Analysis

max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 07:23

Static task: static1

Behavioral task: behavioral1
Sample: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General

Target: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Size: 3.1MB
MD5: 927cc80a83578f56d2eb5c5f90767160
SHA1: f2e81ec5a316febeaacd073ad1824c62074782c1
SHA256: 61cf8d2e342099092263d916b77e3d03bee7166736fd815e9f00761ee5631c8e
SHA512: 1b06c7ac467063a9fed37c52084ee3bb6b3950521e46d686ca5545a6e5391b06b5d3193ce54d51dd649a714815ed8c1304279ab604ec5851e8efe815ea9e9081
SSDEEP: 98304:fHgNDfXQ1veFPk5FaoCRrgGUDxYRVlbnP9WXW7H6C:mDfgZeVmCJWlYHBVH
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Loads dropped DLL (52 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe, VCREDI~1.EXE
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  [927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  [VCREDI~1.EXE]
Blocklisted process makes network request (2 IoCs)
Processes: msiexec.exe, msiexec.exe
  flow 40, pid 1624: msiexec.exe
  flow 52, pid 3060: msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (23 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class 56 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid Process
1624 msiexec.exe
2820 EhTray.exe
2820 EhTray.exe
1624 msiexec.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid Process
2820 EhTray.exe
2820 EhTray.exe
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe"
Depth: 1
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216 -
Path: C:\Windows\SysWOW64\msiexec.exe
Command line: msiexec /i vcredist.msi
Depth: 3
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1624
-
-
-
Path: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3020
-
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2672
-
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Depth: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2420
-
Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Depth: 1
- Executes dropped EXE
PID:1592
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Depth: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348 -
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:548
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1472
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 1e4 -Pipe 248 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2828
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 1dc -Pipe 254 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:832
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 244 -Pipe 1d8 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1252
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1220
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 244 -Pipe 1ec -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2508
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:436
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1848
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2604
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 1dc -Pipe 250 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1648
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2284
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1180
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1480
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1dc -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1472
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 270 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1836
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 298 -Pipe 1dc -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2876
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1648
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2708
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2176
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 2a0 -Pipe 268 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2132
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:436
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2604
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 21c -Pipe 1f0 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2316
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e4 -NGENProcess 288 -Pipe 1ec -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2692
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1e4 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:324
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 264 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2416
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:696
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2104
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1c8 -NGENProcess 258 -Pipe 220 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1452
-
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 258 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2452
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 294 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 268 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 248 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 248 -NGENProcess 270 -Pipe 1c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"2⤵PID:1472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 21c -NGENProcess 298 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 298 -NGENProcess 1e4 -Pipe 268 -Comment "NGen Worker Process"2⤵PID:2772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 21c -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 258 -NGENProcess 2b8 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b8 -NGENProcess 1e4 -Pipe 21c -Comment "NGen Worker Process"2⤵PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 2ac -Pipe 270 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 258 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:1540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c4 -NGENProcess 2bc -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:2324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 1e4 -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:1848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 258 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 258 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:2776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2d4 -NGENProcess 1e4 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 1e4 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:2084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 258 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:3032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2fc -NGENProcess 2dc -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 298 -NGENProcess 2e4 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 308 -NGENProcess 2f4 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2fc -NGENProcess 310 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:2228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2dc -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 308 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:1484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:2052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2dc -Pipe 310 -Comment "NGen Worker Process"2⤵PID:1332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 308 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 304 -NGENProcess 324 -Pipe 338 -Comment "NGen Worker Process"2⤵PID:1948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 31c -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2272
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 32c -Pipe 340 -Comment "NGen Worker Process"2⤵PID:692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 32c -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2248
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 344 -NGENProcess 334 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:2000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e4 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:644
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 328 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 334 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:1272
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 328 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:1440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 32c -NGENProcess 324 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 360 -NGENProcess 2e4 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:1544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 328 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:2208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 324 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:1704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2e4 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 328 -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 368 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 32c -NGENProcess 328 -Pipe 360 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 328 -NGENProcess 32c -Pipe 37c -Comment "NGen Worker Process"2⤵PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 380 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 334 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 32c -Pipe 370 -Comment "NGen Worker Process"2⤵PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 334 -Pipe 374 -Comment "NGen Worker Process"2⤵PID:1084
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1236
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:1504
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2908
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-2 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3016
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1724
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADA4DBCFD0B286A7FC27081C9C3C8659 2⤵
- Loads dropped DLL
PID:2460
-
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2176
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3040
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:1396
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1920
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2204
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:912
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2160
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1516
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604 2⤵
- Modifies data under HKEY_USERS
PID:2352
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1996
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005C8"1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:644
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
PID:2604
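Two things worth pulling out of a tree like the one above before anything else: the legitimate Windows and Program Files binaries (mscorsvw.exe, elevation_service.exe, msdtc.exe, dllhost.exe and the rest) that are tagged "Executes dropped EXE" even though they sit at their canonical paths and are top-level processes rather than children of the sample, and the digests in the Downloads list that follows. The tag is raised for an executable that was written during the run before it executed, so for a service binary at its normal path it points at the on-disk file having been rewritten by the sample; those paths are what to verify on a suspect host, and the Downloads hashes are the artefacts to hunt for. The Python below is an added example, not part of this report or of Triage's own tooling. It assumes the text layout of this page (image path fused to its command line, the depth digit immediately before the ⤵ arrow, `- <signature>` bullets, `PID:<n>` lines, and hash labels fused to their values such as `MD5<hex>`), and `SYSTEM_PREFIXES` is this example's own heuristic. The sample input is copied from lines of this report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^(?P<head>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$")
IMAGE_RE = re.compile(r"^.*?\.exe", re.IGNORECASE)  # image path ends at the first '.exe'
HASH_RE = re.compile(r"^(?P<label>SHA512|SHA256|SHA1|MD5|Filesize)(?P<value>.*)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Heuristic of this example (not a Triage field): binaries under these paths are
# launched by Windows itself, so 'Executes dropped EXE' implies the file was rewritten.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int  # 1 = top level of the report's tree
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[Proc]:
    """One Proc per '<image><cmdline><depth>⤵' header; '- <signature>' and 'PID:' lines follow it."""
    procs: List[Proc] = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            head = m.group("head")
            img = IMAGE_RE.match(head)
            image = img.group(0) if img else head
            pid = int(m.group("pid")) if m.group("pid") else None
            procs.append(Proc(image, head[len(image):].strip(), int(m.group("depth")), pid))
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:].split()[0])
        elif line.startswith("- ") and procs:
            procs[-1].signatures.append(line[2:])
    return procs


def dropped_system_binaries(procs: List[Proc]) -> List[Proc]:
    """Top-level processes at canonical system paths tagged 'Executes dropped EXE'."""
    return [p for p in procs if p.depth == 1 and "Executes dropped EXE" in p.signatures
            and p.image.lower().startswith(SYSTEM_PREFIXES)]


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """Entries are separated by '-'; a label is fused to its value or split over two lines."""
    entries, cur, pending = [], {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = HASH_RE.match(line)
        if line == "-":
            if cur:
                entries.append(cur)
            cur, pending = {}, None
        elif pending:
            cur[pending], pending = line, None
        elif m and not m.group("value").strip():
            pending = m.group("label")  # value is on the next line ('Filesize' / '1.4MB')
        elif m:
            label, value = m.group("label"), m.group("value").strip()
            if label in HEX_LEN and not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], value):
                raise ValueError(f"{label} digest has wrong length or charset: {value!r}")
            cur[label] = value
        elif re.match(r"^[A-Za-z]:\\", line):
            cur["path"] = line
    if cur:
        entries.append(cur)
    return entries


# Copied from the report above: a subset of the process tree and two Downloads entries.
SAMPLE_TREE = r"""C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:696
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
PID:2604
"""
SAMPLE_DOWNLOADS = r"""Filesize
1.4MB
MD5bd63926503e6fdb5ef5e08574513369b
SHA14406e47498a9ac09fd33f4be61db281c071d3942
SHA256ce5fc5ef5e86e2eda6729d80c6d0d7b89d40baac728def241ea6eb606f202f88
SHA5129b60740481e6095789267c678789a7f168e5a3f877e97601dab1482a98760642a8fe8b98a5862c8fc524b4c1ac2733d53b601cd0c35dc389d250fe0b9586310b
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000
Filesize240B
MD57ca2da6f1e7bca562d7d9376700a912f
SHA25604fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e
"""

if __name__ == "__main__":
    for p in dropped_system_binaries(parse_process_tree(SAMPLE_TREE)):
        print(f"verify on disk: PID {p.pid} {p.image}")
```

Run as a script it lists the system binaries to verify (here the Framework64 mscorsvw.exe and dllhost.exe; the depth-2 NGen worker is excluded because it is a child, not a service start). Feed the full Downloads section to `parse_dropped_files` and compare the SHA256 values against the files at the flagged paths on a suspect host; a digest that fails the length check is rejected rather than silently indexed as an IOC.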
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.4MB
MD5bd63926503e6fdb5ef5e08574513369b
SHA14406e47498a9ac09fd33f4be61db281c071d3942
SHA256ce5fc5ef5e86e2eda6729d80c6d0d7b89d40baac728def241ea6eb606f202f88
SHA5129b60740481e6095789267c678789a7f168e5a3f877e97601dab1482a98760642a8fe8b98a5862c8fc524b4c1ac2733d53b601cd0c35dc389d250fe0b9586310b
-
Filesize
30.1MB
MD535f531335e9445fdfc6fef2f801bfc60
SHA1c7d389d7353aed56abb76f995a923993915d52c2
SHA25674de05a63d1a802cecb6bfea6758d63da4330ef2b8b4ae4fc7db140f4e36dfc9
SHA5124757eb210b990b4551bdf6411799106ccda1bfb3440a0cfa8e9d73867dd9b3e86a0cc55664d229cb6cf5a8422d6ff9db9b8074f1893dd2783464c41d6eae8ae6
-
Filesize
1.4MB
MD5f8f200abd5ee563296796a471b5a626d
SHA13cde232225ad04f30f5e078a8f42802437e96d9e
SHA2561828790bca2523277c7ff297349531ddb008b662bc200d344e533941c59774d0
SHA512d841742a47516eea911e913fd0b3139406fa1b37213f6d54f4bf039304504cba1c18d0e413a647b72bbac1b0c9e91efcafdc2e39e07fb6e7fa3644382adcdab2
-
Filesize
5.2MB
MD55366052e754c23b9733e6c198b963a90
SHA174563a0c300e6aec3e84232b2fa8fd18c502317a
SHA256d70b7b3eeb847a477e9fe1912c6e745980500be9004bb3a6948b1af8cab13383
SHA512bf5828378fd9aef5638439e579fe5862a8f821bf40626cceb0d7dd0e0d57fec5ab3513ac16ec39d9b9cd2f69f2e62062f248e72da155e7b11da2a8f5eb329531
-
Filesize
2.1MB
MD59f3ac811bf4713f2dec9da5cf1e3524d
SHA1636ee9d67e9ac692b71b953dc66ee1e00a967fb9
SHA2569a24680c98f0c0659f123d6365c6eb4c08ba0212e08bed48c36ce19f35b97a12
SHA5127672744a4090225984c1576a998c14a2220db185118d581f421b688a1d44435c5f9481360ed719ea5503f31e4ea91a2f2695b65d0922e72d1e98b44e91d0d02a
-
Filesize
2.0MB
MD5e01b8bdb87c6c7ad18cbd29fa93e44bd
SHA1bfcc3ac74f6d2fd578d3efbaf47954ecb9099bad
SHA2562293f86fe35c84ae28e39a585862d00d47cb6a4163954c826c842379356a2e2d
SHA512ef576f127407d1c72f4e02c57b5c8d3795af48abc5fd8d7306a0f89f09e2d095fca664a7ef6d75533b4774b689ef093bfc414563549ae5111cc4b5f306d6a34e
-
Filesize
1024KB
MD5e4e8bd22f7cb41cb482ed6d096f5454a
SHA1fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA2564e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000
Filesize240B
MD57ca2da6f1e7bca562d7d9376700a912f
SHA167feaa004013eee76282e3b3fc196279f2577dcb
SHA25604fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e
SHA5124f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
2.4MB
MD5b31b234cb0f534069ba32aaaeacd7b2d
SHA1d6f90459f8bdbf7e75cc85affe9b137dc5e304e2
SHA256b5a652a1025f194f59e1349a1f26709d7ff7760067439b2d52d988a55d9340f0
SHA512138cb14f6018d3bddd78012c5b36a591fe70d1b2b7f9d3774230639302401be57e1a4d6098c66a83c47e67138ac6dbe79f64548e4c317bb804a4e9a3ffdf94ea
-
Filesize
1.3MB
MD5aaeef04f32bb756030e77fde65727b26
SHA136547656f30b05a2fcdb3b8f46914322d25caa8d
SHA256bb0afc6c5b3e4ab1e5482e1a2adda46b9b2c6fdbd3cfdb4900e1041564d0b82d
SHA512f97fd09a3b9ccbf841a3436ba30ef160f61d2cca048e72d9c9de3ed34380e4a68939cc214cb54aab7808561ed9fa65b1665ac64ab5d5f07b1f4c430cc7229561
-
Filesize
872KB
MD5f74cd144e667130be8133d08e3537c3a
SHA13b9ad66b47dcfbc50645094934f03d62fb83a18a
SHA256c81bbcff8c8486c4ce34531512820e4bc319a7ee95e15d22f40320059e598107
SHA5120a10763db19454c96f20b97a0d469535aa4ddfef46f6b2b5ff6470a05447a0704ee5a2689ad33b476a4d4524eed6f3e18b12c0b018a440e001bae4c81ccecacc
-
Filesize
1.3MB
MD5f440c8a8cad093b3373e8e6d3a08250d
SHA16d3e9b5b60438215a32ba576b647d8e7885969e8
SHA256ca5a354376096b798527643600144ad3d033871ff2ec4270b2fcc8dfbecb2836
SHA512a5b3d9496f88bf55a691fdb97bd62d3f71ac7e66797132b203d4680bfce2521ae72bdbf8f04e06f76915448c78152737c4501d57acd82c14f4a5bd86cb290b7c
-
Filesize
1.3MB
MD549b959f2b5505c1fa207136604aa13e9
SHA12fde0077737e6ba77b109c3204fc2e0b178aa16a
SHA256eabef78a58064c98674cb2a64d4235c357c4003bc4468712c4025d2ba9ecb51b
SHA512101e6dfd1c28e1460ee05bb08c9e4c80b0a017e942e6a7e5c975b2b190c75a86aba92b6f472ad5e44cf4771cc41d672ec815e84f1138714f527369e4fe12704f
-
Filesize
1003KB
MD59e30bcb0a84fb0bfa1698a893364d323
SHA127ed1be3c4708e9556ee4a2f239a613e66e74d07
SHA256fbeb3dfff96910d804869bf688b67f03bd6c5b3bd4f1029714403578f425e3e3
SHA512f77791114d70568192b1a81f70523c88ab34c5b05279df44c2653f0f5c8ee7fc0b239a021f46f14348d7476b182d8509223859d832104b04c0e44b49fab9fcb7
-
Filesize
1.3MB
MD52a53f5fc75de6da40526f7e3250e6e5e
SHA1103b91089a11baf807a0f2c102f1cd4318dc155d
SHA25665b84bb7c3ea04aaeae3eff8b8f4599b4f1df2fdd421137b179eabf58e5002f6
SHA5129d2f0463d5c7208aa018a6b1b00590e980a16fa7542cbf2860f59705b090a707c90d60fb9b86e31013c3974a4354f7c24c63ed86880a79410839212cb62f3010
-
Filesize
8KB
MD5b59e1f066e9539fdce98342e176a2d12
SHA158e740eb74c45ab3f1d2194410b4fafb95996001
SHA256969d3c058fe3234d57fa53b793ddf05b62ee63fadaa5631337f12e412b325a9e
SHA512489c5af5e36faee30cdac09f222d481415863febf60ef4c4a11f6016cd432cf64554b248cf0e9be16a529cb47d396793deeafbf5527a710de59cebdce949ed6c
-
Filesize
1.3MB
MD58852554fb499fe38cfeb75e53494b1f7
SHA16ce6846b154ff8033fa5319ed3979585648b5438
SHA2566615d260da5a75c23aba1759869952403d690dea2caee4e9654456f72cc6146c
SHA512cfba3fe92227040a101878343169b800108ac4ba95b164d02fcc0a07ef3708ea913ab9192c330ac51e362f553f4f0eabffe958154425c2e36382a7a8e8cca390
-
Filesize
1.1MB
MD531320d84062129580f84d491f09e0b1a
SHA155cc75d7f5f31d4e12578686b05cf572db70ec16
SHA256ef81a30405d1582bbe162cce5c1565a3fd8a66e3a3786efe80f0b28401ffa29b
SHA512029c502e8d027150d3e9d52b7eb285f6d26504186fa2c60bd06982f882cf14539e834b97c03f7a10115b80d86b08e22e669fa5162176abf0d3ba7d8ee44d4d1e
-
Filesize
1.3MB
MD517ee976c3a588302f58ba4d9969483f6
SHA1ed84133e780c7df470a4d9bb79f6505bdbc33b8f
SHA256ac31ec4c5bc5a305715dbe94006720238f7eb61c97bf20b40e71f3455b6d734d
SHA512faf0715b57fa69eae44d6f216149f1d9550ba95a2cf137f5eedcb2891c46e671e5f57c844a4328d8327d3ae6c097c880e64e3c781165f753fc4283d3e9a2b833
-
Filesize
1.4MB
MD50eb7a0991c25d83b69905ea916816230
SHA19d19edef8ee6ce2b5eaa0de18d7502e5e2ca81c6
SHA256c2f23c35e672ef397c9799c5d37719a18f68e5e128ac4608985616a5ada6cac1
SHA512e84d73106c893c7ef0152346151853058323dce44356639208196ea45cbb443913def5bd713c1d882d2b4ac746158b35f78a3ff0655ad5802d9fdcc334082985
-
Filesize
1.7MB
MD5093f938123907cf1b644aea60a438792
SHA1aaac7fab43879408fb1d8e4ab96a84635da491e2
SHA2567423c6025ec70fa08ece65999071c6a40dd9b82f5f4daa9f1f217c5169b9b6c8
SHA512250b0f5d27d59ba66593318f42d9fe8b475576f0b9d44c0c23426f3d4fe520e3eebf7263953da4decc3abddbec18b7c44178882b46e4da00ebbc089298518f34
-
Filesize
2.0MB
MD517c3df19b91cb041a94fd0693bb20079
SHA167316e1768682e8fc87858f27c0b27c63b7b5b1a
SHA256d5b9fa7cdd69b5b3929d1691d1c06136f3259f8b7d05f5ac71fae7512a4cc9f2
SHA5120e015232c17ce614e8a6e95ef120d45f204ee5457bbecf6658518e5cee1b1159081ed6422a716789d1d25a173cc35eb27e33f98916da0c9b7f38f50275c6e391
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-