Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 05:50
Static task
static1
Behavioral task
behavioral1
Sample
6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
Resource
win7-20240611-en
General
-
Target
6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
-
Size
577KB
-
MD5
6354a48b6b69bd8900f1ef18dda9efa0
-
SHA1
b38705c6c3ad97ac92a3050c587ad4c119805c4e
-
SHA256
4d8970ebce7302217173d7699a7809d27c3f6e7030d203dcfdcf6266d51981fd
-
SHA512
65290bdccc81f6c70d783e7c6a566b0e6497f4261d19be62449eeb9f30b0ce2cd9cf6462f24df71fcf5878569c6f9e8ab13a6f11e54a3b7474cf6680b57fdd78
-
SSDEEP
12288:DJlARaGdf1IrOrNhyRfLz707YH7lk9wl225CnPkKb5rdRYd:DvoKFLgYHJWwl24C15rDY
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Processes:
alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 460 1964 alg.exe 2744 aspnet_state.exe 2480 mscorsvw.exe 1096 mscorsvw.exe 1868 mscorsvw.exe 2168 mscorsvw.exe 324 ehRecvr.exe 1348 ehsched.exe 2660 elevation_service.exe 1052 IEEtwCollector.exe 928 GROOVE.EXE 2324 maintenanceservice.exe 2564 msdtc.exe 2444 msiexec.exe 1720 OSE.EXE 1672 OSPPSVC.EXE 2024 perfhost.exe 2580 locator.exe 2084 snmptrap.exe 1104 vds.exe 2820 vssvc.exe 2800 wbengine.exe 2876 WmiApSrv.exe 2788 wmpnetwk.exe 2296 SearchIndexer.exe 1100 mscorsvw.exe 2408 mscorsvw.exe 1180 mscorsvw.exe 1688 mscorsvw.exe 3024 mscorsvw.exe 2208 mscorsvw.exe 2760 mscorsvw.exe 1612 mscorsvw.exe 1644 mscorsvw.exe 1352 mscorsvw.exe 1176 mscorsvw.exe 2000 mscorsvw.exe 1576 mscorsvw.exe 1644 mscorsvw.exe 2456 mscorsvw.exe 1168 mscorsvw.exe 2640 mscorsvw.exe 480 mscorsvw.exe 2224 mscorsvw.exe 1644 mscorsvw.exe 1688 mscorsvw.exe 868 mscorsvw.exe 2092 mscorsvw.exe 2704 mscorsvw.exe 2768 mscorsvw.exe 2008 dllhost.exe 2052 mscorsvw.exe 2968 mscorsvw.exe 468 mscorsvw.exe 2784 mscorsvw.exe 596 mscorsvw.exe 2900 mscorsvw.exe 1920 mscorsvw.exe 680 mscorsvw.exe 2912 mscorsvw.exe 2664 mscorsvw.exe 1932 mscorsvw.exe 1468 mscorsvw.exe -
Loads dropped DLL 59 IoCs
Processes:
msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 460 460 460 460 460 460 460 2444 msiexec.exe 460 460 460 460 460 756 460 596 mscorsvw.exe 596 mscorsvw.exe 1920 mscorsvw.exe 1920 mscorsvw.exe 2912 mscorsvw.exe 2912 mscorsvw.exe 1932 mscorsvw.exe 1932 mscorsvw.exe 2108 mscorsvw.exe 2108 mscorsvw.exe 2508 mscorsvw.exe 2508 mscorsvw.exe 2652 mscorsvw.exe 2652 mscorsvw.exe 2148 mscorsvw.exe 2148 mscorsvw.exe 2964 mscorsvw.exe 2964 mscorsvw.exe 276 mscorsvw.exe 276 mscorsvw.exe 2244 mscorsvw.exe 2244 mscorsvw.exe 2948 mscorsvw.exe 2948 mscorsvw.exe 2980 mscorsvw.exe 2980 mscorsvw.exe 1040 mscorsvw.exe 1040 mscorsvw.exe 480 mscorsvw.exe 480 mscorsvw.exe 596 mscorsvw.exe 596 mscorsvw.exe 2680 mscorsvw.exe 2680 mscorsvw.exe 912 mscorsvw.exe 912 mscorsvw.exe 1960 mscorsvw.exe 1960 mscorsvw.exe 1968 mscorsvw.exe 1968 mscorsvw.exe 2204 mscorsvw.exe 2204 mscorsvw.exe 1864 mscorsvw.exe 1864 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 23 IoCs
Processes:
mscorsvw.exemscorsvw.exeGROOVE.EXEmsdtc.exeaspnet_state.exe6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exeSearchProtocolHost.exedescription ioc process File opened for modification C:\Windows\system32\dllhost.exe mscorsvw.exe File opened for modification C:\Windows\system32\fxssvc.exe mscorsvw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe mscorsvw.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe mscorsvw.exe File opened for modification C:\Windows\System32\alg.exe 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3ccf1d8d8ab55808.bin aspnet_state.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe mscorsvw.exe File opened for modification C:\Windows\system32\dllhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe -
Drops file in Program Files directory 64 IoCs
Processes:
mscorsvw.exeaspnet_state.exemscorsvw.exedescription ioc process File opened for modification C:\Program Files\Mozilla Firefox\updater.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe mscorsvw.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE aspnet_state.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe mscorsvw.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe mscorsvw.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{5889422B-4E7B-4F63-944F-9F172CF77CBB}\chrome_installer.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe mscorsvw.exe -
