Analysis
-
max time kernel
141s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 22:36
Static task
static1
Behavioral task
behavioral1
Sample
78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
-
Size
616KB
-
MD5
78202f5b6acbaec3923c4311e04542a0
-
SHA1
f42218554f6eed6ad7fdaaa240b09f974e2b77e6
-
SHA256
f5ae496bf325d3642134990dfa2f684208521725d7b8796a6b5b0889b74480cc
-
SHA512
dadc2a779af92344b6dd2cf1d2b215df8394d76cfc707de25d27f2071e32e6d0f83343f04f20b79c72573160910bcc342dc1b2463238ab6a455acae06f026afd
-
SSDEEP
12288:MiV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMsO:M6Vg9N9JMlDlfjRiVuVsWt5MJMsO
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 468 Process not Found 988 alg.exe 2860 aspnet_state.exe 2824 mscorsvw.exe 2992 mscorsvw.exe 2572 mscorsvw.exe 2584 mscorsvw.exe 2128 ehRecvr.exe 844 ehsched.exe 2380 elevation_service.exe 2360 IEEtwCollector.exe 972 GROOVE.EXE 2276 dllhost.exe 2732 maintenanceservice.exe 2512 OSE.EXE 1364 OSPPSVC.EXE 2824 mscorsvw.exe 1680 mscorsvw.exe 548 mscorsvw.exe 2672 mscorsvw.exe 2412 mscorsvw.exe 2188 mscorsvw.exe 2292 mscorsvw.exe 1760 mscorsvw.exe 768 mscorsvw.exe 2176 mscorsvw.exe 1716 mscorsvw.exe 2676 mscorsvw.exe 2600 mscorsvw.exe 2992 mscorsvw.exe 2832 mscorsvw.exe 1876 mscorsvw.exe 2196 mscorsvw.exe 2720 mscorsvw.exe 784 mscorsvw.exe 1584 mscorsvw.exe 2940 mscorsvw.exe 2568 mscorsvw.exe 2652 mscorsvw.exe 2964 mscorsvw.exe 2828 mscorsvw.exe 1152 mscorsvw.exe 1304 mscorsvw.exe 2660 mscorsvw.exe 2564 mscorsvw.exe 1832 mscorsvw.exe 2068 mscorsvw.exe 1824 mscorsvw.exe 2984 mscorsvw.exe 2232 mscorsvw.exe 1520 mscorsvw.exe 1980 mscorsvw.exe 1700 mscorsvw.exe 3024 mscorsvw.exe 2676 mscorsvw.exe 2384 mscorsvw.exe 1696 mscorsvw.exe 1956 mscorsvw.exe 1424 mscorsvw.exe 668 mscorsvw.exe 2336 mscorsvw.exe 2264 mscorsvw.exe 1968 mscorsvw.exe 1380 mscorsvw.exe -
Loads dropped DLL 48 IoCs
pid Process 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 1832 mscorsvw.exe 1832 mscorsvw.exe 1824 mscorsvw.exe 1824 mscorsvw.exe 2232 mscorsvw.exe 2232 mscorsvw.exe 1980 mscorsvw.exe 1980 mscorsvw.exe 3024 mscorsvw.exe 3024 mscorsvw.exe 2384 mscorsvw.exe 2384 mscorsvw.exe 1956 mscorsvw.exe 1956 mscorsvw.exe 668 mscorsvw.exe 668 mscorsvw.exe 2264 mscorsvw.exe 2264 mscorsvw.exe 1380 mscorsvw.exe 1380 mscorsvw.exe 2548 mscorsvw.exe 2548 mscorsvw.exe 2852 mscorsvw.exe 2852 mscorsvw.exe 1940 mscorsvw.exe 1940 mscorsvw.exe 1604 mscorsvw.exe 1604 mscorsvw.exe 1684 mscorsvw.exe 1684 mscorsvw.exe 1584 mscorsvw.exe 1584 mscorsvw.exe 904 mscorsvw.exe 904 mscorsvw.exe 588 mscorsvw.exe 588 mscorsvw.exe 2316 mscorsvw.exe 2316 mscorsvw.exe 1676 mscorsvw.exe 1676 mscorsvw.exe 920 mscorsvw.exe 920 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\System32\alg.exe 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe File opened for modification C:\Windows\system32\dllhost.exe 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe mscorsvw.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\6a18e057ae4ef42b.bin alg.exe File opened for modification C:\Windows\system32\fxssvc.exe 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\fxssvc.exe mscorsvw.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe mscorsvw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe alg.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe alg.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe mscorsvw.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9BE2.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP92ED.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPACF2.tmp\ehiVidCtl.