expiro | 9296bd38edc3ee0edf035fddf3d749ca0e832455cadf71273405563da6f5a7f0

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
Size

880KB
MD5

60a35a694c0036f1069e44092d400ec7
SHA1

ab0277112625b9d8197b169ecf3877fc61d88d5f
SHA256

9296bd38edc3ee0edf035fddf3d749ca0e832455cadf71273405563da6f5a7f0
SHA512

fedfbf59cbb42a65342d05734e6f29797ab9276c4f4790ba7c3c6cadc09ddcf31a51a54d8d01bb7315e3981554e3ffbd70fc4bf4d094241d51b9ae3791424985
SSDEEP

12288:lKPRz7pW6NpUUIIeAldFzc+spaUm5A2SKluFFS8h:URzlW6n9eQd/smBiF

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2100-2-0x000000004AD00000-0x000000004AF07000-memory.dmp	family_expiro1
behavioral1/memory/2828-53-0x0000000010000000-0x00000000101B7000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
2828	mscorsvw.exe
476	Process not Found
2720	mscorsvw.exe
2864	mscorsvw.exe
1008	mscorsvw.exe
792	elevation_service.exe
1996	IEEtwCollector.exe
1076	mscorsvw.exe
1868	mscorsvw.exe
2596	mscorsvw.exe
2312	mscorsvw.exe
2012	mscorsvw.exe
2044	mscorsvw.exe
2564	mscorsvw.exe
1616	mscorsvw.exe
2640	mscorsvw.exe
1764	mscorsvw.exe
1524	mscorsvw.exe
2892	mscorsvw.exe
2984	mscorsvw.exe
1068	mscorsvw.exe
2728	mscorsvw.exe
2580	mscorsvw.exe
2724	mscorsvw.exe
2736	mscorsvw.exe
1428	mscorsvw.exe
1256	mscorsvw.exe
2464	mscorsvw.exe
844	mscorsvw.exe
1596	mscorsvw.exe
1776	mscorsvw.exe
1688	mscorsvw.exe
2528	mscorsvw.exe
904	mscorsvw.exe
2836	mscorsvw.exe
1856	mscorsvw.exe
948	mscorsvw.exe
1968	mscorsvw.exe
704	mscorsvw.exe
2336	mscorsvw.exe
2436	mscorsvw.exe
2060	mscorsvw.exe
2496	mscorsvw.exe
444	mscorsvw.exe
1696	mscorsvw.exe
2968	mscorsvw.exe
2576	mscorsvw.exe
2348	mscorsvw.exe
2532	mscorsvw.exe
2236	mscorsvw.exe
2760	mscorsvw.exe
2128	mscorsvw.exe
2900	mscorsvw.exe
2416	mscorsvw.exe
2680	mscorsvw.exe
880	mscorsvw.exe
1436	mscorsvw.exe
1488	mscorsvw.exe
1108	mscorsvw.exe
3048	mscorsvw.exe
1452	mscorsvw.exe
2060	mscorsvw.exe
2044	mscorsvw.exe
936	mscorsvw.exe

