Analysis
-
max time kernel
139s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 04:01
Static task
static1
Behavioral task
behavioral1
Sample
5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe
Resource
win7-20240611-en
General
-
Target
5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe
-
Size
1.6MB
-
MD5
5ccd41e6c4f24150636951644fd70dc0
-
SHA1
5fc8cffecc5abd0f6d3deaabb4e17f388f2d4dcc
-
SHA256
3db84d17be48e8e2416e457f1636a8fa8c9734242072cbf964dc2137db604939
-
SHA512
024b4bf6d93afb26727dbacd143202df3c183c2ab86a6fc96198888ec41f9f95cceba542aa7bc51347ba6c57976f0a9e6c5137821aed93916df09f2f92455b65
-
SSDEEP
24576:/5lB2hkhfvCpf2fTf/NxPq4yqF9p9OTG6WiqUtcQX:/l2hEvC4fTf/2/Q9boLy
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Processes:
alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeehsched.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 464 2700 alg.exe 2528 aspnet_state.exe 2524 mscorsvw.exe 1912 mscorsvw.exe 1668 mscorsvw.exe 928 mscorsvw.exe 3012 dllhost.exe 1532 ehRecvr.exe 2372 ehsched.exe 1188 GROOVE.EXE 1664 maintenanceservice.exe 2992 OSE.EXE 2780 OSPPSVC.EXE 1468 mscorsvw.exe 1376 mscorsvw.exe 2868 mscorsvw.exe 2504 mscorsvw.exe 1156 mscorsvw.exe 2204 mscorsvw.exe 2920 mscorsvw.exe 520 mscorsvw.exe 2400 mscorsvw.exe 1468 mscorsvw.exe 2036 mscorsvw.exe 1984 mscorsvw.exe 604 mscorsvw.exe 2188 mscorsvw.exe 1700 mscorsvw.exe 2164 mscorsvw.exe 580 mscorsvw.exe 2368 mscorsvw.exe 1916 mscorsvw.exe 2392 mscorsvw.exe 1468 mscorsvw.exe 2380 mscorsvw.exe 684 mscorsvw.exe 1448 mscorsvw.exe 544 mscorsvw.exe 2560 IEEtwCollector.exe 1528 msdtc.exe 2836 msiexec.exe 1632 perfhost.exe 2380 locator.exe 704 snmptrap.exe 1144 vds.exe 272 vssvc.exe 1764 wbengine.exe 1636 WmiApSrv.exe 2612 wmpnetwk.exe 3008 SearchIndexer.exe 2100 mscorsvw.exe 624 mscorsvw.exe 288 mscorsvw.exe 2888 mscorsvw.exe 1716 mscorsvw.exe 2964 mscorsvw.exe 1424 mscorsvw.exe 768 mscorsvw.exe 460 mscorsvw.exe 896 mscorsvw.exe 1080 mscorsvw.exe 2340 mscorsvw.exe 2656 mscorsvw.exe -
Loads dropped DLL 51 IoCs
Processes:
msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 464 464 464 464 464 464 464 464 2836 msiexec.exe 464 464 464 464 464 748 1716 mscorsvw.exe 1716 mscorsvw.exe 1424 mscorsvw.exe 1424 mscorsvw.exe 460 mscorsvw.exe 460 mscorsvw.exe 1080 mscorsvw.exe 1080 mscorsvw.exe 2656 mscorsvw.exe 2656 mscorsvw.exe 2840 mscorsvw.exe 2840 mscorsvw.exe 1700 mscorsvw.exe 1700 mscorsvw.exe 3060 mscorsvw.exe 3060 mscorsvw.exe 1448 mscorsvw.exe 1448 mscorsvw.exe 1996 mscorsvw.exe 1996 mscorsvw.exe 684 mscorsvw.exe 684 mscorsvw.exe 1736 mscorsvw.exe 1736 mscorsvw.exe 2340 mscorsvw.exe 2340 mscorsvw.exe 1756 mscorsvw.exe 1756 mscorsvw.exe 624 mscorsvw.exe 624 mscorsvw.exe 2968 mscorsvw.exe 2968 mscorsvw.exe 1920 mscorsvw.exe 1920 mscorsvw.exe 2620 mscorsvw.exe 2620 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 19 IoCs
Processes:
alg.exeGROOVE.EXEaspnet_state.exe5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exemsdtc.exedescription ioc process File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\System32\alg.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\7d5822b8ab55808.bin alg.exe File opened for modification C:\Windows\system32\dllhost.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe -
Drops file in Program Files directory 64 IoCs
Processes:
aspnet_state.exealg.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe aspnet_state.exe File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe alg.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe aspnet_state.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{5889422B-4E7B-4F63-944F-9F172CF77CBB}\chrome_installer.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe alg.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe alg.exe -
Drops file in Windows directory 64 IoCs
Processes:
mscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exedescription ioc process File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2A7560DA-314B-4012-B5B3-04EDC22A4A50}.crmlog dllhost.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehRecvr.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe aspnet_state.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP363D.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe aspnet_state.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP140D.tmp\Microsoft.Office.Tools.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2A7560DA-314B-4012-B5B3-04EDC22A4A50}.crmlog dllhost.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehRec.exemscorsvw.exeSearchFilterHost.exemscorsvw.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit ehRecvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86} SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