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe alg.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{87ACE2F1-3FAB-46E2-98EB-E26A66C81DFA}.crmlog dllhost.exe File opened for modification C:\Windows\ehome\ehsched.exe mscorsvw.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A8D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehRecvr.exe 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE560.tmp\Microsoft.Office.Tools.Common.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2008 ehRec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2148 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: 33 1600 EhTray.exe Token: SeIncBasePriorityPrivilege 1600 EhTray.exe Token: SeDebugPrivilege 2008 ehRec.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: 33 1600 EhTray.exe Token: SeIncBasePriorityPrivilege 1600 EhTray.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeDebugPrivilege 988 alg.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeDebugPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe Token: SeShutdownPrivilege 2584 mscorsvw.exe Token: SeShutdownPrivilege 2572 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1600 EhTray.exe 1600 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1600 EhTray.exe 1600 EhTray.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2148 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2824 2572 mscorsvw.exe 47 PID 2572 wrote to memory of 2824 2572 mscorsvw.exe 47 PID 2572 wrote to memory of 2824 2572 mscorsvw.exe 47 PID 2572 wrote to memory of 2824 2572 mscorsvw.exe 47 PID 2572 wrote to memory of 1680 2572 mscorsvw.exe 48 PID 2572 wrote to memory of 1680 2572 mscorsvw.exe 48 PID 2572 wrote to memory of 1680 2572 mscorsvw.exe 48 PID 2572 wrote to memory of 1680 2572 mscorsvw.exe 48 PID 2572 wrote to memory of 548 2572 mscorsvw.exe 49 PID 2572 wrote to memory of 548 2572 mscorsvw.exe 49 PID 2572 wrote to memory of 548 2572 mscorsvw.exe 49 PID 2572 wrote to memory of 548 2572 mscorsvw.exe 49 PID 2572 wrote to memory of 2672 2572 mscorsvw.exe 50 PID 2572 wrote to memory of 2672 2572 mscorsvw.exe 50 PID 2572 wrote to memory of 2672 2572 mscorsvw.exe 50 PID 2572 wrote to memory of 2672 2572 mscorsvw.exe 50 PID 2572 wrote to memory of 2412 2572 mscorsvw.exe 51 PID 2572 wrote to memory of 2412 2572 mscorsvw.exe 51 PID 2572 wrote to memory of 2412 2572 mscorsvw.exe 51 PID 2572 wrote to memory of 2412 2572 mscorsvw.exe 51 PID 2572 wrote to memory of 2188 2572 mscorsvw.exe 52 PID 2572 wrote to memory of 2188 2572 mscorsvw.exe 52 PID 2572 wrote to memory of 2188 2572 mscorsvw.exe 52 PID 2572 wrote to memory of 2188 2572 mscorsvw.exe 52 PID 2572 wrote to memory of 2292 2572 mscorsvw.exe 53 PID 2572 wrote to memory of 2292 2572 mscorsvw.exe 53 PID 2572 wrote to memory of 2292 2572 mscorsvw.exe 53 PID 2572 wrote to memory of 2292 2572 mscorsvw.exe 53 PID 2572 wrote to memory of 1760 2572 mscorsvw.exe 54 PID 2572 wrote to memory of 1760 2572 mscorsvw.exe 54 PID 2572 wrote to memory of 1760 2572 mscorsvw.exe 54 PID 2572 wrote to memory of 1760 2572 mscorsvw.exe 54 PID 2572 wrote to memory of 768 2572 mscorsvw.exe 55 PID 2572 wrote to memory of 768 2572 mscorsvw.exe 55 PID 2572 wrote to memory of 768 2572 mscorsvw.exe 55 PID 2572 wrote to memory of 768 2572 mscorsvw.exe 55 PID 2572 wrote to memory of 2176 2572 mscorsvw.exe 56 PID 2572 wrote to memory of 2176 2572 mscorsvw.exe 56 PID 2572 wrote to memory of 2176 2572 mscorsvw.exe 56 PID 2572 wrote to memory of 2176 2572 mscorsvw.exe 56 PID 2572 wrote to memory of 1716 2572 mscorsvw.exe 57 PID 2572 wrote to memory of 1716 