Loads dropped DLL 44 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2564	mscorsvw.exe
2564	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
2724	mscorsvw.exe
2724	mscorsvw.exe
1428	mscorsvw.exe
1428	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
1688	mscorsvw.exe
1688	mscorsvw.exe
904	mscorsvw.exe
904	mscorsvw.exe
1856	mscorsvw.exe
1856	mscorsvw.exe
1968	mscorsvw.exe
1968	mscorsvw.exe
2336	mscorsvw.exe
2336	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
444	mscorsvw.exe
444	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\R:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\T:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\Y:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\O:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\U:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\G:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\K:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\N:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\P:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\L:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\M:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\Z:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Q:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\V:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\W:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\X:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened (read-only)	\??\S:	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\vds.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ui0detect.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\7-Zip\7z.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\7-Zip\7zFM.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4894.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP79B2.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7BF3.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5F11.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP454A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP59A5.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP647D.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2100	JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe
Token: SeShutdownPrivilege	1008	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1076	1008	mscorsvw.exe	38
PID 1008 wrote to memory of 1076	1008	mscorsvw.exe	38
PID 1008 wrote to memory of 1076	1008	mscorsvw.exe	38
PID 1008 wrote to memory of 1868	1008	mscorsvw.exe	39
PID 1008 wrote to memory of 1868	1008	mscorsvw.exe	39
PID 1008 wrote to memory of 1868	1008	mscorsvw.exe	39
PID 1008 wrote to memory of 2596	1008	mscorsvw.exe	41
PID 1008 wrote to memory of 2596	1008	mscorsvw.exe	41
PID 1008 wrote to memory of 2596	1008	mscorsvw.exe	41
PID 1008 wrote to memory of 2312	1008	mscorsvw.exe	42
PID 1008 wrote to memory of 2312	1008	mscorsvw.exe	42
PID 1008 wrote to memory of 2312	1008	mscorsvw.exe	42
PID 1008 wrote to memory of 2012	1008	mscorsvw.exe	43
PID 1008 wrote to memory of 2012	1008	mscorsvw.exe	43
PID 1008 wrote to memory of 2012	1008	mscorsvw.exe	43
PID 1008 wrote to memory of 2044	1008	mscorsvw.exe	44
PID 1008 wrote to memory of 2044	1008	mscorsvw.exe	44
PID 1008 wrote to memory of 2044	1008	mscorsvw.exe	44
PID 1008 wrote to memory of 2564	1008	mscorsvw.exe	45
PID 1008 wrote to memory of 2564	1008	mscorsvw.exe	45
PID 1008 wrote to memory of 2564	1008	mscorsvw.exe	45
PID 1008 wrote to memory of 1616	1008	mscorsvw.exe	46
PID 1008 wrote to memory of 1616	1008	mscorsvw.exe	46
PID 1008 wrote to memory of 1616	1008	mscorsvw.exe	46
PID 1008 wrote to memory of 2640	1008	mscorsvw.exe	47
PID 1008 wrote to memory of 2640	1008	mscorsvw.exe	47
PID 1008 wrote to memory of 2640	1008	mscorsvw.exe	47
PID 1008 wrote to memory of 1764	1008	mscorsvw.exe	48
PID 1008 wrote to memory of 1764	1008	mscorsvw.exe	48
PID 1008 wrote to memory of 1764	1008	mscorsvw.exe	48
PID 1008 wrote to memory of 1524	1008	mscorsvw.exe	49
PID 1008 wrote to memory of 1524	1008	mscorsvw.exe	49
PID 1008 wrote to memory of 1524	1008	mscorsvw.exe	49
PID 1008 wrote to memory of 2892	1008	mscorsvw.exe	50
PID 1008 wrote to memory of 2892	1008	mscorsvw.exe	50
PID 1008 wrote to memory of 2892	1008	mscorsvw.exe	50
PID 1008 wrote to memory of 2984	1008	mscorsvw.exe	51
PID 1008 wrote to memory of 2984	1008	mscorsvw.exe	51
PID 1008 wrote to memory of 2984	1008	mscorsvw.exe	51
PID 1008 wrote to memory of 1068	1008	mscorsvw.exe	52
PID 1008 wrote to memory of 1068	1008	mscorsvw.exe	52
PID 1008 wrote to memory of 1068	1008	mscorsvw.exe	52
PID 1008 wrote to memory of 2728	1008	mscorsvw.exe	53
PID 1008 wrote to memory of 2728	1008	mscorsvw.exe	53
PID 1008 wrote to memory of 2728	1008	mscorsvw.exe	53
PID 1008 wrote to memory of 2580	1008	mscorsvw.exe	54
PID 1008 wrote to memory of 2580	1008	mscorsvw.exe	54
PID 1008 wrote to memory of 2580	1008	mscorsvw.exe	54
PID 1008 wrote to memory of 2724	1008	mscorsvw.exe	55
PID 1008 wrote to memory of 2724	1008	mscorsvw.exe	55
PID 1008 wrote to memory of 2724	1008	mscorsvw.exe	55
PID 1008 wrote to memory of 2736	1008	mscorsvw.exe	56
PID 1008 wrote to memory of 2736	1008	mscorsvw.exe	56
PID 1008 wrote to memory of 2736	1008	mscorsvw.exe	56
PID 1008 wrote to memory of 1428	1008	mscorsvw.exe	57
PID 1008 wrote to memory of 1428	1008	mscorsvw.exe	57
PID 1008 wrote to memory of 1428	1008	mscorsvw.exe	57
PID 1008 wrote to memory of 1256	1008	mscorsvw.exe	58
PID 1008 wrote to memory of 1256	1008	mscorsvw.exe	58
PID 1008 wrote to memory of 1256	1008	mscorsvw.exe	58
PID 1008 wrote to memory of 2464	1008	mscorsvw.exe	59
PID 1008 wrote to memory of 2464	1008	mscorsvw.exe	59
PID 1008 wrote to memory of 2464	1008	mscorsvw.exe	59
PID 1008 wrote to memory of 844	1008	mscorsvw.exe	60