ehRec.exeaspnet_state.exepid process 1640 ehRec.exe 2528 aspnet_state.exe 2528 aspnet_state.exe 2528 aspnet_state.exe 2528 aspnet_state.exe 2528 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exedescription pid process Token: SeTakeOwnershipPrivilege 2944 5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: 33 2100 EhTray.exe Token: SeIncBasePriorityPrivilege 2100 EhTray.exe Token: SeDebugPrivilege 1640 ehRec.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: 33 2100 EhTray.exe Token: SeIncBasePriorityPrivilege 2100 EhTray.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeDebugPrivilege 2700 alg.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeTakeOwnershipPrivilege 2528 aspnet_state.exe Token: SeRestorePrivilege 2836 msiexec.exe Token: SeTakeOwnershipPrivilege 2836 msiexec.exe Token: SeSecurityPrivilege 2836 msiexec.exe Token: SeBackupPrivilege 272 vssvc.exe Token: SeRestorePrivilege 272 vssvc.exe Token: SeAuditPrivilege 272 vssvc.exe Token: SeBackupPrivilege 1764 wbengine.exe Token: SeRestorePrivilege 1764 wbengine.exe Token: SeSecurityPrivilege 1764 wbengine.exe Token: SeDebugPrivilege 2528 aspnet_state.exe Token: 33 2612 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2612 wmpnetwk.exe Token: SeManageVolumePrivilege 3008 SearchIndexer.exe Token: 33 3008 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3008 SearchIndexer.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe Token: SeShutdownPrivilege 1668 mscorsvw.exe Token: SeShutdownPrivilege 928 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EhTray.exepid process 2100 EhTray.exe 2100 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
EhTray.exepid process 2100 EhTray.exe 2100 EhTray.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
SearchProtocolHost.exepid process 948 SearchProtocolHost.exe 948 SearchProtocolHost.exe 948 SearchProtocolHost.exe 948 SearchProtocolHost.exe 948 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mscorsvw.exedescription pid process target process PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1376 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1376 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1376 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1376 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2868 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2868 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2868 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2868 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2504 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2504 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2504 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2504 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1156 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1156 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1156 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1156 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2204 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2204 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2204 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2204 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2920 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2920 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2920 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2920 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 520 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 520 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 520 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 520 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2400 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2400 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2400 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2400 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1468 