b32507ef4e0f286e09f0177fa2a27630a385c437e62e31b0a240d0fec4acaa8c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
Size

672KB
MD5

3887d448a6aaa12788e14c52bc38093b
SHA1

6c896bb568bc5a97bf3506c0ee30bf4bc78d6017
SHA256

b32507ef4e0f286e09f0177fa2a27630a385c437e62e31b0a240d0fec4acaa8c
SHA512

97c72f1fbffdb8c4cc54b5589365ea0466ce9e2c3b700259dac4540c1fe78492e7a875ba309d78abd1db0be4d64c1ad593b27d329ab02dd837c2e21c0462f043
SSDEEP

12288:oeBNUbTVO86UCHruRdp+WA00SKCpVRwfmXSVUhbxk9e/pJu:oJIUCNd0nKwYOX+UhbW9eM

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 39 IoCs

pid	Process
476	Process not Found
2820	alg.exe
272	aspnet_state.exe
1412	mscorsvw.exe
3028	mscorsvw.exe
2424	mscorsvw.exe
2608	mscorsvw.exe
2104	mscorsvw.exe
2484	mscorsvw.exe
1404	mscorsvw.exe
2856	mscorsvw.exe
1888	mscorsvw.exe
804	mscorsvw.exe
352	mscorsvw.exe
984	mscorsvw.exe
1360	mscorsvw.exe
1980	mscorsvw.exe
920	mscorsvw.exe
2732	mscorsvw.exe
1704	mscorsvw.exe
2736	mscorsvw.exe
1864	mscorsvw.exe
1488	mscorsvw.exe
2392	mscorsvw.exe
1476	mscorsvw.exe
1396	mscorsvw.exe
1988	mscorsvw.exe
1004	mscorsvw.exe
948	mscorsvw.exe
3068	mscorsvw.exe
1636	mscorsvw.exe
984	mscorsvw.exe
1192	mscorsvw.exe
2464	mscorsvw.exe
1896	mscorsvw.exe
2468	mscorsvw.exe
2928	mscorsvw.exe
2364	mscorsvw.exe
1388	mscorsvw.exe