2572 mscorsvw.exe 57 PID 2572 wrote to memory of 1716 2572 mscorsvw.exe 57 PID 2572 wrote to memory of 1716 2572 mscorsvw.exe 57 PID 2572 wrote to memory of 2676 2572 mscorsvw.exe 58 PID 2572 wrote to memory of 2676 2572 mscorsvw.exe 58 PID 2572 wrote to memory of 2676 2572 mscorsvw.exe 58 PID 2572 wrote to memory of 2676 2572 mscorsvw.exe 58 PID 2572 wrote to memory of 2600 2572 mscorsvw.exe 59 PID 2572 wrote to memory of 2600 2572 mscorsvw.exe 59 PID 2572 wrote to memory of 2600 2572 mscorsvw.exe 59 PID 2572 wrote to memory of 2600 2572 mscorsvw.exe 59 PID 2572 wrote to memory of 2992 2572 mscorsvw.exe 60 PID 2572 wrote to memory of 2992 2572 mscorsvw.exe 60 PID 2572 wrote to memory of 2992 2572 mscorsvw.exe 60 PID 2572 wrote to memory of 2992 2572 mscorsvw.exe 60 PID 2572 wrote to memory of 2832 2572 mscorsvw.exe 61 PID 2572 wrote to memory of 2832 2572 mscorsvw.exe 61 PID 2572 wrote to memory of 2832 2572 mscorsvw.exe 61 PID 2572 wrote to memory of 2832 2572 mscorsvw.exe 61 PID 2572 wrote to memory of 1876 2572 mscorsvw.exe 62 PID 2572 wrote to memory of 1876 2572 mscorsvw.exe 62 PID 2572 wrote to memory of 1876 2572 mscorsvw.exe 62 PID 2572 wrote to memory of 1876 2572 mscorsvw.exe 62 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2148
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:988
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2860
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2824
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2992
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f4 -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2412
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 1f4 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f4 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 28c -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 28c -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 280 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 264 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 288 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 274 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2d8 -NGENProcess 1d8 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 264 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 1d8 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2e4 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 1d8 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 1d8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 300 -NGENProcess 2cc -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2dc -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 30c -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2cc -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 318 -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2cc -NGENProcess 314 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 310 -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 31c -NGENProcess 318 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 314 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 314 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 330 -NGENProcess 318 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 338 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 304 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:2548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 334 -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 340 -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 348 -NGENProcess 304 -Pipe 338 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 