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 194 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 1f0 -NGENProcess 1bc -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 234 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1bc -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e8 -NGENProcess 234 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 234 -NGENProcess 264 -Pipe f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 278 -NGENProcess 1e8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 234 -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 274 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 27c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 290 -NGENProcess 27c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 274 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d8 -NGENProcess 264 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 264 -NGENProcess 2b8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2e0 -NGENProcess 280 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 280 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2b8 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 300 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 31c -NGENProcess 2d8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2d8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 30c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2d8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 30c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 340 -NGENProcess 330 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2d8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2d8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 330 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2d8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 330 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2d8 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 330 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 330 -NGENProcess 368 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 378 -NGENProcess 2d8 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2d8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2d8 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 368 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 2d8 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 368 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 2d8 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 374 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 368 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 2d8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a0 -NGENProcess 374 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3b8 -NGENProcess 3a8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 3bc -NGENProcess 1bc -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3a8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 2d8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 1bc -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a8 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 1bc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3a8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 2d8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 1bc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3a8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3a8 -NGENProcess 3dc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ec -NGENProcess 1bc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:792

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
640KB

MD5
23a50704e407c8e57d4f81a49a5b2cf0

SHA1
256d293eec90cc14aca189e00f34c2e04742d68d

SHA256
87938b6e4309a8891eef652f70cdddd8b36f27244b80314d9600af7415a821e7

SHA512
9c7fd97c2257907089553054b0c9cc68577fd12e4c29f08ee8357aade5e60f1871165e5063767ba4726756335c9e8884d0ede56ced1ff34a59321a8904f5653e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
9f416e71e1fb98c79d6a3af6a9df8a63

SHA1
e083d305e10882139c064c8efecf52d629fce86c

SHA256
8a8677490122c7e0d07eb05f474ac39756aa65b23575afc145849b7d6c79a146

SHA512
31c4c765f91c2cc3ee376bb1f6ace6a05ea7da320722e02fd8777d54bfd7a3215e253bbf7e90921baf788a51449f2ae8f478a363f4e1d565ab0981cbd66a6be8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
6d30802cb8dd628905c3c12acdc2d9e1

SHA1
6246a4f2a4dfc50f732fe8da606aef1726df3b75

SHA256
577eaecc9df149725ba1dd4e89171839ff624f85cd8b5b1a45de9d65c9f6854b

SHA512
3120ae36e18af172413177b98b8c946562d6ad016f6cecdf10092370c8afe52189a24e94208f8371a84fc380da283a1d90a5df1c31dba76bcc2a3bfd6f6b64bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4cad6c8d624123626b223d2baa6639a3

SHA1
900f3f93a68094d1da7fcab01acd1ef942fa6fa1

SHA256
3a771dddc79c78919a5ef695d34a06f42442fae1a57dc90b106c74faf64ab8d3

SHA512
942b9c3b92890bf46ca35890ee2d3e168ae6c6a4f89c14ba43f015037a158f8a9b0ed9d3c58951409e58287c8aabab11917e354e5d8be444935915011bd48d35

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
24d4b4affdcc834c1937d352da5c7186