Loads dropped DLL 30 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
352	mscorsvw.exe
352	mscorsvw.exe
1360	mscorsvw.exe
1360	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
1864	mscorsvw.exe
1864	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe
1004	mscorsvw.exe
1004	mscorsvw.exe
3068	mscorsvw.exe
3068	mscorsvw.exe
984	mscorsvw.exe
984	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
2468	mscorsvw.exe
2468	mscorsvw.exe
2364	mscorsvw.exe
2364	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3063565911-2056067323-3330884624-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3063565911-2056067323-3330884624-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\H:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\I:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\J:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\W:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\K:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\M:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\X:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\P:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\T:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\V:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\E:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\O:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\G:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\L:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\U:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\R:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\S:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\N:	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\ipbdnnac.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\system32\kcklhbck.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\loddndkf.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\glcajame.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\wbem\aqpdnfok.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\locator.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\dhkchiil.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\alg.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\nnhcqdih.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\lfnkdloi.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\system32\hmfdgipl.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\syswow64\nkpnjalp.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\iefiolfa.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\windows\system32\ipnmknop.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\ofboelcd.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\vds.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File created	\??\c:\windows\system32\ahgbmdnn.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\clmaedbq.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\kihlpche.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\aqlecpjm.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\obkakffi.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dendjgfp.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\ikmgphkl.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bplnhfbp.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\hqokhdmp.tmp	alg.exe
File created	\??\c:\program files\windows media player\nidhmdia.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\pijgofaf.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\jmofaklb.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP29FD.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP338E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCAE.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2424.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\fccnoaoa.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\aqfliblf.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\hkamldcd.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File created	\??\c:\windows\ehome\llbbabmi.tmp	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe
2820	alg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2644	3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2820	alg.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2104	2608	mscorsvw.exe	36
PID 2608 wrote to memory of 2104	2608	mscorsvw.exe	36
PID 2608 wrote to memory of 2104	2608	mscorsvw.exe	36
PID 2608 wrote to memory of 2484	2608	mscorsvw.exe	38
PID 2608 wrote to memory of 2484	2608	mscorsvw.exe	38
PID 2608 wrote to memory of 2484	2608	mscorsvw.exe	38
PID 2608 wrote to memory of 1404	2608	mscorsvw.exe	40
PID 2608 wrote to memory of 1404	2608	mscorsvw.exe	40
PID 2608 wrote to memory of 1404	2608	mscorsvw.exe	40
PID 2608 wrote to memory of 2856	2608	mscorsvw.exe	41
PID 2608 wrote to memory of 2856	2608	mscorsvw.exe	41
PID 2608 wrote to memory of 2856	2608	mscorsvw.exe	41
PID 2608 wrote to memory of 1888	2608	mscorsvw.exe	42
PID 2608 wrote to memory of 1888	2608	mscorsvw.exe	42
PID 2608 wrote to memory of 1888	2608	mscorsvw.exe	42
PID 2608 wrote to memory of 804	2608	mscorsvw.exe	43
PID 2608 wrote to memory of 804	2608	mscorsvw.exe	43
PID 2608 wrote to memory of 804	2608	mscorsvw.exe	43
PID 2608 wrote to memory of 352	2608	mscorsvw.exe	44
PID 2608 wrote to memory of 352	2608	mscorsvw.exe	44
PID 2608 wrote to memory of 352	2608	mscorsvw.exe	44
PID 2608 wrote to memory of 984	2608	mscorsvw.exe	45
PID 2608 wrote to memory of 984	2608	mscorsvw.exe	45
PID 2608 wrote to memory of 984	2608	mscorsvw.exe	45
PID 2608 wrote to memory of 1360	2608	mscorsvw.exe	46
PID 2608 wrote to memory of 1360	2608	mscorsvw.exe	46
PID 2608 wrote to memory of 1360	2608	mscorsvw.exe	46
PID 2608 wrote to memory of 1980	2608	mscorsvw.exe	47
PID 2608 wrote to memory of 1980	2608	mscorsvw.exe	47
PID 2608 wrote to memory of 1980	2608	mscorsvw.exe	47
PID 2608 wrote to memory of 920	2608	mscorsvw.exe	48
PID 2608 wrote to memory of 920	2608	mscorsvw.exe	48
PID 2608 wrote to memory of 920	2608	mscorsvw.exe	48
PID 2608 wrote to memory of 2732	2608	mscorsvw.exe	49
PID 2608 wrote to memory of 2732	2608	mscorsvw.exe	49
PID 2608 wrote to memory of 2732	2608	mscorsvw.exe	49
PID 2608 wrote to memory of 1704	2608	mscorsvw.exe	50
PID 2608 wrote to memory of 1704	2608	mscorsvw.exe	50
PID 2608 wrote to memory of 1704	2608	mscorsvw.exe	50
PID 2608 wrote to memory of 2736	2608	mscorsvw.exe	51
PID 2608 wrote to memory of 2736	2608	mscorsvw.exe	51
PID 2608 wrote to memory of 2736	2608	mscorsvw.exe	51
PID 2608 wrote to memory of 1864	2608	mscorsvw.exe	52
PID 2608 wrote to memory of 1864	2608	mscorsvw.exe	52
PID 2608 wrote to memory of 1864	2608	mscorsvw.exe	52
PID 2608 wrote to memory of 1488	2608	mscorsvw.exe	53
PID 2608 wrote to memory of 1488	2608	mscorsvw.exe	53
PID 2608 wrote to memory of 1488	2608	mscorsvw.exe	53
PID 2608 wrote to memory of 2392	2608	mscorsvw.exe	54
PID 2608 wrote to memory of 2392	2608	mscorsvw.exe	54
PID 2608 wrote to memory of 2392	2608	mscorsvw.exe	54
PID 2608 wrote to memory of 1476	2608	mscorsvw.exe	55
PID 2608 wrote to memory of 1476	2608	mscorsvw.exe	55
PID 2608 wrote to memory of 1476	2608	mscorsvw.exe	55
PID 2608 wrote to memory of 1396	2608	mscorsvw.exe	56
PID 2608 wrote to memory of 1396	2608	mscorsvw.exe	56
PID 2608 wrote to memory of 1396	2608	mscorsvw.exe	56
PID 2608 wrote to memory of 1988	2608	mscorsvw.exe	57
PID 2608 wrote to memory of 1988	2608	mscorsvw.exe	57
PID 2608 wrote to memory of 1988	2608	mscorsvw.exe	57
PID 2608 wrote to memory of 1004	2608	mscorsvw.exe	58
PID 2608 wrote to memory of 1004	2608	mscorsvw.exe	58
PID 2608 wrote to memory of 1004	2608	mscorsvw.exe	58
PID 2608 wrote to memory of 948	2608	mscorsvw.exe	59