304 -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:1876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 350 -NGENProcess 340 -Pipe 318 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 340 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:2804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 358 -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 334 -NGENProcess 350 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 360 -NGENProcess 348 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 348 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 368 -NGENProcess 350 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:1812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:1924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 36c -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 334 -NGENProcess 364 -Pipe 328 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 364 -NGENProcess 370 -Pipe 348 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 370 -NGENProcess 32c -Pipe 368 -Comment "NGen Worker Process"2⤵PID:2668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 380 -NGENProcess 378 -Pipe 360 -Comment "NGen Worker Process"2⤵PID:2944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"2⤵PID:1872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 334 -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"2⤵PID:2452
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 390 -NGENProcess 384 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:2688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 38c -Pipe 364 -Comment "NGen Worker Process"2⤵PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 334 -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"2⤵PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 38c -Pipe 388 -Comment "NGen Worker Process"2⤵PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3a0 -NGENProcess 394 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 370 -Comment "NGen Worker Process"2⤵PID:2972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 32c -NGENProcess 3ac -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 37c -NGENProcess 39c -Pipe 398 -Comment "NGen Worker Process"2⤵PID:528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3b0 -NGENProcess 3a4 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:1748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 334 -Comment "NGen Worker Process"2⤵PID:2180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 32c -Pipe 3bc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 38c -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:2520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3c0 -NGENProcess 3b0 -Pipe 394 -Comment "NGen Worker Process"2⤵PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 32c -Pipe 39c -Comment "NGen Worker Process"2⤵PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c4 -NGENProcess 3c0 -Pipe 3b8 -Comment "NGen Worker Process"2⤵PID:1496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3b4 -NGENProcess 20c -Pipe 3c8 -Comment "NGen Worker Process"2⤵PID:1656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b0 -NGENProcess 3ac -Pipe 3cc -Comment "NGen Worker Process"2⤵PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a4 -NGENProcess 3a8 -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:1808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3d0 -NGENProcess 20c -Pipe 3c4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3ac -Pipe 210 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3ac -NGENProcess 3b0 -Pipe 