Drops file in Windows directory 64 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exedescription ioc process File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7520.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe aspnet_state.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED8A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7DA0A192-51AF-4740-AFD0-7DC172BEF858}.crmlog dllhost.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeGROOVE.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exewmpnetwk.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft wmpnetwk.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
ehRec.exeaspnet_state.exepid process 2116 ehRec.exe 2744 aspnet_state.exe 2744 aspnet_state.exe 2744 aspnet_state.exe 2744 aspnet_state.exe 2744 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exeaspnet_state.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exedescription pid process Token: SeTakeOwnershipPrivilege 2224 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe Token: SeTakeOwnershipPrivilege 2744 aspnet_state.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: 33 2076 EhTray.exe Token: SeIncBasePriorityPrivilege 2076 EhTray.exe Token: SeDebugPrivilege 2116 ehRec.exe Token: SeRestorePrivilege 2444 msiexec.exe Token: SeTakeOwnershipPrivilege 2444 msiexec.exe Token: SeSecurityPrivilege 2444 msiexec.exe Token: 33 2076 EhTray.exe Token: SeIncBasePriorityPrivilege 2076 EhTray.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeBackupPrivilege 2820 vssvc.exe Token: SeRestorePrivilege 2820 vssvc.exe Token: SeAuditPrivilege 2820 vssvc.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeBackupPrivilege 2800 wbengine.exe Token: SeRestorePrivilege 2800 wbengine.exe Token: SeSecurityPrivilege 2800 wbengine.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeManageVolumePrivilege 2296 SearchIndexer.exe Token: 33 2296 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2296 SearchIndexer.exe Token: 33 2788 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2788 wmpnetwk.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeDebugPrivilege 2744 aspnet_state.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeDebugPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe Token: SeShutdownPrivilege 2168 mscorsvw.exe Token: SeShutdownPrivilege 1868 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EhTray.exepid process 2076 EhTray.exe 2076 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
EhTray.exepid process 2076 EhTray.exe 2076 EhTray.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
Processes:
SearchProtocolHost.exeSearchProtocolHost.exepid process 640 SearchProtocolHost.exe 640 SearchProtocolHost.exe 640 SearchProtocolHost.exe 640 SearchProtocolHost.exe 640 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 2676 SearchProtocolHost.exe 640 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mscorsvw.exeSearchIndexer.exedescription pid process target process PID 1868 wrote to memory of 1100 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1100 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1100 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1100 1868 mscorsvw.exe mscorsvw.exe PID 2296 wrote to memory of 640 2296 SearchIndexer.exe SearchProtocolHost.exe PID 2296 wrote to memory of 640 2296 SearchIndexer.exe SearchProtocolHost.exe PID 2296 wrote to memory of 640 2296 SearchIndexer.exe SearchProtocolHost.exe PID 2296 wrote to memory of 1208 2296 SearchIndexer.exe SearchFilterHost.exe PID 2296 wrote to memory of 1208 2296 SearchIndexer.exe SearchFilterHost.exe PID 2296 wrote to memory of 1208 2296 SearchIndexer.exe SearchFilterHost.exe PID 1868 wrote to memory of 2408 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2408 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2408 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2408 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1180 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1180 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1180 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1180 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1688 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1688 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1688 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1688 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 3024 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 3024 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 3024 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 3024 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2208 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2208 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2208 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2208 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2760 