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2036 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2036 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2036 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2036 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1984 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1984 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1984 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1984 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 604 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 604 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 604 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 604 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2188 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2188 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2188 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2188 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1700 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1700 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1700 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 1700 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2164 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2164 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2164 1668 mscorsvw.exe mscorsvw.exe PID 1668 wrote to memory of 2164 1668 mscorsvw.exe mscorsvw.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5ccd41e6c4f24150636951644fd70dc0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2524
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1376
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 1f4 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1156
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 1dc -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 25c -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 1f4 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d8 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 264 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 280 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2392
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 280 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 2a0 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1ec -NGENProcess 28c -Pipe 21c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2a0 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1d4 -NGENProcess 220 -Pipe 1c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 220 -NGENProcess 1ec -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 270 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 1d4 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 1ec -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1ec -NGENProcess 270 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 280 -NGENProcess 1d4 -Pipe 220 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d4 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"2⤵PID:768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 298 -NGENProcess 270 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2840
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 270 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"2⤵PID:1156
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 2b0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 280 -NGENProcess 2b0 -Pipe 238 -Comment "NGen Worker Process"2⤵PID:1252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2c0 -NGENProcess 23c -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 23c -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:1472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:1532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:1380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:2456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:2148
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 1d8 -Comment "NGen Worker Process"2⤵PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f0 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f0 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 320 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:1472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:2304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:1068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 31c -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:2060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:1044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 300 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:2468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 31c -Pipe 330 -Comment "NGen Worker Process"2⤵PID:1604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 300 -Pipe 334 -Comment "NGen Worker Process"2⤵PID:996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"2⤵PID:2340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 31c -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 300 -Pipe 340 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 29c -NGENProcess 350 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1d4 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:1340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 348 -NGENProcess 344 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 360 -NGENProcess 350 -Pipe 210 -Comment "NGen Worker Process"2⤵PID:924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:1724
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 350 -Pipe 29c -Comment "NGen Worker Process"2⤵PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 350 -Pipe 360 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 358 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 358 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 384 -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"2⤵PID:3000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 378 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:1544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 358 -Comment "NGen Worker Process"2⤵PID:2448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 378 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:1320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"2⤵PID:1128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 398 -NGENProcess 3a4 -Pipe 39c -Comment "NGen Worker Process"2⤵PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 368 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 368 -NGENProcess 38c -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 38c -NGENProcess 398 -Pipe 3b0 -Comment "NGen Worker Process"2⤵PID:460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 398 -NGENProcess 378 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:2468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b4 -NGENProcess 390 -Pipe 394 -Comment "NGen Worker Process"2⤵PID:3064
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:928 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1448
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:544
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3012
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1532
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2372
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2100
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1664
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2992
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2780
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2560
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1632
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2380
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:704
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1144
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:272
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1636
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:948
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 6002⤵
- Modifies data under HKEY_USERS
PID:2508
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD55efd9cd984d3e737d975a71acb56f018
SHA10e2c17a006ee58041fe8459fcac764061f0241da
SHA256f0ae5d14c129b60b3db7877f082d2440e379d27634e1d148ad5935e9bef5affa
SHA512749bfadf9918ae42d8e80e3f92dda2e6bcfcafac13b170f50f4e0d3675ae216a2cfbbb2f8a38d8125a137cf54adacd2e6726d2269b3eeb36f592e8fb31266771
-
Filesize
30.1MB
MD58823624b8872db4f893a86f523afc867
SHA16b70a3f3e4b450589047faae5ced20583bb831c9
SHA25676ed056197862d12b2f8a7a6e38ef9e86f13c694f1858ac364dcebae7ae78438
SHA512a4fd9f0f093e90d9a7f16ef9ad09d35286958f25ea3f47659e808d91946d1cfb409ab3ea472dbbb1d3fb24f611e22a5278ac7f07eb4de4be2b89b3c6cd9c5e31