3dc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 32c -NGENProcess 3d8 -Pipe 3b4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3d8 -NGENProcess 32c -Pipe 3e0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3e4 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3b0 -NGENProcess 3d0 -Pipe 3ec -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a4 -NGENProcess 3e8 -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3f0 -NGENProcess 3d8 -Pipe 20c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3d0 -Pipe 38c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1088
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3e8 -Pipe 3ac -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3d0 -Pipe 3b0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3d0 -NGENProcess 3f8 -Pipe 3e8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3a4 -NGENProcess 410 -Pipe 404 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 410 -NGENProcess 3d8 -Pipe 3f8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 414 -NGENProcess 3f4 -Pipe 410 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3f4 -NGENProcess 3d0 -Pipe 3d8 -Comment "NGen Worker Process"2⤵PID:1108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 41c -NGENProcess 3a4 -Pipe 408 -Comment "NGen Worker Process"2⤵PID:3028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 32c -Pipe 418 -Comment "NGen Worker Process"2⤵PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 32c -NGENProcess 3f4 -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 428 -NGENProcess 3a4 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:1536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 424 -Pipe 414 -Comment "NGen Worker Process"2⤵PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3f4 -Pipe 41c -Comment "NGen Worker Process"2⤵PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3a4 -Pipe 40c -Comment "NGen Worker Process"2⤵PID:1064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 424 -Pipe 420 -Comment "NGen Worker Process"2⤵PID:1360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3f4 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:1924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 42c -Pipe 428 -Comment "NGen Worker Process"2⤵PID:2340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 424 -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 25c -NGENProcess 3f4 -Pipe 260 -Comment "NGen Worker Process"2⤵PID:2068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 1f0 -Pipe 224 -Comment "NGen Worker Process"2⤵PID:1764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 444 -NGENProcess 438 -Pipe 25c -Comment "NGen Worker Process"2⤵PID:2064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 42c -NGENProcess 1f0 -Pipe 43c -Comment "NGen Worker Process"2⤵PID:3032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3f0 -NGENProcess 440 -Pipe 230 -Comment "NGen Worker Process"2⤵PID:1068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 434 -NGENProcess 438 -Pipe 26c -Comment "NGen Worker Process"2⤵PID:1028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 430 -NGENProcess 1f0 -Pipe d0 -Comment "NGen Worker Process"2⤵PID:1844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 430 -NGENProcess 434 -Pipe 440 -Comment "NGen Worker Process"2⤵PID:2244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 444 -Comment "NGen Worker Process"2⤵PID:548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 450 -NGENProcess 3f0 -Pipe 3f4 -Comment "NGen Worker Process"2⤵PID:1080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2964