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2760 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2760 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2760 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1612 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1612 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1612 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1612 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1352 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1352 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1352 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1352 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1176 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1176 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1176 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1176 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2000 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2000 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2000 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 2000 1868 mscorsvw.exe mscorsvw.exe PID 2296 wrote to memory of 2676 2296 SearchIndexer.exe SearchProtocolHost.exe PID 2296 wrote to memory of 2676 2296 SearchIndexer.exe SearchProtocolHost.exe PID 2296 wrote to memory of 2676 2296 SearchIndexer.exe SearchProtocolHost.exe PID 1868 wrote to memory of 1576 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1576 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1576 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1576 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe PID 1868 wrote to memory of 1644 1868 mscorsvw.exe mscorsvw.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:1964
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2480
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1096
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 250 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 280 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:480 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 25c -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:868 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 25c -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:468 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 1c4 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 1c4 -NGENProcess 25c -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1920 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 25c -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 25c -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1932 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2108 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:1972
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2508 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:340
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:2652 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"2⤵PID:2140
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2148 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f8 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:1052
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 318 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2964 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1532
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:276 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2688
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2cc -NGENProcess 324 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2244 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 324 -NGENProcess 320 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:2476
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 330 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2948 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 2cc -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2752
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 320 -Pipe 308 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 330 -NGENProcess 340 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:1812
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2a8 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1040 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 320 -NGENProcess 33c -Pipe 338 -Comment "NGen Worker Process"2⤵PID:2780
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 340 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:480 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 328 -NGENProcess 348 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:2604
