnetwk.exe
description pid process
Token: SeTakeOwnershipPrivilege 1100 bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Token: SeShutdownPrivilege 1256 mscorsvw.exe
Token: SeShutdownPrivilege 936 mscorsvw.exe
Token: 33 2168 EhTray.exe
Token: SeIncBasePriorityPrivilege 2168 EhTray.exe
Token: SeDebugPrivilege 2040 ehRec.exe
Token: SeShutdownPrivilege 1256 mscorsvw.exe
Token: SeShutdownPrivilege 936 mscorsvw.exe
Token: SeShutdownPrivilege 1508 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe
Token: SeShutdownPrivilege 1256 mscorsvw.exe
Token: SeShutdownPrivilege 1256 mscorsvw.exe
Token: SeShutdownPrivilege 936 mscorsvw.exe
Token: SeShutdownPrivilege 936 mscorsvw.exe
Token: SeRestorePrivilege 2392 msiexec.exe
Token: SeTakeOwnershipPrivilege 2392 msiexec.exe
Token: SeSecurityPrivilege 2392 msiexec.exe
Token: SeCreateTokenPrivilege 1508 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1508 msiexec.exe
Token: SeLockMemoryPrivilege 1508 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe
Token: SeMachineAccountPrivilege 1508 msiexec.exe
Token: SeTcbPrivilege 1508 msiexec.exe
Token: SeSecurityPrivilege 1508 msiexec.exe
Token: SeTakeOwnershipPrivilege 1508 msiexec.exe
Token: SeLoadDriverPrivilege 1508 msiexec.exe
Token: SeSystemProfilePrivilege 1508 msiexec.exe
Token: SeSystemtimePrivilege 1508 msiexec.exe
Token: SeProfSingleProcessPrivilege 1508 msiexec.exe
Token: SeIncBasePriorityPrivilege 1508 msiexec.exe
Token: SeCreatePagefilePrivilege 1508 msiexec.exe
Token: SeCreatePermanentPrivilege 1508 msiexec.exe
Token: SeBackupPrivilege 1508 msiexec.exe
Token: SeRestorePrivilege 1508 msiexec.exe
Token: SeShutdownPrivilege 1508 msiexec.exe
Token: SeDebugPrivilege 1508 msiexec.exe
Token: SeAuditPrivilege 1508 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1508 msiexec.exe
Token: SeChangeNotifyPrivilege 1508 msiexec.exe
Token: SeRemoteShutdownPrivilege 1508 msiexec.exe
Token: SeUndockPrivilege 1508 msiexec.exe
Token: SeSyncAgentPrivilege 1508 msiexec.exe
Token: SeEnableDelegationPrivilege 1508 msiexec.exe
Token: SeManageVolumePrivilege 1508 msiexec.exe
Token: SeImpersonatePrivilege 1508 msiexec.exe
Token: SeCreateGlobalPrivilege 1508 msiexec.exe
Token: SeBackupPrivilege 2256 vssvc.exe
Token: SeRestorePrivilege 2256 vssvc.exe
Token: SeAuditPrivilege 2256 vssvc.exe
Token: 33 2168 EhTray.exe
Token: SeIncBasePriorityPrivilege 2168 EhTray.exe
Token: SeBackupPrivilege 2524 wbengine.exe
Token: SeRestorePrivilege 2524 wbengine.exe
Token: SeSecurityPrivilege 2524 wbengine.exe
Token: SeBackupPrivilege 2392 msiexec.exe
Token: SeRestorePrivilege 2392 msiexec.exe
Token: SeManageVolumePrivilege 392 SearchIndexer.exe
Token: 33 392 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 392 SearchIndexer.exe
Token: 33 2664 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 2664 wmpnetwk.exe
Token: SeShutdownPrivilege 1256 mscorsvw.exe
Token: SeShutdownPrivilege 936 mscorsvw.exe
Token: SeDebugPrivilege 1100 bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
-
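Sixty-four token adjustments is too many to read by eye, and most of them are noise: the Installer client (PID 1508) enables its whole privilege set, the NGen service toggles SeShutdownPrivilege repeatedly, and the entries shown as "Token: 33" are a privilege LUID the sandbox did not resolve (33 is SE_INC_WORKING_SET_PRIVILEGE, SeIncreaseWorkingSetPrivilege, which is why it always appears beside SeIncBasePriorityPrivilege). What matters is which process enabled a privilege that lets it reach into other processes or past file ACLs, and whether that image has any business doing so. The script below is an added example, not part of the sandbox report: it parses a copied subset of the lines above, groups them per process, resolves the numeric LUID, and flags high-risk privileges enabled by an image outside an allow-list. The allow-list (EXPECTED) is an assumption for the analyst to tune, not something the report states.

```python
"""Triage the AdjustPrivilegeToken entries from the report above.

Added example, not part of the sandbox report. The sample lines are copied
from the list above; the allow-list of privileges an image is expected to
enable is an assumption the analyst tunes, not something the report states.
"""
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")

# Numeric entries are privilege LUIDs the sandbox did not resolve to a name.
# 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege).
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Privileges that let a process read/write other processes, impersonate,
# load drivers or bypass file ACLs: worth explaining for any image.
HIGH_RISK = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
}

# Assumed allow-list, keyed by lower-case image name: high-risk privileges
# these Windows components enable as part of their job. Tune per environment.
EXPECTED = {
    "msiexec.exe": {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                    "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
                    "SeRestorePrivilege", "SeImpersonatePrivilege",
                    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege"},
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege"},
    "wbengine.exe": {"SeBackupPrivilege", "SeRestorePrivilege"},
}

# Copied from the report (a subset of the 64 entries).
REPORT_LINES = """\
Token: SeTakeOwnershipPrivilege 1100 bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Token: SeShutdownPrivilege 1256 mscorsvw.exe
Token: 33 2168 EhTray.exe
Token: SeIncBasePriorityPrivilege 2168 EhTray.exe
Token: SeDebugPrivilege 2040 ehRec.exe
Token: SeRestorePrivilege 2392 msiexec.exe
Token: SeTakeOwnershipPrivilege 2392 msiexec.exe
Token: SeCreateTokenPrivilege 1508 msiexec.exe
Token: SeTcbPrivilege 1508 msiexec.exe
Token: SeLoadDriverPrivilege 1508 msiexec.exe
Token: SeDebugPrivilege 1508 msiexec.exe
Token: SeBackupPrivilege 2256 vssvc.exe
Token: SeRestorePrivilege 2256 vssvc.exe
Token: SeBackupPrivilege 2524 wbengine.exe
Token: SeManageVolumePrivilege 392 SearchIndexer.exe
Token: SeDebugPrivilege 1100 bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
"""


def parse_token_lines(lines):
    """Yield (privilege, pid, image) for every 'Token:' record, resolving LUIDs."""
    for line in lines:
        for m in TOKEN_RE.finditer(line):   # finditer also copes with the flattened one-line form
            priv, pid, image = m.groups()
            yield LUID_NAMES.get(priv, priv), int(pid), image


def triage(lines):
    """Group privileges per (pid, image) and mark the high-risk ones."""
    per_proc = defaultdict(set)
    for priv, pid, image in parse_token_lines(lines):
        per_proc[(pid, image)].add(priv)
    return {
        key: {"privileges": sorted(privs), "high_risk": sorted(privs & HIGH_RISK)}
        for key, privs in per_proc.items()
    }


def flag_unexpected(report):
    """Return [(pid, image, [privileges])] for high-risk privileges outside the allow-list."""
    flagged = []
    for (pid, image), info in sorted(report.items()):
        unexpected = sorted(set(info["high_risk"]) - EXPECTED.get(image.lower(), set()))
        if unexpected:
            flagged.append((pid, image, unexpected))
    return flagged


def triage_report():
    """Run the triage over the copied report lines."""
    return triage(REPORT_LINES.splitlines())


if __name__ == "__main__":
    for pid, image, privs in flag_unexpected(triage_report()):
        print(f"REVIEW pid {pid} {image}: {', '.join(privs)}")
```

On the copied subset this flags PID 1100 (the sample) for SeDebugPrivilege and SeTakeOwnershipPrivilege, and PID 2040 ehRec.exe for SeDebugPrivilege; the Installer, VSS and Windows Backup processes fall inside the allow-list and are not reported. SeDebugPrivilege on the sample is the entry to pair with its WriteProcessMemory records further down.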
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: msiexec.exe, EhTray.exe
pid process
1508 msiexec.exe
2168 EhTray.exe
2168 EhTray.exe
1508 msiexec.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: EhTray.exe
pid process
2168 EhTray.exe
2168 EhTray.exe
-
Suspicious use of SetWindowsHookEx 17 IoCs
Processes: SearchProtocolHost.exe, SearchProtocolHost.exe
pid process
888 SearchProtocolHost.exe (5 events)
2720 SearchProtocolHost.exe (12 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe, VCREDI~2.EXE, mscorsvw.exe, SearchIndexer.exe
description pid process target process (identical records collapsed, count in parentheses)
PID 1100 wrote to memory of 1020: bec406850664cc16ea97480273819a00_NeikiAnalytics.exe -> VCREDI~2.EXE (7 events)
PID 1020 wrote to memory of 1508: VCREDI~2.EXE -> msiexec.exe (7 events)
PID 1256 wrote to memory of 2800: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 2376: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 1752: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 392 wrote to memory of 888: SearchIndexer.exe -> SearchProtocolHost.exe (3 events)
PID 392 wrote to memory of 2600: SearchIndexer.exe -> SearchFilterHost.exe (3 events)
PID 1256 wrote to memory of 2232: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 2520: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 1568: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 1972: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 2556: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 1664: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 856: mscorsvw.exe -> mscorsvw.exe (4 events)
PID 1256 wrote to memory of 692: mscorsvw.exe -> mscorsvw.exe (4 events)
-
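The sandbox logs one record per WriteProcessMemory call, so the same writer/target pair repeats (seven times for 1100 -> 1020, four times for each NGen worker the v4.0.30319 mscorsvw.exe service spawns). The useful view is the set of counted edges, arranged as a tree from the writers nothing wrote into, with the edges where the writer and target are different images pulled out for comparison against the process tree: a parent writing into a child it has just created is expected, a write into an unrelated process is injection. The script below is an added example, not part of the sandbox report; its input is copied from the records above, repeated as often as the report repeats them, and the cross-image filter is this example's heuristic. For the sample's chain the cross-image edges 1100 -> 1020 -> 1508 are exactly the parent/child levels shown under Processes further down.

```python
"""Rebuild process lineage from the WriteProcessMemory records above.

Added example, not part of the sandbox report. The records are copied from
the list above (each repeated as often as the report repeats it); the
cross-image filter is this example's heuristic, not something the report says.
"""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Copied from the report; a subset of the 64 records.
REPORT_TEXT = (
    "PID 1100 wrote to memory of 1020 1100 bec406850664cc16ea97480273819a00_NeikiAnalytics.exe VCREDI~2.EXE\n" * 7
    + "PID 1020 wrote to memory of 1508 1020 VCREDI~2.EXE msiexec.exe\n" * 7
    + "PID 1256 wrote to memory of 2800 1256 mscorsvw.exe mscorsvw.exe\n" * 4
    + "PID 1256 wrote to memory of 2376 1256 mscorsvw.exe mscorsvw.exe\n" * 4
    + "PID 392 wrote to memory of 888 392 SearchIndexer.exe SearchProtocolHost.exe\n" * 3
    + "PID 392 wrote to memory of 2600 392 SearchIndexer.exe SearchFilterHost.exe\n" * 3
)


def parse_edges(text):
    """Return ({(writer_pid, target_pid): write_count}, {pid: image})."""
    counts, images = Counter(), {}
    for m in WPM_RE.finditer(text):   # finditer copes with the flattened one-line page text too
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        counts[(src, dst)] += 1
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return counts, images


def roots(counts):
    """Writers that nothing wrote into: the tops of the lineage trees."""
    writers = {s for s, _ in counts}
    targets = {d for _, d in counts}
    return sorted(writers - targets)


def render_tree(counts, images):
    """Indented lineage, one line per edge, with the write count per edge."""
    children = defaultdict(list)
    for (s, d), n in counts.items():
        children[s].append((d, n))
    out, seen = [], set()

    def walk(pid, depth):
        for d, n in sorted(children[pid]):
            out.append(f"{'  ' * depth}{pid} -> {d} {images[d]} ({n} writes)")
            if d not in seen:            # guard against cyclic records
                seen.add(d)
                walk(d, depth + 1)

    for r in roots(counts):
        out.append(f"{r} {images[r]}")
        seen.add(r)
        walk(r, 1)
    return out


def cross_image_writes(counts, images):
    """Edges whose writer and target are different images: check each against the process tree."""
    return sorted((s, d) for (s, d) in counts if images[s].lower() != images[d].lower())


def lineage_report():
    """Parse the copied records and return tree, review list and raw counts."""
    counts, images = parse_edges(REPORT_TEXT)
    return {
        "tree": render_tree(counts, images),
        "review": cross_image_writes(counts, images),
        "counts": counts,
    }


if __name__ == "__main__":
    r = lineage_report()
    print("\n".join(r["tree"]))
    print("cross-image writes to review:", r["review"])
```

The same-image edges from 1256 are the NGen service feeding its worker processes and can be discounted once the tree shows them as direct children; the four cross-image edges are the ones to line up with the Processes section, and for this report each of them is a parent writing into its own child.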
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bec406850664cc16ea97480273819a00_NeikiAnalytics.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\bec406850664cc16ea97480273819a00_NeikiAnalytics.exe"
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\msiexec.exe (level 3)
      command line: msiexec /i vcredist.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\alg.exe (level 1)
  command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (level 1)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (level 1)
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (level 1)
  command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 1)
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1e0 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e8 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e8 -NGENProcess 1f0 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 270 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 268 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 218 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 1d4 -Pipe 1e8 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c4 -NGENProcess 254 -Pipe 21c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 254 -Pipe 218 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1f0 -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 248 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f0 -NGENProcess 23c -Pipe 1d0 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 28c -Pipe 1c4 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 23c -Pipe 2b0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 23c -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b8 -NGENProcess 2a8 -Pipe 23c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 2b4 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2bc -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 248 -NGENProcess 270 -Pipe 2a4 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c0 -NGENProcess 270 -Pipe 2a8 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 270 -NGENProcess 2cc -Pipe 248 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c0 -NGENProcess 2a0 -Pipe 2cc -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 270 -Pipe 2d0 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a0 -NGENProcess 2e0 -Pipe 27c -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f0 -NGENProcess 270 -Pipe 2c0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 270 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 300 -Pipe 270 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 2a0 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 300 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f0 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 314 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 308 -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 320 -Pipe 30c -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 328 -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 318 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 308 -NGENProcess 338 -Pipe 2f4 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 340 -NGENProcess 330 -Pipe 2dc -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 2f0 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 338 -Pipe 32c -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 338 -NGENProcess 308 -Pipe 350 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 334 -NGENProcess 34c -Pipe 318 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 344 -Pipe 320 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 330 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 34c -Pipe 340 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 338 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 308 -Pipe 358 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 344 -Pipe 360 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 370 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 364 -NGENProcess 344 -Pipe 368 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 344 -Pipe 374 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 308 -Pipe 378 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 344 -Pipe 374 -Comment "NGen Worker Process"
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 344 -NGENProcess 38c -Pipe 3a0 -Comment "NGen Worker Process"
-
Process (depth 1): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
-
Process (depth 1): C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
-
Process (depth 1): C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
-
Process (depth 1): "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Process (depth 1): "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
-
Process (depth 1): C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
-
Process (depth 1): C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
-
Process (depth 1): "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
-
Process (depth 1): C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Process (depth 1): C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 2): C:\Windows\syswow64\MsiExec.exe -Embedding 718118DB479F6EE927F4DCAD3C5F8503
- Loads dropped DLL
-
Process (depth 1): "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
Process (depth 1): "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
Process (depth 1): C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
Process (depth 1): C:\Windows\system32\locator.exe
- Executes dropped EXE
-
Process (depth 1): C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
Process (depth 1): C:\Windows\System32\vds.exe
- Executes dropped EXE
-
Process (depth 1): C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
Process (depth 1): "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 2): "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
-
Process (depth 2): "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
- Modifies data under HKEY_USERS
-
Process (depth 2): "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
Process (depth 1): C:\Windows\system32\DrvInst.exe, command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000005C4"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
Process (depth 1): C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
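The two flattened listings on this page are awkward to triage by eye: in the process tree the image path is fused to its command line and the tree depth is a trailing digit, and in the Downloads list the hash labels are fused to their values. The script below is an added example, not part of this report or of the analysed sample. It parses both formats and cross-references them, reporting which files written under C:\Windows or C:\Program Files were subsequently executed (the pattern the "Executes dropped EXE" tags on the service binaries above point at) and flagging hash fields of the wrong length. The sample input is constructed from entries visible on this page plus one deliberately malformed record; the single-digit depth and the protected-root list are assumptions.

```python
"""Added triage helper, not part of this sandbox report or of the sample.
Parses the flattened process tree ("<image><command line><depth>⤵" plus
tag bullets) and the dropped-file list ("<path>Filesize", a size line,
then "MD5<hex>"-style lines), then reports which files written under
C:\\Windows or C:\\Program Files were later executed. Assumes one depth digit.
"""
import re
from dataclasses import dataclass, field

# Constructed from entries in this report; the trailing digit is the tree depth.
PROCESS_TEXT = r"""
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
-
"""

# Constructed from this report's Downloads list, plus one deliberately
# malformed record (truncated MD5) to exercise the hash-length check.
DROPPED_TEXT = r"""
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeFilesize
678KB
MD51bea86627b31b9e55f34cf8ce8ba6262
SHA154c0fb7f55f92eccaa4a37cbd4c2c02ab45c94d1
SHA2566f222b3eee16b90dd81d1e5cd672a293cfa3bc98e0d72b8fffbfc9b73fb74356
SHA51223d392c2d504407660555da99bb48311fdec54cbaf1e42493d63c2eae3f9cc01a9de46f5242e36d48a4e066d0c5c5112814b4c91d5cfe8204d842aaab44a3a4c
-
C:\Windows\System32\vds.exeFilesize
1.1MB
MD5bbe03c8a94cde500b2e80bf3047afae8
SHA11b56ff71759207a413322d46d1029214654ae8a5
SHA256fbdabcf413ff5771adec98a7686caf16d69daf9bc9d711e38ec54bc3b82157ed
SHA512458b2d7464d5b822c39e579cab4ad3612815a3104bb587e5102acfa1887ffdaba2dfc98f751e234ce2643e649cba6595b1a73a7b88be44af0bb8df71a91cad43
-
C:\Users\Admin\AppData\Local\Temp\constructed.tmpFilesize
1KB
MD5deadbeefdeadbeefdeadbeef
"""


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    tags: list = field(default_factory=list)


# Image path runs to the first ".exe"; the command line follows with no separator.
_PROC_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵$", re.I)
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9A-Fa-f]*)$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files")  # assumed roots worth flagging


def parse_processes(text):
    procs = []
    for line in text.splitlines():
        if not line or line == "-":
            continue
        if line.startswith("- ") and procs:      # tag bullet belongs to the last process
            procs[-1].tags.append(line[2:])
            continue
        m = _PROC_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised process line: {line!r}")
        procs.append(Proc(int(m["depth"]), m["image"], m["cmd"].strip()))
    return procs


def parse_dropped(text):
    """Return ({path: {"size": ..., "MD5": ..., ...}}, [hash-length warnings])."""
    files, warnings, path = {}, [], None
    for line in text.splitlines():
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):            # "<path>Filesize" opens a record
            path = line[: -len("Filesize")]
            files[path] = {}
            continue
        m = _HASH_RE.match(line)
        if m is None:                            # the only unlabelled field is the size
            files[path]["size"] = line
            continue
        algo, hexval = m.groups()
        files[path][algo] = hexval.lower()
        if len(hexval) != HASH_HEX_LEN[algo]:    # backstop against truncated/mislabelled hashes
            warnings.append(f"{path}: {algo} has {len(hexval)} hex chars, expected {HASH_HEX_LEN[algo]}")
    return files, warnings


def executed_dropped(procs, files):
    """Processes whose image is one of the written files under a protected root."""
    written = {p.lower() for p in files}
    return [p for p in procs
            if p.image.lower() in written and p.image.lower().startswith(PROTECTED_ROOTS)]
```

Paste the page's own text into the two constants to run it over the full report; `executed_dropped` returns the processes whose on-disk binaries are worth pulling for a signature check, and a non-empty warnings list means a hash was truncated or mislabelled in the export.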
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize 706KB
MD5 cee750ae1f88c24b32efa8475d6efb14
SHA1 e5c35b0137f1b1350001c48395190f974991eb8b
SHA256 e8e808e120d4d4b7dcfa26d47d43e810832113b4e3ab243233c832b75eb0669b
SHA512 d1ea3f5f34bcf6b231a98b2cf6477718a76d499068c3ae1625bd652b32b241e1e6903b166f850487f3c72f5532916a9186fda8fa54d83d59a7cc3e291a26f25e
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize 30.1MB
MD5 cda00c42dd89cb89f9172a92fc1584fd
SHA1 8b2aa7e016ae3b7f8fd6105f069da14d295257cf
SHA256 a27310f83bdc102d7e192ed210a357c62ec642450068d828ea0bd7c218dc2921
SHA512 293eb2b5a280f1f7fa88289904141c6280f974d730e442417b36f65ec8f140a59f0df65236bd755f6de10ca443df67246409f6f3c9c1cf670465350110d431e1
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize 781KB
MD5 374dab3adb54c3f4c7f07fb3860725b2
SHA1 1391135fdcecdff9deb67c16b483025c889e8300
SHA256 a0a02a694192b38bfc0d24e390547652fc327eb64fcac08c111b4369d7e2914a
SHA512 b9f8f3ff4b9d1133b74056765ee5bacaf2b81de3e8b63e3d48cdd3f18759540b7b3709ca0ae0cd51cb4f42bcaf97fab8c378c82d611f37a326b5e3845dd2d08c
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize 5.2MB
MD5 bb206e123a6a276e83ed81b0c41f6aaf
SHA1 a0e262dcc24e85663e6af87ccb6858802edfc255
SHA256 342edacaa8e9d4a0efd8884c16cf30da77fe257c8ccf92c0cf5d74ac0628942b
SHA512 cbc1b9d8f3de1ff51caeaebd8e8f029b70f3cb35513f3c6d308e20e4b9035621dd9c1bced8d6a8102964548bc0942dcb24e2d0e9cc6cc5d00d7fad54cd540baf
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize 2.1MB
MD5 41eef8cbadccfba9a34d8f5c8a206cae
SHA1 e05c24241e865412d2f7b77638c1264405a81f7f
SHA256 aab7104a073ba6bd7e4e8c18e95928fd0b43fe23fc0c9155931b04df9cf0c307
SHA512 9e2d205b605564b4b188def9094944e951e00bfce1b04f3f5acdcb39864cc7e82a74dc1e0509ac4bd8111aa8405d0a955393a0c035c35818d73c8dbc4c61b819
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize 2.0MB
MD5 f66f9b78d81132690158b785d3298862
SHA1 03e4cb6a4ae78a9fb5e69f2f96a3628dccf57113
SHA256 48b1f48e0d26d0a46f212538621c38ca391efde7fc80dd6621d19bb17396b11f
SHA512 243bd49d4e304748820b5362a5274476560d560319fd3ddefaf09ae54cee86bc4ff4372e550ffd048d30497cd609181c19cfb58ef0c8fbfc108d04bd4de9c294
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize 1024KB
MD5 e4e8bd22f7cb41cb482ed6d096f5454a
SHA1 fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA256 4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512 a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a
-
C:\Users\Admin\AppData\Local\Temp\Cab77AF.tmp
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi
Filesize 3.8MB
MD5 fa135204bb6146fca799cf06d30c444c
SHA1 774b9fd7ca76502ae6c732432377d71dfd75a15a
SHA256 cd7eb3fe76c008e2af85cab033f620e04e22af941797083a5fb51e269bb8fcbb
SHA512 b2c20573b92766353db601a31d4409397fd5de3a32f9bde4b3e627b48c5b859d33c93f96ecb0c177eb16768f5dd744394857a078a7302fdf0f0e4f5d2543b73a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize 648KB
MD5 4433a7d7d56dfffcc33ee5c6af0d830e
SHA1 d9a90d4a0d0ecb3c2de6b89b55da0cd0adfe47b6
SHA256 7548279905affc498ac9343daee27f8cdae79900684cc38f7823d891b38f6cf3
SHA512 6c3560dbade60e549dda989adb9eafe31762df7e58939a382e4b9a97f0189f1ae61c0557bc383ce4f76185aaa24b7e53c918a98a735a3ffb97b9f121c0bfa84a
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize 872KB
MD5 e21c0065bac0e5b85971617709ff7688
SHA1 1731be199326e524aef6e700767054c5edb200da
SHA256 57756320be6cecfa5b2ce297c15588d3dcf55a6cba83136b1b77ab16626b65b8
SHA512 7777b8926d822e4493be7722570d8678619cd6bbbc923e6a9ef225c8064d233a32f15cd5daef80cefe4bb0372e523d7c0cf92556e248fc585d444a8a669ec138
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize 678KB
MD5 1bea86627b31b9e55f34cf8ce8ba6262
SHA1 54c0fb7f55f92eccaa4a37cbd4c2c02ab45c94d1
SHA256 6f222b3eee16b90dd81d1e5cd672a293cfa3bc98e0d72b8fffbfc9b73fb74356
SHA512 23d392c2d504407660555da99bb48311fdec54cbaf1e42493d63c2eae3f9cc01a9de46f5242e36d48a4e066d0c5c5112814b4c91d5cfe8204d842aaab44a3a4c
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize 625KB
MD5 3aa07a6d181aebf1aeb7a8c0ce50824e
SHA1 248b7a18852e55f17a6ec35cc745032f17fdb7d9
SHA256 219c6bbd6869d28490ce09189e0e64006f49fd1f22e18344084771e7647904b4
SHA512 86af2bb6734d9014ca96ead19aae75a6487ba2eed665221f6fcb7c74cf07381992d708998a745186af5e2eedaaad91d0edb5ef417f727a3a120583db18e4a3b9
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize 1003KB
MD5 5734eec406a94aa6cad9d55e09c2e334
SHA1 9e9b7434c1e826ad03f78225ce42a666fb21d610
SHA256 97f66a6028173ffbadc776b81e8070e5a7a58652d5fa00eea2a5d3de12dd4b6e
SHA512 483620374769e8feb6751b00306357c0dd1a636350ead277b56d7de3675ea4e6ecfe215164cd2cb53011c2d89f30f3254cd2b121e59881ad78366fbc179e0638
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 656KB
MD5 fd0afdd7fcaa111713393fcd3dbf2bd2
SHA1 8a1717e7e7e2244c3bee15884159efd2e933c137
SHA256 ec40382847343582d805485e35bb828dad7e3dcf6b5389af0243f6e06af3ba72
SHA512 582e72e2bebb2803aceebded4158f5a9e71da14121a802d5210f85671a9d8a346df15798bfcfb14dcad1a0d9d46ae6f6debc5a15b90245c65e397dc885c16f23
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize 8KB
MD5 5e71aa269bfd550570b862b1f0685f8a
SHA1 2e7df453386e4e9147c7202500f8809a7a0749e3
SHA256 2e91bdb8cdba8e738baa053f9fcce377dac4a6c2deab59ad20fc54d95a25d35b
SHA512 c7ede18f64faf7cf4408a6facfff1904c28e35ea88d809534587e0371dd596684ae144ba8879c1b23439de852c538cfc215432431d9752c6be8d9d5843c9d816
-
C:\Windows\SysWOW64\perfhost.exe
Filesize 587KB
MD5 01341ba71cc41050284344f939bbc8db
SHA1 cd7514d264f546239cfccc12847044d275656a66
SHA256 3396e2e77178938c5ec6a3553a3e5ae2a47455d8c8f904d4c83a05e5d36cc3e5
SHA512 570728d1d36013ec6df8c53fa194f41d2cbab36bf1f04cd82344eba0e7763add36c5b046d51011a0f3b5ac483d05cddc6ca90adf4a38a4943f309e76f82423f1
-
C:\Windows\System32\SearchIndexer.exe
Filesize 1.1MB
MD5 012edcd9798d00dee436ea91f0fbffa0
SHA1 83a2009d5195eb26eca87795724eb9a346cca829
SHA256 9cc84877a771524e88c13cc3d45b3965ec70e6817ec4cfdbe337c9b4543ccf43
SHA512 352072199b7e33c6c723d17002e60b83479828aeeca22c4993afa76b40650a3d032f1f05d60e879643c0ca2bae2c8cd2a7da64f7c8ed004b8cdf93b5f8925ecb
-
C:\Windows\System32\VSSVC.exe
Filesize 2.1MB
MD5 602bccb3863a99fe4a60b7cf5e082670
SHA1 decab26abb8c71abd82e1637bf9dc39b975a2fb1
SHA256 7748a69f628223b5c7ceb60bd5001975080120165e5012e8c6469a01302fb084
SHA512 2341432f5cc3e25067de1a85d8aab7052f966b79ed8918c20d1751ba8ed4b3ea0f6074f36a20c8a37251267393ec7de4dff1e60a48ce8eb713afac91f3045c1b
-
C:\Windows\System32\msdtc.exe
Filesize 705KB
MD5 d865736436d0142930fcca8e426647d6
SHA1 3450ebd832e0f882d12c1a18e281548b472de69c
SHA256 8905e87c33081edf10a6bb0cfb3ea8fd16b917c96c5f070958179e03b4dc55b3
SHA512 f5f968539542ac4d9898c8763c9b15f8cfadd80091d7d578725bdeef80c80c4b4616d829a0d72beb3a6dd39a46a50b0ff592f00b6e928b80e5961aa8bbae3e46
-
C:\Windows\System32\snmptrap.exe
Filesize 581KB
MD5 c06cf96a18f729ffcafcafff20ec35b6
SHA1 cfa8634ac01878685c21860b06cf3d3ee62b9561
SHA256 67072544b05298b1eb823fceb752698a874b030b390fe7a7fd8de844a6786cae
SHA512 5bdc84c699fe2d021ef139e264079751bddc1207f655dd05d356b6d6cc0c1b53975e3ce6b78b126f31a3380c36010d5bce4cd75e283a37209e3bff14eafdf660
-
C:\Windows\System32\vds.exe
Filesize 1.1MB
MD5 bbe03c8a94cde500b2e80bf3047afae8
SHA1 1b56ff71759207a413322d46d1029214654ae8a5
SHA256 fbdabcf413ff5771adec98a7686caf16d69daf9bc9d711e38ec54bc3b82157ed
SHA512 458b2d7464d5b822c39e579cab4ad3612815a3104bb587e5102acfa1887ffdaba2dfc98f751e234ce2643e649cba6595b1a73a7b88be44af0bb8df71a91cad43
-
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize 765KB
MD5 42afeadfb042802093f3410eacfc1b22
SHA1 57f9b9e028893d9a7bc8abe50869c6f22b0dcf23
SHA256 b460d9639fd28136dd00f8cb231a323fb6568fef80744dfaa521bcb9baa666bc
SHA512 716ffc707c7d7b795050e616c2329b42d8d8e37767c8fde46a2bc05383b0bce79172d82c71c522059df3ced6b86a096a113fdfae63628d3a5d9d829b35f1c6af
-
C:\Windows\System32\wbengine.exe
Filesize 2.0MB
MD5 dc43451d17bc5cabd612f0f72c6fed66
SHA1 8a79783987e01f1189d292c08401cb994f5d9e89
SHA256 182b612cf9c2591cada1bd238c498fdf6036707a1bf95efdfd1eadfe6db4fc8a
SHA512 7fa544935894e158c81a9ebca95fee986e2c68e85e4da7785e1affcdd41ace631b107601880b5acda6fdb3d0665a5dcd866bec7be1d8effb4dafa05fe9a2d09b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize 148KB
MD5 ac901cf97363425059a50d1398e3454b
SHA1 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256 f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize 34KB
MD5 c26b034a8d6ab845b41ed6e8a8d6001d
SHA1 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize 109KB
MD5 0fd0f978e977a4122b64ae8f8541de54
SHA1 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512 ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize 41KB
MD5 3c269caf88ccaf71660d8dc6c56f4873
SHA1 f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256 de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512 bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7582ab72a95c801b0d18a7791b84e72d\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize 180KB
MD5 9b534962b3ee7d22440b057a546a09f9
SHA1 56a927d5fab48fcdd5f603526aa7478fb4ac92f3
SHA256 1720b106ec599df2e7ee1b74f0d528ca98ffb97ae48fafa5c59601959ed51d40
SHA512 29afdd2e1bb898b8a3ff17b6130f84deeaa08a187a46df0c3ed4773d7823af26908bb81c7ec42d2911082118ee53d0ce16736979051bcb125d80ddc4c3cb2308
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize 210KB
MD5 4f40997b51420653706cb0958086cd2d
SHA1 0069b956d17ce7d782a0e054995317f2f621b502
SHA256 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512 e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize 53KB
MD5 e3a7a2b65afd8ab8b154fdc7897595c3
SHA1 b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256 e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize 28KB
MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c57fffb73d65a082286bb4fa487a34c6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dllFilesize
187KB
MD58b14ae348c5e150b24d295509727821a
SHA1d7ac8320e8374b0a8627bc964f248bc519b08637
SHA2566ab1b53649dfd9044a21929abd0d31f7718f52abe3810fa5e897b7609e7efe0f
SHA5124279bff0c863d20585d406817f7eb48158e4b8376ff0098de9a4021a2f7bf7ee2c62fa230dc77425a9169857be71a39d36fee1030d2321db0d6776a39f1fdace
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dllFilesize
27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dllFilesize
57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e6cb17365c7c6aa6dc7e423c3716cc8e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dllFilesize
83KB
MD568db807198d050b16a70bec6a4ed2c40
SHA1d59ecd0e5fbacc2550b7a9bdd3f27ec73f5d2309
SHA2561681eecd9d4bf67411eb9b4a6245c860fb334e559a2454101f88a0d0fdbc782f
SHA5125bc8727eb4f5464af713b490fc94da1aa148c5b0668e937a41f4a89ac322d909e107eea2472fb2089f80fec4a6b90e139a14e124b60da3aeef8eedccf7dd24f3
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dllFilesize
130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dllFilesize
143KB
MD5f786ebe6116b55d4dc62a63dfede2ca6
SHA1ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA2569805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA51280832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dllFilesize
59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dllFilesize
42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dllFilesize
855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dllFilesize
43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
C:\Windows\ehome\ehsched.exeFilesize
691KB
MD53dd2291a55f8ab9ab8fdbb648d478a2d
SHA1f89012492816e468bb06cf67e27cf1a507f7e2d2
SHA25604992de7b98aba34bfbfac10d8452f424d35fcd0cf01c853c01d32df45896a42
SHA5122227071789db65704362eaa8a0102b8bb6c1a4e84c6ca0e5fe23b3cc6281a9181ed64991cc4f7055e54e54130c6f6a3c1914f0281237d5a7d92518ca45990223
-
C:\Windows\system32\msiexec.exeFilesize
691KB
MD558e65b1323e2483d8ef79032e9b10e9e
SHA13a8cf8a8a4e583842f0f3fd6ecee7bc052fb3ea4
SHA25671f8e66f454bb275f62a97c35a305b35c67ab5eb012b97954be6f60a7cfafc84
SHA512349c4b939ab40f36163387fbfdda5db549ce9b7e4704f83f8ddf544158b628169ed4c9cf67d49230a10532d416112a63251abe612bb05d404cacda846b074d23
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXEFilesize
4.1MB
MD545109081338654c25e42aea404b7d40c
SHA17474003f1dffb4439381cb628ded660d28a41bdd
SHA25600fbdecf2f47d72cdd20a60d685d5d0f56e1f5ec571a7e43eebe1b178285eb76
SHA512cb89ea354aacf4560ab59ccbf1ae5f9d4913b0b4b6130bdaeb6f8eced7844c416875d0303e0f141165ca1681f6b9728d46a96fa44b3a2eb45616d904658179e2
-
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeFilesize
603KB
MD50b8b90a3ec91252a689cb2682d82f658
SHA18348ef77f96b5347f9779e8cc3cc67e53d66e851
SHA256bb57ddabba9ffbdfa26d69bce08b67ecc02ca01e8811b16dd0e9a182ea80c2e0
SHA5127a2f5220f66089b2708b9de880f272a7ef21937336cbd45056fb3584a682ee681d59ba74c84a2ac995bce64870e29c6f73a4ccd6ca49dcb94caa2ddcd5b8af11
-
\Windows\System32\Locator.exeFilesize
577KB
MD5a4911522240c60c0e2a14ca061c2f48c
SHA1bdc4fd95fe885db6942f2c44769460b778187be4
SHA256e1b4ea357fcaa3ac1f8a97ed9e4c23f0869b07d4159fbf1e24d44c602c91a828
SHA5123a7ac97ecd786e799ba9deab0c504e5b571a8d8e86d6721f3a05529b4ef6e1d08f7c0151c509abdd82e1f176972cca39affb83a83b144a8918d4a75bfdd818f4
-
\Windows\System32\alg.exeFilesize
644KB
MD5a993e3be32c96e2d3f5076ad03ef8262
SHA1f50f5b570e8f691b376c28d69aac0beea442c744
SHA256b17b9a4a1c7498b5511b9f351500e84cad99a662712a548edf3b1e4d8ffc33cc
SHA5127cd0d5c44f684817551881125db93f784ec1653368f21063b01af3932dd6bc5b1973f4ec3066b2be03371cd5224f22edb52bd285fd20c70cf088cb0cd1308a82
-
\Windows\System32\ieetwcollector.exeFilesize
674KB
MD5c26237109271319680c69406171b6dc0
SHA133c6a0029d40b30b432b7e581a910a19d347efc6
SHA256d492f62e53a423048417ada2abc69226f53fb1aaec60300102b8394ece7bc1b2
SHA5124e180d0e479ea247dc97638adc02fe8d93151e5fb1a51fcdc73d7d335719b6e0ec6a0a6d72bcffc7f0f56918d30f1af51832cde878cd1e0703575ec9be43d91a
-
\Windows\ehome\ehrecvr.exeFilesize
1.2MB
MD5b1489c7223dd8a32bc64268162b5090f
SHA11432f653ccade07b2ab55ca005b459412e84a502
SHA2568a612a1de7624fdc586e1cddae1b208ffe1f016ae6656d0cdbcaeeadccab9b69
SHA512ab8d3a5195814460a0fbc8d0fa71091e46ff8457700ee71c1e1d6502739f92c1908897fda59d0c4d83c26f122c90db1e742f373a30f435eccce85ccd5663b0ae
-
memory/392-731-0x0000000100000000-0x0000000100123000-memory.dmp
Filesize
1.1MB
-
memory/392-423-0x0000000100000000-0x0000000100123000-memory.dmp
Filesize
1.1MB
-
memory/528-321-0x0000000001000000-0x0000000001096000-memory.dmp
Filesize
600KB
-
memory/528-460-0x0000000001000000-0x0000000001096000-memory.dmp
Filesize
600KB
-
memory/692-737-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/692-761-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/800-117-0x0000000000430000-0x0000000000490000-memory.dmp
Filesize
384KB
-
memory/800-111-0x0000000000430000-0x0000000000490000-memory.dmp
Filesize
384KB
-
memory/800-119-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize
1.2MB
-
memory/800-304-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize
1.2MB
-
memory/856-740-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/856-732-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/880-639-0x0000000100000000-0x0000000100114000-memory.dmp
Filesize
1.1MB
-
memory/880-358-0x0000000100000000-0x0000000100114000-memory.dmp
Filesize
1.1MB
-
memory/884-699-0x0000000100000000-0x00000001000C4000-memory.dmp
Filesize
784KB
-
memory/884-405-0x0000000100000000-0x00000001000C4000-memory.dmp
Filesize
784KB
-
memory/920-422-0x000000002E000000-0x000000002E0B5000-memory.dmp
Filesize
724KB
-
memory/920-293-0x000000002E000000-0x000000002E0B5000-memory.dmp
Filesize
724KB
-
memory/936-93-0x0000000000AA0000-0x0000000000B00000-memory.dmp
Filesize
384KB
-
memory/936-99-0x0000000000AA0000-0x0000000000B00000-memory.dmp
Filesize
384KB
-
memory/936-102-0x0000000140000000-0x00000001400AE000-memory.dmp
Filesize
696KB
-
memory/1068-816-0x0000000003C50000-0x0000000003D0A000-memory.dmp
Filesize
744KB
-
memory/1068-814-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1068-821-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1084-444-0x0000000100000000-0x0000000100542000-memory.dmp
Filesize
5.3MB
-
memory/1084-305-0x0000000100000000-0x0000000100542000-memory.dmp
Filesize
5.3MB
-
memory/1100-1-0x00000000008A0000-0x0000000000D46000-memory.dmp
Filesize
4.6MB
-
memory/1100-76-0x0000000001000000-0x00000000014A6000-memory.dmp
Filesize
4.6MB
-
memory/1100-2-0x00000000003A0000-0x0000000000407000-memory.dmp
Filesize
412KB
-
memory/1100-10-0x0000000001000000-0x00000000014A6000-memory.dmp
Filesize
4.6MB
-
memory/1100-0-0x0000000001000000-0x00000000014A6000-memory.dmp
Filesize
4.6MB
-
memory/1100-7-0x00000000003A0000-0x0000000000407000-memory.dmp
Filesize
412KB
-
memory/1100-101-0x00000000008A0000-0x0000000000D46000-memory.dmp
Filesize
4.6MB
-
memory/1256-77-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1256-83-0x0000000000240000-0x00000000002A7000-memory.dmp
Filesize
412KB
-
memory/1256-78-0x0000000000240000-0x00000000002A7000-memory.dmp
Filesize
412KB
-
memory/1256-280-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1396-843-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1396-820-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1568-686-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1568-650-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1632-246-0x0000000140000000-0x00000001400CA000-memory.dmp
Filesize
808KB
-
memory/1632-228-0x0000000140000000-0x00000001400CA000-memory.dmp
Filesize
808KB
-
memory/1664-712-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1664-735-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1684-216-0x000000002E000000-0x000000002FE1E000-memory.dmp
Filesize
30.1MB
-
memory/1684-356-0x000000002E000000-0x000000002FE1E000-memory.dmp
Filesize
30.1MB
-
memory/1720-123-0x0000000100000000-0x00000001000A4000-memory.dmp
Filesize
656KB
-
memory/1720-15-0x0000000000780000-0x00000000007E0000-memory.dmp
Filesize
384KB
-
memory/1720-21-0x0000000000780000-0x00000000007E0000-memory.dmp
Filesize
384KB
-
memory/1720-14-0x0000000100000000-0x00000001000A4000-memory.dmp
Filesize
656KB
-
memory/1752-623-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1752-454-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1784-132-0x0000000140000000-0x00000001400B2000-memory.dmp
Filesize
712KB
-
memory/1784-311-0x0000000140000000-0x00000001400B2000-memory.dmp
Filesize
712KB
-
memory/1972-681-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/1972-698-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2108-799-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2108-813-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2124-146-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize
2.2MB
-
memory/2124-329-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize
2.2MB
-
memory/2156-871-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2160-332-0x0000000100000000-0x0000000100095000-memory.dmp
Filesize
596KB
-
memory/2160-608-0x0000000100000000-0x0000000100095000-memory.dmp
Filesize
596KB
-
memory/2184-357-0x0000000100000000-0x0000000100096000-memory.dmp
Filesize
600KB
-
memory/2232-621-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2232-637-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2256-368-0x0000000100000000-0x0000000100219000-memory.dmp
Filesize
2.1MB
-
memory/2256-648-0x0000000100000000-0x0000000100219000-memory.dmp
Filesize
2.1MB
-
memory/2336-151-0x0000000140000000-0x00000001400AE000-memory.dmp
Filesize
696KB
-
memory/2336-874-0x0000000140000000-0x00000001400AE000-memory.dmp
Filesize
696KB
-
memory/2336-344-0x0000000140000000-0x00000001400AE000-memory.dmp
Filesize
696KB
-
memory/2348-758-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2348-787-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2376-445-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2376-464-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2392-403-0x0000000000320000-0x00000000003D2000-memory.dmp
Filesize
712KB
-
memory/2392-282-0x0000000000320000-0x00000000003D2000-memory.dmp
Filesize
712KB
-
memory/2392-402-0x0000000100000000-0x00000001000B2000-memory.dmp
Filesize
712KB
-
memory/2392-263-0x0000000100000000-0x00000001000B2000-memory.dmp
Filesize
712KB
-
memory/2396-55-0x0000000010000000-0x00000000100A7000-memory.dmp
Filesize
668KB
-
memory/2396-62-0x0000000000310000-0x0000000000370000-memory.dmp
Filesize
384KB
-
memory/2396-87-0x0000000010000000-0x00000000100A7000-memory.dmp
Filesize
668KB
-
memory/2404-840-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2404-856-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2424-877-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2424-868-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2496-235-0x0000000140000000-0x00000001400B6000-memory.dmp
Filesize
728KB
-
memory/2496-382-0x0000000140000000-0x00000001400B6000-memory.dmp
Filesize
728KB
-
memory/2520-638-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2520-653-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2524-682-0x0000000100000000-0x0000000100202000-memory.dmp
Filesize
2.0MB
-
memory/2524-383-0x0000000100000000-0x0000000100202000-memory.dmp
Filesize
2.0MB
-
memory/2536-39-0x0000000010000000-0x000000001009F000-memory.dmp
Filesize
636KB
-
memory/2536-41-0x00000000005C0000-0x0000000000627000-memory.dmp
Filesize
412KB
-
memory/2536-45-0x00000000005C0000-0x0000000000627000-memory.dmp
Filesize
412KB
-
memory/2536-73-0x0000000010000000-0x000000001009F000-memory.dmp
Filesize
636KB
-
memory/2556-705-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2556-700-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2664-417-0x0000000100000000-0x000000010020A000-memory.dmp
Filesize
2.0MB
-
memory/2664-711-0x0000000100000000-0x000000010020A000-memory.dmp
Filesize
2.0MB
-
memory/2800-290-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2800-421-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2800-449-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2812-798-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2812-783-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize
672KB
-
memory/2904-150-0x0000000140000000-0x000000014009D000-memory.dmp
Filesize
628KB
-
memory/2904-27-0x0000000140000000-0x000000014009D000-memory.dmp
Filesize
628KB
-
memory/2904-28-0x0000000000310000-0x0000000000370000-memory.dmp
Filesize
384KB
-
memory/2904-36-0x0000000000310000-0x0000000000370000-memory.dmp
Filesize
384KB