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2828
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:2128
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:844
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1600
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2380
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2360
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2276
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2732
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2512
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:1364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD5c74ef12381c97f9a46d3322963fd2d50
SHA127c7c23ad446292f77abc1a03b9cb7a87e298ce4
SHA256e0f9e5c775901d361595ba4a48b37b8412c889687c6ded673274ae6176e7a0bf
SHA512b232a1da1d7247fbc3724ede089be690f2d8584b1868182c44d751246240db3c38bf5d0b0e2b6d07ea41019108dde03aad42df83c01a9aa64fec1060ad7a169c
-
Filesize
1.6MB
MD57e06385865d4468a99c40356bbf8f62a
SHA140241a2bb79d3669942194ae8270dd699ec04dd7
SHA2566d7518cf7afe4171b4146704c41ae91bc3df4a99baa1cea6dc03506d7588ebfa
SHA512d555d29af1b0979110ec4270fdd9e3cff7d84d520299c25054f4e3f5f0e7e2668afc4f40883f1f090dcdf98851ffe0caf33265326b33e927305caab29da3c812
-
Filesize
1.3MB
MD5fac29aed982d44243cb4ecbde97483d4
SHA1624879dc3caa3ef8b265dedff484c01e08c7c138
SHA2563e934b476977ec8b6929453c434d152d5f42c09d6fa7172d4268bfb74cdb543f
SHA5122891e95d742564496587d9251ec1c4717c8ff4be3188cfbc7490529d082c815c2e5cbcad952beba8193b88350e9820cc77092bb6bf44612c5f9a488ef679ce68
-
Filesize
1.0MB
MD56d1f02d51ffe1f9dc50620f70e2ee75a
SHA1adc6585c0a50c7666d095a6da7f0ae1cc5f3be9a
SHA2568e961c8bc043d91443894ffc2f5f11debd5fe42862f513d37ce044138cccb859
SHA51233db200e62172929043f6d892e581d146dfcd56083a8b905f366e9de3b548939fc9b186760521ccf5d489ebe8c89f66b286abefc84583c679aabcdaf7f9b09b1
-
Filesize
706KB
MD53d72e29832be3ad2b0a1c21af9dbf6f8
SHA14c97fe844eccb74549e029a61c0cde8e342c2fdb
SHA256409db648c8c04c406ca43e5dac87e78f310c43a8d3d04cc4e0a586136a5c9f49
SHA512823fd551aad107dd8a3f64eecb9cf47eab080900e92710929661eaf2f36ae3340b52ff4186973050d47cea6aaf94e569da7ca6db68bb75fecfe72f5fc884f0d8
-
Filesize
30.1MB
MD51815f22e26b35bb1f00c1dbb6655bf56
SHA1d47046d6516e1db6d25dcac8393c3fb43a63680b
SHA256471414918035be9c80c90a621bd05a90cf677b24e22561692bc955860897d8af
SHA512923b9407056dfd70d9ebc34799f40b4d6de867cabee5f7b7de5fb5f10bd063dbee77861385741fc5f70d2068f249e288c7aef41c0cf8fc08676712139a16166f
-
Filesize
781KB
MD53bb773cee74423f4fd6142da30a4019d
SHA123f5e57fba5c8ab0be848a78e1fab20a735f7754
SHA256c183ce128441ced9c06cabc8618cab6e154e01b3de7bf2721f1cc4a92045e72f
SHA5128b9b6dca6729c654cf3d1df84442507c16d506a4c69a036dcce61f25b23e6f48c638c4d06cab5d697481567220a665b7696f6755178645bc260c9d1ecb3fc291
-
Filesize
1.1MB
MD5448ff519c89ca46a4d60d2cb86c8e4fe
SHA121d97804186ba93f4ef990bd490d43f4f0a67a4e
SHA256ef38c5ab39842c34d014334afaf07ffa48b19e368b84101549b525dcc61cda0c
SHA512a713c6f3c0f982fcf312ab0a60e10c49556619fd2a02f46f62d75016c5f6741f0d511b9f3e778dcd7c27e73226522b0772a0195246f722aaf7d2aabdfb7e4b8e
-
Filesize
1.5MB
MD5bd7c5530ce225205462cc72e7056bdca
SHA18de2e010010d1ed683b8b4dcf404208714feefe4
SHA256797ca0c7226899d997f32f1f4263445357e95027208097f3d45156de445fab8a
SHA512c78fe74cf790b1e761c1f918ba260639c0da1ece14e5492b0791851940a69fbec64dad2c157299c27dafbee0b12cc8630653a3648fa3aeb83a56fd6118ca3c0d
-
Filesize
1.2MB
MD5a44dcfa3d57d6add747653e03293ef1f
SHA17beb14cae6110b0d7dce916482da15271134e6fc
SHA2562e28d8ae5faf6add43951e80296e5efac76d81eb06dda8b666e17300818bf6fc
SHA5126fcad5fed824117af90bd371cfee8b352cdf13978012011e4d87f32493a43aa70f284937c7fb1dd126f960062a635675728843343c79dcee5a401bd17c4157fe