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 358 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 340 -NGENProcess 360 -Pipe 328 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2176 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2a8 -NGENProcess 330 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1624
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 364 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:960
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:2412
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 330 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 330 -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 35c -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"2⤵PID:1920
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 370 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:596
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 368 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:2208
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:1904
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:2092
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:1648
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:2680
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"2⤵PID:912
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 364 -Pipe 380 -Comment "NGen Worker Process"2⤵PID:276
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:596
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"2⤵PID:2964
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 364 -Pipe 38c -Comment "NGen Worker Process"2⤵PID:1448
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 370 -Pipe 390 -Comment "NGen Worker Process"2⤵PID:1696
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 374 -Pipe 394 -Comment "NGen Worker Process"2⤵PID:2456
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 364 -Pipe 398 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2156 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 370 -Pipe 39c -Comment "NGen Worker Process"2⤵PID:764
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 374 -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:2760
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 364 -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:1744
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 370 -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:1612
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 374 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:468
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 364 -Pipe 3b0 -Comment "NGen Worker Process"2⤵PID:2956
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 370 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:2644
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 374 -Pipe 3b8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1440 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 364 -Pipe 3bc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 370 -Pipe 3c0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 374 -Pipe 3c4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 374 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3e4 -NGENProcess 370 -Pipe 3cc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2648 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2592 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1352 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:2228
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3dc -Pipe 374 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 370 -Pipe 3e4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3c8 -Pipe 3e8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3c8 -NGENProcess 3f8 -Pipe 3dc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2412 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 40c -NGENProcess 370 -Pipe 3f0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1968 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f4 -NGENProcess 404 -Pipe 40c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2116 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 418 -NGENProcess 3ec -Pipe 414 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2204 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3ec -NGENProcess 410 -Pipe 3f8 -Comment "NGen Worker Process"2⤵PID:2996
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 420 -NGENProcess 404 -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:796 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 408 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1864 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 41c -NGENProcess 3ec -Pipe 410 -Comment "NGen Worker Process"2⤵PID:2872