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3887d448a6aaa12788e14c52bc38093b_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1412

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 16c -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 16c -NGENProcess 170 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 15c -NGENProcess 1e0 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 230 -NGENProcess 210 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 234 -NGENProcess 208 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 1e0 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 210 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 210 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 248 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 23c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 210 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 24c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 224 -NGENProcess 254 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 254 -NGENProcess 250 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 224 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 224 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 224 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 278 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 270 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
534KB

MD5
17217540cb72ca25eb73a6c7a3b532c0

SHA1
43e0908be0a798618ae62f76e82652a84dc38ed6

SHA256
e0b71e1af0b278078ade3ce0ee88a3e73c48dec5504a28f661d1e69b84ff389a

SHA512
5d4526d8c1ad875affb3a97ec9a86d3e53db69f93b368ce174c4b5540e0a82793331ab30de7c2f1f29c460d949ddd76576bc561647bbd612a6bb3ab42ea814bb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
ef3c4ade50b5b49b2ae0a3e99c72f5e7

SHA1
b94862affa77fabbd59eee8dbc7e0e00daad08ea

SHA256
5d3019004ec7e9a117195860815918422b9f962fcc625145f18d4fb6cf1ac7ff

SHA512
e90cd30a816b4ae344eabcbb3810ccf5ad031af77e37488661526e515420362f8048c19428b0864ea00902398c77fe45e893bcc4c24c2f96961968cc317c49f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
371be9299687885c28af4cd1b2703133

SHA1
dcf20ac65ee835664ecf38d4ffe5de3c5ca6ed94

SHA256
c9fdb6e89249156a93de9d60451ceb6102d6b610c04cfafd481d6ae9edab0355

SHA512
1988bff8cb520f8d330c1216d4a1f5873560e97b63ae760ec1598c42191f203277d03e5dc9414deb8d5636de99d4681a5ace36767a13de15f7b083cb3a54d20e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
22c9ec46b099c67fc6c4e829aef6f96e

SHA1
87b2bb1bcff16c5ea3a568bde15c1d5dc57a3e78

SHA256
716f4eaca5e0c527c44813b7dd9c6c576b06f7be9ed2c8e77100565d4dd0a806

SHA512
b4f50f1738205a4c550dffc5bb9a3a112629bf76b09eeb369afba26c5bf859ab97c187e12790d91b85021cb9a2ce290dc6c262cbc3c1411ef09289149709d43f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
527e468bb7ed1cb6a7d98359249fafc2

SHA1
be8ec3eca64d3dccb197254b6657e621ff7c76fa

SHA256
b0aa692d1d3c1fea236cb7cb0ac566a47d4b50950df58861e712115bc80d3474

SHA512
53f64a9800d887758c6292b50c2683540cde51ede8922c20b1cdb0ae4c2bd9b04508086b66366286c3c4df1ba72815c704e96e183418d260b247dceeacd9692f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
453KB

MD5
2bd7d8fe7ade7b065e355a2558b16687

SHA1
b1af4d63504cd04046b41a2446bf02f6a99a1ed1

SHA256
d6567115bc68095c53fa7c5fc44358ae7298a84e479074d8eaaccc32a0138c16

SHA512
cca46438888c86e2cde7c0839dbd1c97341b73b1da23b375d9167a59754c297552567b8f1d779c95aee0c5a1479984d1978f85aef6ea30cb29080c6de02c9cdd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a54f86abeb84b8e2af1c4bc6541c8ff2

SHA1
c3964834f45dfd28aa2a639c619b1e94adbd03cb

SHA256
e6deceee5bbc0859fc4277b04fd319fd86c65d0eb43cd5025c729b9bcbe77bfa

SHA512
546dd221ce30f35631a12140a90880ed88d2ee4fb79954117e85bf831fa35b81e323326600e0b1d9fc1152810356df28f111f1e1c28768aff50e426a02c6e19e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
bdf38b2ef538bb09ac81e06db491efdd

SHA1
8fb2998f7095e4c68079508849236dfec4b43e14

SHA256
cabbc188b0049736f6114dede52543258c0fd7dfa1adfe9943554a671faec5f5

SHA512
563ae06c2c0dd2a836fd8b1d571885b56087726b3b43060f4cf809930a34524385760506af66a87353461c6b5f06b487d67fd0c8db09127114bd2671790dad47

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a03314fe6cc9c50284df124398be12e7\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
4657a348c8429c95ebd17ede18860265