-
Filesize
582KB
MD50b557a3416c3f08f1d1235493a3876e4
SHA110e0e77fb4f251887468f6acaea9c00ab1f068a2
SHA2568bee0daf5f77d69a3476084acf5dd516439120633e3b5ea208acd0ff75406390
SHA5120991f47a659e6bf818a2997c6b84261df130d9f2797dd7f9d5bcea44a33de01befd1d9bf2f2f05e84e97de7fc5d189e72aa8ac4c642a77eeb7de82ef410d16c1
-
Filesize
5.2MB
MD54e70de74440a4f9e99269736c2fbbe8e
SHA12a9d9a4f1b12a9b66675e70ac7407711ba304de1
SHA25614a745922e576746fa8cceb7020f43a4b4cbad0fb6e74c95ff2ab7fee92e4ce4
SHA51220080ce4604148279de4de3de2a09d127bedeb87632e8de47348336734af33d2eb6ceed4d9e43d413d370db30661699e7c716f7210f6498ab0582bceb4e7200a
-
Filesize
2.1MB
MD5f981492ea5f2b43acefb5a0c68ca0242
SHA1584a6160ecfd0d74a5359b8d88219bea778c2815
SHA256224c88f123869d313006a9798e1289936840b192ab643e3b3e4edfcf13ff5563
SHA512114741f5c936c470554d63f169c183ce86286ee6f0c28156d63a86f195d496834bc224cbd7fa7e416f5418d1ce0e86e004b65198f9236657f0b579583d45b72f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD52ead4076eb183f60cc2edff7eeaf3e78
SHA17652de9c8765c33452dfb4e3b37774dbd55461a6
SHA25677439eddd0ddc3cb41aa02609570cba986d97bdb63c8a3aa6043ca1de6db8f07
SHA512c2a1f12501cc9cc23b0680fb5408b7864255ff4cd08cb3d7b91a635bba7640f6ba821f232405517e4bec1ffed36c85d4b78476d6a24d3b6d70ff465c82cb98db
-
Filesize
678KB
MD5dfc62a648077594c151d0d0797bb2797
SHA163878bbc5d47cd17eda613c6a2bbab7879d1ca4f
SHA2564f0df9078e737f8820df0c080d2a41d1fdb1dbc84669520a2a45319b6ff55976
SHA512d9e01fc6fd9dee4bf74ef0ae0c31e1c623331e066c8083111033f5c511cfa1bb5eb173ae765d2cd7e48e5ebe22d081d9a1a5c31f5b39f01afe6ebd263cc24c22
-
Filesize
625KB
MD5608ab0372d6668ea8592aa25c1d20043
SHA170c42c2975d7bbeb92bd3ab3d6ec04032f44a292
SHA25638931da1daba586a6b73febf6db45520d4750efc4dcde863cb85a6b3de40c4c2
SHA5128562827c1e7d4d6adebd0ee893002e05bc0b8bd4582fb46d64b2c76995c5020036c9839df2c89cd7bc178be1d4d4fc0f607f364b0249ab60840718bd23070ab6
-
Filesize
1003KB
MD521f1690ac5662b3f7eda433afa0826cc
SHA12496833d8b86878b972e96825a4fa85be2b3a223
SHA256bc1e87877e832c40448e63e2082bb176b7cabe89acea9c2c16cacca84818895b
SHA512519c12cf9f3d12ad06e6c1beddd95b8cd148f9ee1b9d6fca2ea038666530a868fba72ada572cbe5f09d4e7f2f2cf6f52c0a6bd4ae0a073b5df02304f21334085
-
Filesize
656KB
MD5bf97ed6658d1691bc575f8a516154455
SHA19255abe394b0201d90c4a3c4a87a8937bfe1dd3f
SHA256d9c9d80fa8d2a8e2fa1823eb2309532da88a981bcb138fa69a0bfbdcff5c6648
SHA512d039a9998b0d18e3361177df19a48eee118c39a7b7b215070d126e88400c4e03eb04949c7e03e91e8bd21884d61fc82d54702fb4e3103fe3ffef56f27652ef8f
-
Filesize
8KB
MD5a39bb85ac8e5fe859d181d3d92ce1bf8
SHA10bcb9a4aad01872223f145a85bea7920f9fc41be
SHA256cea07b1aa1c0304638e15b77be37725f0e09d5aec883af3c094ec6b2ae544c43
SHA512f19c286a5393f0c9d0657258dc0f073a1e323460194249dcc6ef3d7a0f02fb37643aaf3a275eac0a10cc6f6e5f8ea1671c5eb2839da72a170fae97ec658d7cd7
-
Filesize
644KB
MD55ec855ece301c7d18f0d49ba81952753
SHA10140371c59fa7d708d5a838010a7111a23bbda23
SHA256a1815abbd5e5221f152a10a9d79cff317cf812b1cb810ffebf5c3d340225013f
SHA5129a9acc4a990ca0905ffb8730208de9aadcc698a6278795663cb9f3bc139bb2886530a64c6447fa7d6dce370ae3faab4901f52279b54262b8fc547fc69271c0fb
-
Filesize
577KB
MD573cc8dd716f08949ed8ae842af92ed96
SHA1ac529bc59e3551c5deb8a896f002e49a62639408
SHA256655f42f6f1cde03c9702949deb67e6f1b3684c1502e6e8fe7789d592cceeb0c1
SHA5123907c430c61a8dec9ee4194e5d749aebd5f9fc5e180b54e684b3f50c652493f5335152a07627323c49038f8de5534a963ed73b17f625fe975e51be54eb141bb3
-
Filesize
674KB
MD50567ac909e031c4e1e0e88a7711fac4b
SHA1bedbdfe732102750f739167cdba9e813642cbe28
SHA2565f31d79250d7e7b275a372cbfbc2b7749588664bb559febc9b9c5ae26e949bb4