-
Filesize
1.4MB
MD511c8f578631282ad628bb254ea1e6727
SHA164330717c57dec54adcd704e29de980c1d7ad65c
SHA256bf4dbec90546aa752cc0ae57d53a90e5f1e5d06329d1927a66be5200cbb5a5df
SHA5126c3a0437c3353cc9516b8ee79e3b6d1a16e2ec1d5874134c025ddf1e3aa5f32efa7988dd96a996babf00dd99b9810c3c2df48765db6b253fb0e6124479ae4627
-
Filesize
5.2MB
MD5f47702fcad61e2fb098f3d1f7cec99ce
SHA1d440a8ab431596160e763f5ad8795b1d3963776c
SHA25683dd41357ea113afe3f40db48b292646d53e9350cd4e96d968749486e395b342
SHA512e8f5020795bec29d97bb316f6cf6da823feaa51664b26ed38bca37be60bcfff4fd28967262f92b67bede8674c7cdc1446b35495b34e1224c912dcf662bcb91b1
-
Filesize
2.1MB
MD5a26dec569d2a034398406a598848720d
SHA1541712812517fa9df34cbd7469029bedb7fb7842
SHA2565b39bb82b0fb649e97442f20dfc23d172e709ef896cf47b6aeaf4295789a0496
SHA5120e0cfc73691554f77e75d0c5958f8919eff73985054c318322f07df2bb1dc2f2538b91143f6b9be8b2eb98aac2e42b0f56c60167b7a7b0ce7274977899c2b134
-
Filesize
1024KB
MD5de7b36392d5f99d57e5f868609ec7fe5
SHA12e8ee670c73ebf968e3f7546bf0be9af30739744
SHA256d1ba5d2f1f9d3700a0c3a0590dc6726780841c6f0f2e83eb53352da5cd8de2bb
SHA5127705a854f55882c94ec519de855aac3f4c5d8a089fc35e2ffdc60a09b7d3e97317add1c849b0271410812eb686cf9c36dce98c25a535d0a5de4d7928d39970a5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD56e8c987f4a0a07735c0d54fe33829e93
SHA1c57787d491e716d2c11a2171db447562a5180d70
SHA256084a92bfad2307ebbe248411a2146a1c827438378e8e7d3d22e3f422fb37936a
SHA5129deaa5c378b85e8c0be3f3880cfe6ee0c1221f156d2f11ec3ded25e8c0a0ce014b324ada01092a0223a31b8b8543c4494c5dada09625f842a0a122797384343f
-
Filesize
1.3MB
MD5f1a17f87fa69a39f1d880082e053d533
SHA18b67d0d0adbc4ad9f5435f648c28b0b21063ed8f
SHA256321b718eafec201847a7d7646cb2b7ff829eea3a0f27986a82fa214c43afe7a7
SHA512900fd37ece8a0eb680314021af0eb98fccd0f0803bd161d1ecc2f6761887778ac862170e5aed0f10497ee3750cd3ac511db671d4c445df307f0ba92e118ee2ca
-
Filesize
1.2MB
MD506484b60a99b7f3b01f27bffedfc36c5
SHA1bc87b2a30c3984e5a9399dfc87e36362c52c9171
SHA2560daf69659bab8320d717b60841db7f7c4a9c9ef94a6a4af1c20cafa143b999eb
SHA51241bdc35b2881427115a842dba2ca7440e60ba64deb61eae9a13ab3bacda97fb3cb1c4cabb210383d0947d71bd5be7857c09fbe1d1d7be234e5af10f3074fb425
-
Filesize
1003KB
MD5bb8cd066aad64440ada2f0351e2039b5
SHA1bf4663ebfdf606abc14a72dd60f213c9d22d94b2
SHA25667e5b25627a99a6ce3071551612b8cd2c7bfbcfe1e47137487685b81a2bb8a5d
SHA5126c9dbd040d00ee3b15254dc511a9b86d118e95936fb1cc7c604cc45797bcc73ec2b7f7f39bdb7d40cff6e70a07a4af2598b5f517b4395ee5dea0892d93de3861
-
Filesize
1.3MB
MD5ca2ec0da200168603def902d99408643
SHA187690115773fb5784bf031f5e9bdba7ffb29fa87
SHA25627f3b7981fb42a948f1305000de3540a80129586d18eed650a617d23383fd44e
SHA51245fc0d387e17de15c886c822df71cb54142a3ed822db85944616850cef70c2b15ecae59a12a6e3a91c5ba9b244884fe033dd57f79f7775bc40a063b9d84647df
-
Filesize
8KB
MD514c4eb3f19eaf7403b434ff096e549e5
SHA19cd450be75ddab6e9b1d9cf725a0e101027ea8d0
SHA256eba40c03ad05dc50c5d8081c44e7265acceb4a8f8f2c1f6d5fc57d5a9030bd2f
SHA512b8ee6483e971d27e29621d5e61aa86aafd7387135bfb401685925b488291a03c52f34ea08b6efe1da01b6c6a955bab5156ed84d49291e7a5b6bf2cfe0a8c7ce2
-
Filesize
1.2MB
MD5eee9d1c722b262655de5d83268beb051
SHA1a5bf1aa2b7f0964688a4cf0cd714f7984bbd2981
SHA256584adcfd3b21b48709267e537298696ef289b30d82d62a50f3888e20002fa379
SHA512d90bf29189b7da66a38a91ca488e1e3e45d50069ea7a152dc527fd31283bc73c2596e20e6a56ba18c0f480437d2959790f43366becb3ceee3efc98ae79c8c9a6
-
Filesize
1.2MB
MD5e53920e18b2d46d90c920e13b8f05910
SHA1ddb668eadf6f9e749613959dc9b46fc88b33d584
SHA256861605b44adb3d6828b81d10d0acac55c1233cb1f02e5ae86a2372ac0634a606
SHA512fcf1000b53da98b7a789aecc4f16714f4da58fb2b09db58d5362f3fe2c1d32ea9a985a72e74ca12a048d26cb2228047194b1f6fb53b56b12cf222c1cc0654c61
-
Filesize
1.2MB
MD5e82cbaf379c4f0abdf95465d313e2a0e
SHA1a630c87b0dd227e161d35d82b093d98bd89c17d7
SHA256fd662b515027be925e6eb5bf3252da592a98f767d652163355736c0fc8f44e67
SHA51295b5e3f3c28078090505fb5d0e7903ef5f8777df0a57b3a3d58d69d5f258da5cd90087b71e5e85628117d970d9283b67bc0434bcfe67fd3add90dce4114c9a9b
-
Filesize
1.3MB
MD5175cea384d5b7f4fdfff746dff508fcd
SHA105be841de5cb400a9bb3d45d24cc1b284488057e
SHA256b053d4b9dff6385d6314015f8597ae0554aa4f979c45a7692e709e9657c04773
SHA512f1423a96ca26625e2c9735ad2786b7d6a21e404a9d94fee3ec0c1ef6973eb60e0658489284ad74e60ee539a65e7c422a4874e9d0664b9a0e40f6d055c24e7391
-