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1c0 -NGENProcess 1b4 -Pipe 278 -Comment "NGen Worker Process"2⤵PID:888
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 348 -NGENProcess 3f4 -Pipe 424 -Comment "NGen Worker Process"2⤵PID:1068
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 41c -NGENProcess 248 -Pipe 42c -Comment "NGen Worker Process"2⤵PID:908
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3ec -NGENProcess 1b4 -Pipe 244 -Comment "NGen Worker Process"2⤵PID:1692
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 428 -NGENProcess 3f4 -Pipe 1c8 -Comment "NGen Worker Process"2⤵PID:2372
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 420 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"2⤵PID:2508
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3fc -NGENProcess 1b4 -Pipe 1c0 -Comment "NGen Worker Process"2⤵PID:680
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 418 -NGENProcess 3f4 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:520
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 430 -NGENProcess 248 -Pipe 41c -Comment "NGen Worker Process"2⤵PID:1364
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 1b4 -Pipe 3ec -Comment "NGen Worker Process"2⤵PID:2604
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3f4 -Pipe 428 -Comment "NGen Worker Process"2⤵PID:1440
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 248 -Pipe 420 -Comment "NGen Worker Process"2⤵PID:1068
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 1b4 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:1712
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3f4 -Pipe 418 -Comment "NGen Worker Process"2⤵PID:2568
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 248 -Pipe 430 -Comment "NGen Worker Process"2⤵PID:3008
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2168 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2768
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:324
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1348
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2660
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1052
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:928
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2324
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1720
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:1672
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2024
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2580
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2084
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1104
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2876
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:640 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:1208
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2676
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2008
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD59cbf8a04cc5f63fbe29d6b89ba31b148
SHA15daf08cca5c35624243d506310c6fdfca2dff3fd
SHA2566343cf113b57aa208575124324cc9f33ed9b7fa842b1d301b2329525b16631c4
SHA512cd74561f2c2fd10b9b9755a26ff610cb914ec8dd5da7e7c27d73bf718a040a1aca6eaa574b4cbd24df8eb0de6503d90dc095eab9ea60e3be2eb43fb84d6d96f2
-
Filesize
30.1MB
MD50d79b580ccbbc42d829c51b627b1608e
SHA13dc45aa17223f7c8466d048b98b9f48c12ea082c
SHA256ff137ab68de36a80743d123e47d80050d5ca9973cf57b399195f284bb1cc1d73
SHA512919d3d4f8ebd67408ed4bca017be335ebdd0fa6e86e64297d12f0e9f959baf80ccef22d76e32dd50c0f32c2fc678fe7aaf23c6d3e86666fdfae09d96d6f940f7
-
Filesize
781KB
MD5c0b251cb79f54e5e94a9bfb339112f93
SHA1d121d1139be59a8eab29267c6e98bb424c1408f7
SHA256f27de32abc12d35ab6280cd7fb9eeb6a61134d01c56de987bc1a74a347f05345
SHA5123f16beb81e1e72eed48c9538300ef706ae08f1677a23c480c5d684010efdbdf6ed9bbf14f2515fc08c97cb45cf32a5b893da249adff4c017962c322a1b02f304
-
Filesize
5.2MB
MD5d2854395ace50326878ed0289b394acb
SHA16d75dd69aa5679bcfd3d7fd30beaa4e70fd6ed47
SHA256b60e66959b786d311a223451e6bc471e56bf32d994948d3eab727932b6ef7299
SHA512dcc5850096e4b0ddc7c2aa88c695924ccd42a546f74672128f4ef6bcf1b8b807748c007c5afc210b0011fd4f3bc76852f748432e6287d63f33f323dd306868ff
-
Filesize
2.1MB
MD59eb21adb36342883b98b51a23d62d600
SHA1642d5d7a9f902348a5ea775c6844fdf42939b34d
SHA2569634b8d0329e70b155a3113fee55c833995f12e7cf5c1e5fb51092db0d979e8d
SHA51242535a5e92a276c82853a7db02dac41b87c9926fe1fca3f8bc19476a2bb35adf281ead5aa5321d314f7bbdb7a11e70b1b6401fd19f418444108883ee29b5cd6e
-
Filesize