SHA5128e7d5a9df74195e13a2fc51e5f9c021f6b0985a285f5cc862c89b2aa8b11efd2cc5f1979fb40610d56ecb29248a8a508d39e31a2e2ae56f21e3b7029ec3be7f0
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize834KB
MD5c76656b09bb7df6bd2ac1a6177a0027c
SHA10c296994a249e8649b19be84dce27c9ddafef3e0
SHA256a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA5128390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
MD5e88828b5a35063aa16c68ffb8322215d
SHA18225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA25699facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\658b12fcacec99c60ed06d08bb14cf64\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD5c0461fdd14953b8895566b597aa6168b
SHA191a55c9065c9305c1514c41ed73ca3ace7c82641
SHA2565d1d49ed00f5bfc311e0822eb9a0649f290739f22a5e8687cdd5064a36960304
SHA51206f9cd470b179f9a1df3d8553cb2caabf94dadf18d5a7eb409ac4b56012fe7d7627426460d732dbe3b79e68c1da91e014245e1d3e2f22ec16ad5171ed1586126
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d36d5faf337c14ca97417ad2d1b160d9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD593d0775e417ce3677d7f01cee57f5140
SHA16c178349e4b6d3026732ed5186a1fe0860bc1e9b
SHA256aca40c4be1ac4db099f03389d34da9764f226ecbfab53dbf15ca43f04ad93bc5
SHA512267e573ebb93e1e2f0dae8777525e2975a259cc3f013e3e3815ebeaf688354401fbdc03775b12c0a7348595aa60d3ec3b9147079ebd6f383b832f2f66857e266
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5f786ebe6116b55d4dc62a63dfede2ca6
SHA1ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA2569805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA51280832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f447edd8ac0b3db392343df916a15544\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD594bda3a9527925c69c58b0f239555d47
SHA1440b0c77c2a365853cde699c663f41c8b415a6ec
SHA256e5aa0ed2b54d92181a52005dcd4e2dd43c0aed74defcb11306f3ba392ebe18ff
SHA51213b7b002ea83a3fc82a41f9617a66c35f51355440ad9114f05d17ca2fdf93f2fc04a9d74d91547b43a99cc1ea5690816725b8f5a066033f7cbe89ec8e44d8182
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.2MB
MD56d1468a97f87bc2132c1a8c237f93088
SHA1848186197bb1e5dd3dcc9a38f689e2e80a8ac7bc
SHA256046147de8c1511b31e8e08823e5deafe5e285a0ccf967c6ef96f32a82f6a8fb4
SHA5129c830003ad37eb882515403424110551f1baebadb32ccde4886d2982d1dc4595439236e516ce0a3a2ec6e86af35a7992c11246f6fe351840c36f5b94ac554bc3
-
Filesize
648KB
MD58fa8ca0544305ca447d457af758cb400
SHA1227a6a4a5ba2f94910eb65bf68600a0c3b1e535e
SHA256bd50b86b0a767af4fe192c9acef7490aa1b20e5720dfcbbb0d2b14ab975cbff1
SHA5129e1c5f8b47cd678eb97dedf1065f6685c281ec7155c23c646d6be4e39c73bce97fd6a536210ff5c91d0bc4b0e985b0c0539bc60de9c46b65943d705a9a619937
-
Filesize
603KB
MD527e19d4cd7b871ec25239476152ae11c
SHA15a0ae5d551fc5f984e40c66d5e17ad85eb8425aa
SHA256fed031a46c203660f8e1b2524f4a5f53d206e60d70d4c5404be6613d7c8a27c1
SHA5127e913f5848a0758fb0d24857cae09d9004a649ca7b5d93974c8dd212e22dda73e6cc8c9a00c46490797f10359e13b19abf59a136f5ae7828071d9822e5a25da4
-
Filesize
1.2MB
MD5c7135a46dbd89ab63c4dd4a456b7a816
SHA1486d757996bce75fdf71032cd85f1941c2a6f751
SHA256e2f41817a47f5be6d21c952ffdb171e246492519911f84fa7369da82a7239d4e
SHA512b77d71f81f2829656707cbbd5e68068cae2a4db0f7a21a72d4808f1d2275d834208a4ae6b359d443cae2e08a9394388ad2d53fc0582766633cceaddf07795b47
-
Filesize
691KB
MD54cc8b91100c95ee6ff7bb0456f20aa55
SHA1360bb223cc9ece19fa7e551a238c2e9e8539ba18
SHA256261003e02f4fc05e04c10564cc57f04e6d6ffdbfb63386d01e6a831a09b2298a
SHA51200df837a9251e550791a8764330cffdc5a311228c53888845bcb109618004d43897fefdac0adfcf4b069a2043df7aecd316ab23ca455ebcd875350ad9e32bd87