Filesize
1.3MB
MD52e0c0c91026a7a9ad298be72507c255f
SHA1be81d8e58c36e86a6e6176a263ea3c9e54c917a1
SHA256b9fce883f71b97cb057174f2a04dbe074a4dbea8c395e99303e3cad03010c189
SHA512cae0f13f827540b5eaff999257f0f797c8cd4f773334777ec73b5c1269733fba801be68381e5cde6050c01b6ce07e2bb383868ac097d4545c3123da4e8732c56
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
MD5e88828b5a35063aa16c68ffb8322215d
SHA18225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA25699facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\001a70478c64d27a3dba34db63daa4a0\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD5585f0383a2a3c5510cef5bc9905a19e1
SHA1c845898e666eef69ce61e0c6d343ece6af632904
SHA2567b6b134c22588f7cc01fb1d2cb779fbb8df31fa450beda021a75cbf69528c854
SHA5122e7212d9584b22372d99ad0aa4a6fae7742204cc6e1d8b644637ac522da20d894c8cdba6f694197e59c11b6e6e2cda19b39b376de0d80cae43ad7ca27dbba712
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9eea4e9be03ebabc33d28903201998b1\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5b530240926bccef5c30bc7cb28f96c86
SHA1fd8fa90c633a6f64ba1bac2f927714bdd0e6f20d
SHA2566d31547ec559b7d55e8c2141a5d2c683ae11c75765f3e686f48efe3db3aaa37d
SHA512f3b6698d92c39508c3f057fe085a4a20046104d8bac59678c29274780562845b75e41e021966f0cbee47730256bea0ae00bc7f8430f4a97d60c433fae45860e7
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b399f8e4541b21c5a57bfbfc6486db2a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD51d9717a25f9edbcdeb6f96ae007a984b
SHA15b8a47d1e0dbc5e59a8e8536ff839e75db4f8176
SHA2564bd221dcdb8344268c012c6768b7ef56f45b49f1f8afe190689043fe492257d3
SHA512357ebd188206133b255902fccb8c8686993c34b17dc9573b684184b952618213d613115159b7532f023a6f7d3fe70c9dd3c3466f461495d41331c38f5a7acdc1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c1b9f09ea823c2b0b5fb67cfe4645645\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD5dfaf25a11cfbb87ff16ac888932d84ba
SHA11c738bc48376990d79c3be5e68e7f4a84537cb99
SHA256beb51115e5153a3e2bc0f3b982f2d607bf9aed4849f6e75ccd8192e28e93bdd3
SHA51284c9aad704d8e7a7a16bedd3d4e8d5c62b47504105ceafb27a9c5e229da749da6f2137dad511578e7cfef0c2dc08874a938dfa53d59e2790fa26c11bb8da7713
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.2MB
MD5f0c9f58ad679c22f64f797dc9c49a41b
SHA17b49ba4eeb81fb7d75322ef349be36080c0805a9
SHA2561a6be2e94fb985e50d137cfaf8508cb25db4a691d1c5e013782f1e2521d40009
SHA512e567fd56fde9e67a8be7f37f792f888de53ec4d2c6cd03bc9ed6fada24d12e827ecd772924680de60a18b77b56d4ad04b697d66d961291124908e281a36c6808
-
Filesize
1.2MB
MD586640233d3ea328d62277415df018745
SHA1e2bc06068fd7c4baf963402bcdcaea0d1558643f
SHA25612fddeabc9d19f4c1ab4a40fbbe788f8bb1c923a9103f3cf52f7223ed1bd275e
SHA512620b987d06dab398485dc7d114fbc7fd50b8565be6c3d3184fe9486dadb546c75d420de1d2bc13c1cf777a9bb00e28df6b1c69952d2430a1eafe02769b346b44
-
Filesize
1.3MB
MD5b6f98292e68256206fa9bf3009ea119a
SHA1e6d6ddc26067e817b9d08288ebe68b5a6fc85ebb
SHA25691d6c67277a32e2d137813d6f68c217b85fb0901cd8267db6782f63bc8f4c584
SHA512a26dab95eb7c2bdb47a1830cf580fb6034e0d8c01310b64c41ef208458abfd8d1142fb791b461b3ec718eca3f1b7db2a510d04d3cfc5686815d85b1ce3ebd492
-
Filesize
1.2MB
MD5ffe6225f00e929aec69dc96e09ea39b0
SHA147fea9282f7425ad92467a7368780af31da09dbd
SHA2561e2479ae158b1ca5fca10f3429b56e8a6a23966083b08fa36e3a06c2db7e2c8d
SHA51233f9e021c26e0bb20e4933e1068e4e1253b423ecd2284caa4c52a97a0d16dbd496e295ff0595d838ff4f90c9121f653fd0918bd8848758ca8de6a5799b83ce0e
-
Filesize
1.3MB
MD58155dc9b913f90d6895d1d95eeca7d4a
SHA1c3120c51f688c145b2c7c8f818c1266dc967de4a
SHA25642bf5c994e9d58943576cb68af9aaebf036c181738068bd662cc6a65cecd60fa
SHA512fed803475ec3db36e8db4593d519213f6b94f513f4356afafd898470b8da62e1019d0819ed623b3c7c1c80162d19d7da84851c2949afdd7f3600bac772c71839
-
Filesize
1.3MB
MD56303a11a9b02539c20487a1b27aad5e2
SHA13b9ac481b075709b90e04df884374fc4868eb2d9
SHA2567303b6c4fd07bbaffefb12391bc869f68926ede72d433892b2607e1db9e658d1
SHA512442f0729cd4957585fe32175281331f2b367d88f460d17d05b4aca54b7abcc5642f51da6873a576c13866d83c1ada4577d9984ab559f3628aa47ca192957c68b
-
Filesize
1.3MB
MD5e2ac8d8143779b55339a1bb59a07bdfe
SHA1066fd5bb3c8af17bffa4f91b2c96ab7f54b861de
SHA256bab06bd0c231b5c48561702ba453180672f0c463171d9974fa8b9a66cad7f904
SHA51203a27185da3461bafe54f635ea8169fe613c471db04ad690f7e4e426737d90a7df51829d8fc4f37fab52a13d104421d27d55bae7a588f6168604d1bb8bd61f72