SHA1
29a8837e81684680c92c7ecea01734dd812a8482

SHA256
5672884307fa4ab77beb9e27f6e5f53920bb0450bf2389a9c608d2a3af7a5462

SHA512
bc64a6cf23f623142bacd04ec23b84a192c86746f5a2c194d603cd44b3769c189bb8cab84a79567fe5b3d8a0377451d2e6102dd984ec09b346aaa3498725af9e

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
660b26d44f8bdff5b79a36364f919161

SHA1
f3264c99c524ad749570a646e59e2f3047912b15

SHA256
556a56bfe92437cb29b156ba17a96d7a06c49d19de78111711df50f49a01f8ac

SHA512
2f1e51861bfb3bf455c53584122a4c25049a1981763dcc35222121525c3fd7b1d1db7718416836433fe182042e66001e04c84c860f71f8b685983330e8742c23

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.9MB

MD5
c1fef0cfdf49eb3faa04dea88dac4b54

SHA1
a4f4867edd3877a4f32f47d24b70504b16306c6c

SHA256
d9ecfe031707bc6b144d38882a6f1478113f5b50f4fde701d22ddaa604e874b5

SHA512
a487b572cdedeb05449a4fd660ab8da86fb320ccec28f0634cd967d470d26f3bfe71f0c809f6778f7d2c1e41db9b03e03d063fa4a0f31479b4c32626d0091749

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
f8e6fd929b336cb7135fbe2eba642bdd

SHA1
7bb0d26798d3634eb84df2044c5729a84052342a

SHA256
bb5b4d5f6266d1d5ae1dc1aa3eb5b7588e363aa03685d1de7c79e29a535d4c42

SHA512
e17695c701d587a499dac29e5801cba9836a257d97e7df74af4f36c405d7dc2a07ffe3cdfbbf65ae07ff5239e40971b5ed618982f295184f97eb3533b19ab2b7

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
c57be3bde9c3552ac6a12861613a9f7f

SHA1
a2dade0212be444eefdd1c46e38d03d100a75547

SHA256
61d8c63067e057643c4851128562b9465a5c3038a43c70066af15894f099ee0c

SHA512
9ad45f4549aa7123b048102f3b471455fa96f65299c2cb62107f3bfa5090963a238851688b898da961339d787d064d7a34b112ce3410d3f4f65cffe7eac03988

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
234bfce38de2a1f5ae249e938ad8f28f

SHA1
37b768cf0660ad3538a3e7ea5a81511a37afc7b6

SHA256
33bd70e5f00e457b898853514d6741e5db8f2535b3191ba78c5843699de676f1

SHA512
df6727b953d047c216eae00404d6364239088de7e240c648f21607d908e6fe247b11ee143791532fbfd8e3f312c73c111a076438d1255220a5e9be20a5b75b44

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
54f8ccaffb800d55f891073643386bd0

SHA1
ff5f33d655257ccd0f6cb5fa188c73626b8ac732

SHA256
fa268077bd5eeb96babc0d2a8169b1a36be3045d933e8ee7e5a2e300f9952a59

SHA512
29f58e63b19259b9b7c0f40a623478161bd81d2551414ff0decf1e70c5811f2c6853b948c8b0c666c07114d3de9dff613d578d2a444e099fe7f91a6cb8f10c8c

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
05df950ebbedf14f0e44ee3aa8a85ab8

SHA1
05ea6f54975dc7716931a292f59f179c478b061e

SHA256
a285bed12a68a0bf8f6957a9891519f18b0853af74df1a351cbb04a8f5b97910

SHA512
c12982f62311404b73283224bb3590e5d32c67a947e8ae646c7894a0653449adf43630e76803e4451e95ab3ccd87ab47fc1dcf053602e37b237b56a6b7b87be6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1390.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP16EA.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1A06.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2166.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2424.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP273F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP29FD.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP619.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCAE.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
memory/272-28-0x000000013FB40000-0x000000013FC06000-memory.dmp

Filesize
792KB

Download
memory/272-54-0x000000013FBB2000-0x000000013FC06000-memory.dmp

Filesize
336KB

Download
memory/272-63-0x000000013FB40000-0x000000013FC06000-memory.dmp

Filesize
792KB

Download
memory/272-27-0x000000013FBB2000-0x000000013FC06000-memory.dmp

Filesize
336KB

Download
memory/352-274-0x0000000000410000-0x0000000000458000-memory.dmp

Filesize
288KB

Download
memory/352-280-0x00000000021D0000-0x00000000021DE000-memory.dmp

Filesize
56KB

Download
memory/352-279-0x00000000021D0000-0x00000000021DE000-memory.dmp

Filesize
56KB

Download
memory/352-275-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/352-273-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/352-272-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/804-265-0x0000000002430000-0x0000000002446000-memory.dmp