2.0MB
MD537024a98501d61600aa968e1e0eeffbe
SHA1c30143f2851966585ec38055d0b897812c07526d
SHA256b70de9d29c5efef010b9d5a7951d496e4089d4cdc097ef5dd1278b6970396795
SHA512a562bfd7025969d8b59456306ed59767c7cc31abcfa62309cf51342a3d7d06854e4eecf2b3f67af3ec59f7254f5d10933f5e71d797fb3ecf6a8de079297f39a9
-
Filesize
1024KB
MD5ab30b8d1be6326c627e9c490dc4ee924
SHA1d2438b9b324b64add3f66cc42f8cc25e477872b9
SHA256035472cd0d68820d556937d91e5c32b4f277113ac965b2a55838cc97638056ab
SHA512b863a4e2426bd3f7996fb31613f0ca423647af6c366c0c64c256d2584f2960a6ea500ec0f39e9f82aa556c6bd5a3d4618df48d69f14b541c1ed0e07297f312c5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
648KB
MD5d56849737fbc2dec2c78468d29acbe06
SHA101038221a793b6990d34d75df0080b2ea8305ecc
SHA256bcc58e03790519e4d1bd9180fbd75004a96108fea5e193e2a4c63f8037abe95f
SHA512f13f3740a6411223ea60166a8f685eb6bcc2d1cac60c224b0cc630d42e28f3d5c4df512a066b61e1bb6d1b54d50aa4a473629540513e122f37108307500ac831
-
Filesize
872KB
MD5e089220190329bb9c1823dd3fb08eeac
SHA1a52bcc9ba8e628d4eb6432a17d8d45c9d2ae8ddf
SHA256f3416dab2b678f5ae357a0ecaa7195af7bf6038fd80daf20f9ba1e6433492cf3
SHA512caad6978ea4d63fada248e102a61523d5a3f3c26f8d18bd7400f8f883271e3e681f4474cffb81ce007f9e0a1f6a234363bceb331dc3083927b267397ce738fa7
-
Filesize
678KB
MD5fd51f7cd525b3b40ff8eeab8368ffdbe
SHA17c003bcdf381ba2df47c548785a41403f19237ca
SHA256c27fa31a15a64ec0c17aa91d10db14cfcdfe05be3d51d955d7e8b107a4c82463
SHA51292c5f760c035cd59f4f125e3894fdb16b8a9b6caaad26ff5b54619703efd36d66914018863a4b3d9c4deb1beec8bc93858c564e53f58183fb8ee9684bc0b28d7
-
Filesize
625KB
MD5eceb520113a229009f617d4ec97cb2e0
SHA1d2efe60fbc057d94a62c46ece7f04ecf8b7e0fc4
SHA2569bea1d7d25777e1c9230079582f95a6dbc59b5b9a720a7b55c71e79da858664e
SHA512c5d64139e24ce31a36543f080888b7d80b81d02104159536813e36c636edb2120303b88ffe99d21d8d1c096cde6a979f9154634c1084b22f7ecb635ec16e466a
-
Filesize
1003KB
MD536719b6495c7090536585b0cae7ddedb
SHA10549e9e5a9804baf9bce177cc2eb8ffaeefbd99f
SHA25605a908a1a78053d04bc0d6ed0035bf7b1460bbd02a56d979011529ba66bc9f84
SHA512d3e6e43751bc9a945f598720f6f194f0b56cae14d59647d12a8e30578af0564ea8c0a1bfffc5bfc9ec3b0d2435bb02b28cf677e0a8866fbeef8d44a86be817c8
-
Filesize
656KB
MD574201b509f6b02c67ce3fbff6459b2c8
SHA1422fe99006f8fe207331e9428b8b4e97e0f5d0df
SHA25653480ef5bad9dfc2e9da77d03519fd652cb96db038c8b61541e747bf86732077
SHA5129c790debbd109f2074345b22cd0c49cecb6fda20dced1ebf84d78791051e4c8f8fd1a8295ad094e1e962fcfa9d04c6ca5988ab0db89e940e7b39f0896e05e166
-
Filesize
8KB
MD59311f1f72b6602b4753c24f44262c50b
SHA131c39d5e5131339adbdbb57cedcc0cdeb0309916
SHA25603b155e1e34289f22556b2197b9c7530fc72960cc303cd9fdf0e9f1086bb48b8
SHA512b24619eddbd18df9b56e107da8e9c4eca25d72f9b2ea646e4711a3a98956f3ff004e2983b5048c9bf017a95aea60ca38c1537368c1894544f1f31edf064ab8b1
-
Filesize
587KB
MD55c78f0867ea625d8cc1bac80d8c6bbb6
SHA1653d9d59fe9a9d5538a83ab2cf392b11b4f4d469
SHA25659b16d34772569a94c502c7d913c3e8b2faa5bb48373d480d31ebff83a85122a
SHA5125a8127983dc397720988f0a31d4df1ad1f77ef817894c2e82471da424168eb67277bf6a09ff8cd6d0fc3b3bc4dbf09b9f713e1d5b204e0f55daadc7266044297
-
Filesize
577KB
MD5f4ece6549a97cca2a0b1a6f2694f571f
SHA1ed0712abb887372e43ad16d858e24cb7d11ee370
SHA256ffa3f0acf34b3c7356ad1fbd3e3ca0dff63277942eac24f6459931a7ca31132b
SHA512d103bb76b6bc503ddd855ddff843d18a6bca3f52c4171df214a3abcf1735e1f749893f7a2124247eee8b72bac147ebd4d60667965ecd7204ed040cf2b0e11c4d
-
Filesize
1.1MB
MD5e096dfaec31a11d9c081014db84080fb
SHA14d3d2a6a99318b287b17b2f269835692b95ead02
SHA2565d073b04b88d8ce722d3af2da285b1ebab2828d2fa690839314dab60ee6e7918
SHA51208635cdcf9d3c8f1a4ee9146835bfaa3cb48201d479471da2aa1df508c185c14d2e0ab6b569e4667992d8c34b557524855426b3c11de8a9bde9f4f46027cc092
-
Filesize
2.1MB
MD5a5dabc9eb843f5464f8531a1db60e42f
SHA1d10a2a8dbcd36a25cb5d564fc70875f585f58a40
SHA25608150a7465c553107bf56eb2ea71bbbfbbabdd901c71bb567ddd769a0d42d8aa
SHA51235d44f0023ef7e667f21dd8d14c8ec7af7b14b089f63cf99947ec77af50efebf08e62ff25914e488551778bd65f6b850081b415d95d00f369e783db84ac339ac
-
Filesize
674KB
MD56f3f11b7b18b137f6387f110516c93d6
SHA104622aba2db77f799a199ae8b57873fff9b93ded
SHA2563fabe8bc7126361ef2c4206ce41cdef2bc742ee56af60d27629c468f9345008f
SHA5123b8d54a32edaae33d8cb580c2ca8491b94d5d01f070eb9e51452c967b9047901ad799622c1132a1da19e39e80d501db6daa39bd4d624a429f01a79ad8eaf11c0
-
Filesize
705KB
MD59a0682039998bb2f08b2b158e50e98d9
SHA1379e49e4d66c71e359bb94a1766a441f1f1e62b7
SHA2567db661852cea938a3961703a47c5ca98ea33a3de927739acad306b0a36d2cd4e
SHA51296d9cecdacc589d692ec0ed9033a782018553179a2ce8fac943b0b9461047f04f42abc4ea4739f91138f84a8eaaf6b813faebdd5314944d7347ed2988edd7496
-
Filesize
581KB
MD5f6f670554b94ca9abf87eb602ede7787
SHA1a12249f0d1c1a1a1673bbb5560c4ea0bf1ede2a8
SHA25649e8ed1fa0ed864b2e55ee8b5df1af8fb7aacbc2aeabda72bd972661033018cb
SHA512e12cda0e235867bb064fc2ebb59d28e84d85de6b90adcb8ff6640ad9ef41f9769999226a0ea7b3f2e25c9908e03bec9205c7bb4964de8ad5a629173c0a900b0d
-
Filesize
1.1MB
MD5709d90a018d4dc8a95d3ef3f93353288
SHA1920809dae1167fac67ff836ffb355319e5d1f122
SHA256ef61e2f444cc97b0bbd2d91cfd59506d817611525d903e84b53212fa92a17dc7
SHA51234efebb2a00aaff795b9e8b631516a3f70db2d050722ce6626eb56510511f3aec52efa0b94967edffaa18a41d7278d6ce7a706eb75773e64e86f7e445d5235e2
-
Filesize
765KB
MD5ef6ea765bcbeaaeb076c339ab3bb9f6d
SHA18423d055d4337ef4739ddde4b22a1037798e1e3a
SHA25603f29ee82072c790a110dcb4dbe1df8f335820369ccc3fd570bc4afe16bea42f
SHA512da4a2cda3b97f60374911349844f3065c248c74e59d4e04f7edcd461532064e60b4dca7c328fe74c0c85d21622cbf0d96c7f0131d232b2ad4600b803c077300e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize834KB
MD5c76656b09bb7df6bd2ac1a6177a0027c
SHA10c296994a249e8649b19be84dce27c9ddafef3e0
SHA256a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA5128390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
MD5e88828b5a35063aa16c68ffb8322215d
SHA18225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA25699facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD575c84340d765d73eac1c743a31b6571a
SHA152aeef700a52b8e687316f42816eb9c0599354df
SHA256b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459
SHA5129a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54ba26779e6f2075f91293f4f81c2fff\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD5ad8c0e759df25e0049d44e5aba4f3321
SHA14e1e19b1b5602937057170bf390db0091899af69
SHA2564c31b7d8501b8914425568b1c3a228aeafa35b6cd6bfcd9cf55dfa511a71ede7
SHA512f23471c6371f3828002e2ff168013cc01d7744299bd14c7d2117bc39261a9d10cf3bbbe87af08874990a2e20998ec7e3208bf16659ef9e895147e854509f88c4
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\69acb16cc73769680dffbef8e30b4d73\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD503e2800d7f8315f5ef82f66e2fd67bcc
SHA153f89b6351172fe9b457d9f04932962b89539ab1
SHA2566dc9e5351ea88a7fc44be231fb6ed39fda808323856034d925744c8a535212dd
SHA512abf0c2d87ff8a933996a650391415df7d6b70c2e6b3d1cbbf91cf8390e015b355e36e21e7b09c63140de1cebb487d30f60bf07cf67759c436fce1d4b59188f12
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\adb1e39890761b501247ebf09d24010f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD588d299d0d6cd0e8f8797ec2886a8142e
SHA166e106eeefb386b0c6a636dd2db78772d9b320fe
SHA2563220912b448bb0f2bcbe6888bb85af652d424adc68e48099d22764169de54db4
SHA512ef448bc640ce5e9d9ee72108e0b727c970df65cf44da6e093ca5e8814032116ad57f0953770c11714b23d8bbd0230e3d31e8896386e75b7db18eff43a0f754ca
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
603KB
MD5380bb1c4363707318932910e566d4e23
SHA118ea20490735b77a2970fec8f6597f91cd4ccaf9
SHA256b11ab1155f34bf6b61d1d4b4bf3283c8a440cb64ea6c8d375c5e9c284944e914
SHA512c3ef523d26c0e49b20f1e06a01f698f92f11d0ab3206159d8ca92c0b988c13860818ec30e3c9a8d69e05f59c5f89b140718060fbcbc3a51f097b024b6bdfdf28
-
Filesize
644KB
MD5487c048e2bed3244036e458ed1e55c32
SHA12cd2b9ae9ca69225ec572d740788aeb22d67b2ff
SHA256328accbae4269367eae206161d889be126b3975a3fd29643ed4e22a97d64cc15
SHA5123534f08dfb32211d1e33c05de37d5223ddd0e0a5c1c3c0b5a9a4e87efeffe3ad959f8567c33d73695cb5ab0ae6d3ac56eb6344319b385162e42f0daee59f6f22
-
Filesize
691KB
MD526c11ed8985344cd42d082c654168b91
SHA10b7ebc28f1c0cb8fc92f34b498f9746e86b42a85
SHA256adaeb2a3cf85fe3bb70544f745ca4ab2d491196babf3a184c1f72b020511e263
SHA512a4bb3fe74753941725f190eb2e0b98f9e7412ff5de2f5330ca5804a902df7569704ae4987492b79dc8e527261c454d39a8f42c92dc88d148e202c4cbcbc38586
-
Filesize
2.0MB
MD547d4011890d00eef388d0e1438c9b617
SHA123b439839b32cc68c9f6975cb19ba682d134eb7d
SHA25615ea2be2ac3f20b3dc8119935089d9e216350043d095c76a63cafca8e7f97f2c
SHA51222474076dad19f5dab48bcb49999efaf800e9429e6fa6ad5cf7b9a245f0eb0f927c6b53410ec29c4e589cbd67a56c6f06df1d9d9947841efff12b3f48582bf12
-
Filesize
1.2MB
MD564b1b9f5a698423661d507a385d78f70
SHA128dd4da4c731055b99d9e404b320dea50901905e
SHA256f19f165d57effc93b6f69a99e6770b30fe22b5dc3ac0d490e457f470dc23e8cd
SHA5128b56dcd2604c8effe3f556dd3df2fd573487941459906982f5d3ac3061f459ed8964664a442a6956cef4ad004b18498d6fe8582cdfd6c3ded39bced15e532f85
-
Filesize
691KB
MD56403228f1b37cdc7092a044da6dd5b8c
SHA142ec302cf65709d61b04f08466296d83250b6db1
SHA25649ba7d27eb1464d42027cc9873677dcccdfb45cd84965b19b9709f3545b06672
SHA5123c0327986ce1a83929d15e37babfc2e2eedfd6b20fefc82af856f5e55914f75511ed1314e1e37485263068f463fd9bab2a433f963bd7769ecd05f63d27685969