Filesize
88KB

Download
memory/804-264-0x00000000023E0000-0x0000000002428000-memory.dmp

Filesize
288KB

Download
memory/804-263-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/804-262-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/920-336-0x0000000000A10000-0x0000000000A58000-memory.dmp

Filesize
288KB

Download
memory/920-338-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/920-343-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/920-332-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/920-342-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/920-337-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/920-335-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/920-334-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/920-333-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/948-442-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/984-293-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/984-295-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/984-297-0x0000000000860000-0x000000000087E000-memory.dmp

Filesize
120KB

Download
memory/984-296-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/984-466-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/984-465-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/984-463-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1004-432-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/1004-428-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/1004-433-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/1192-478-0x0000000002460000-0x000000000246E000-memory.dmp

Filesize
56KB

Download
memory/1360-314-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/1360-313-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/1360-306-0x00000000008F0000-0x000000000090E000-memory.dmp

Filesize
120KB

Download
memory/1360-300-0x00000000007E0000-0x00000000007F8000-memory.dmp

Filesize
96KB

Download
memory/1360-301-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1360-302-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/1360-303-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/1360-304-0x0000000000880000-0x00000000008C8000-memory.dmp

Filesize
288KB

Download
memory/1360-305-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/1396-412-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/1396-416-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/1412-42-0x0000000010074000-0x00000000100A4000-memory.dmp

Filesize
192KB

Download
memory/1412-34-0x0000000010074000-0x00000000100A4000-memory.dmp

Filesize
192KB

Download
memory/1412-35-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/1412-43-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/1488-395-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1636-457-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/1704-356-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1704-362-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/1704-363-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/1704-357-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1704-358-0x00000000007E0000-0x00000000007F4000-memory.dmp

Filesize
80KB

Download
memory/1864-377-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/1864-376-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/1864-381-0x0000000002560000-0x000000000257A000-memory.dmp

Filesize
104KB

Download
memory/1864-382-0x0000000002560000-0x000000000257A000-memory.dmp

Filesize
104KB

Download
memory/1896-493-0x0000000000770000-0x00000000007B8000-memory.dmp

Filesize
288KB

Download
memory/1896-491-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1896-492-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/1980-323-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/1980-325-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1988-425-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2392-398-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2392-402-0x0000000002120000-0x000000000212E000-memory.dmp

Filesize
56KB

Download
memory/2464-483-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2464-480-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/2464-482-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2468-500-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/2468-499-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/2468-495-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download
memory/2468-496-0x00000000003F0000-0x000000000041E000-memory.dmp

Filesize
184KB

Download
memory/2468-497-0x0000000000420000-0x0000000000468000-memory.dmp

Filesize
288KB

Download
memory/2644-0-0x000000013F1DB000-0x000000013F230000-memory.dmp

Filesize
340KB

Download
memory/2644-1-0x000000013F130000-0x000000013F230000-memory.dmp

Filesize
1024KB

Download
memory/2644-2-0x000000013F1DB000-0x000000013F230000-memory.dmp

Filesize
340KB

Download
memory/2644-5-0x000000013F130000-0x000000013F230000-memory.dmp

Filesize
1024KB

Download
memory/2644-4-0x000000013F130000-0x000000013F230000-memory.dmp

Filesize
1024KB

Download
memory/2732-353-0x0000000002380000-0x0000000002394000-memory.dmp

Filesize
80KB

Download
memory/2732-352-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/2736-372-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/2736-373-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/2820-48-0x00000000FF3A9000-0x00000000FF3FD000-memory.dmp

Filesize
336KB

Download
memory/2820-52-0x00000000FF330000-0x00000000FF3FD000-memory.dmp

Filesize
820KB

Download
memory/2820-64-0x00000000FF330000-0x00000000FF3FD000-memory.dmp

Filesize
820KB

Download
memory/2820-19-0x00000000FF3A9000-0x00000000FF3FD000-memory.dmp

Filesize
336KB

Download
memory/2820-20-0x00000000FF330000-0x00000000FF3FD000-memory.dmp

Filesize
820KB

Download
memory/2928-508-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/2928-509-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/3028-62-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/3028-53-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/3028-55-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/3068-448-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/3068-449-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download