SHA1
f382883cbf1dab7c044bf2f3b4a43ca61cbe6c70

SHA256
8fb7817ab67868fc64c0697d68015c820790f86e354bcfa4c86d7bcb51ddbee4

SHA512
b875f0a8a5b098210ce0a8e92238e8cbc2af7ca97d9a06449247de4cdd90782f1d8c1567594d56c3ed3e854ad8a4eb072d7cc799f157b265c566430ecd921cff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
47de5c1a80defc9fe4d04f34ff68eb5f

SHA1
ed3cd1f7dc0e60f366e66b9dfc8996e9abaf2367

SHA256
ab6d9defedebc72e433bcc3e375a4a62363d893aaa0057d1d3e660908233bf56

SHA512
f6fe9b302cd2596a911b3699b9fda6c0b3b4902f5cc7b11f812ece7e274cf133f35478be1d3e269e3bab0bc1aeafa113f8dc87246d13c914fc2c64e7b975ad27

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
47e31b57b75945e1221d6c9e666001ee

SHA1
4eb63edf4234122a06b877c5334237674d76d3dd

SHA256
c226f11e7a98d7581692ec65b61a5cd41abe6b6e69d7b3cd0be873e9fccc67fe

SHA512
a547b520e0b4d1a150b30775f9242d7ed7c7c7554ffd982ac731ed50b31b604cf8bf08807187cdfa2b2f11303fb93549b8a5bf57f59e06459c515ce998d702ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b9547e946dc655bbc1bfc81a75cb22cd

SHA1
3e5b19646820d9e66e2505b7af31a8dd39d0ed42

SHA256
e4e8becf9d58baff9f99c8dd31e4750e59e0e270be2de5ddfee9efdd6ab1f990

SHA512
d12791d65e868f62ec0fc4b7a1515f8449294896bed58b750d7b6f00b8ae4ceec200d55b1c440646a6fba94a8f31948f205f7f1da849885d120e32784df5f080

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
559KB

MD5
c119f3205d5887d7e445b834df705af4

SHA1
1c078eb432ea5ff0100f9e8cb60282d0d26281f5

SHA256
adaac154c9fee36e13e15699691fc7da61a3e60c675b342d51c4ca873281dba1

SHA512
74c139235f93d1666098b7a21378260e733e0cd990b9ed9854c2527bb24d38ea602f678dcc0bea362b010e51804e373167d0f8944db2fee07cf4beefe2534abc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
78f664cdb7660e7c7b0d0776385147b0

SHA1
d91fac3a73360641eff5e9f400a1fdbd580ab2df

SHA256
9ad7e3178800f5ab3683207c2eac57064f9ea7abe1b6f5d8964fcce769506d21

SHA512
e39b19dbf478fe66f32b183795c951f36b76eb21327f94bb1401f35c70db54a42b80b98f89ed8305e0b29515b7310025e1203f56434c0bfed07ee93e9b57cc03

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
590KB

MD5
b13c3c8ac0c80f2cdb58bd4c352a53ae

SHA1
6d158e005466222c075aabf3b520c4cbc2827210

SHA256
533b7ca56fbe80e786a84aa3322e542ec6684510f1b3e0044c332d6892c2eefe

SHA512
7fc82f078dd4d7425fd43eb579f83c8280ad134e3dd4a34e403035d57dbfd9dc27b32d8ce5555c08cf6627d65f99c0c1c2ba75d2b671cf2dcfb468473d8f1179

Download Submit
C:\Windows\Temp\CabC320.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC4A8.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\be79563b653539165df3291a8935f71d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
3db84075475ed3094f943f4f72485095

SHA1
835214266c933b3d997aaba15f33423a9398f8a0

SHA256
a27febcf684351f16232ef1b0fa2d89e3d0f76b2485ecac216e0b6b37565f580

SHA512
2e52cce5a335189c623aa0004b1b1c85913c6b5813ff0c6f56881533a62dd2ce35c64cddb9f6c34da90e2cdc8cfb812ef7b0737e4d9ef18d7f074bd2b4f59ee2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\be830abb66e9592c389b3710a45f28ab\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
1342005a168cdfbd1a16217f6c154fc7

SHA1
e590ff452cc86f1234edd651b18098e957fcfdc3

SHA256
ee34cd5798656bff6735b27d8809d480af1b910c7afa4aa6c3a7dbd60c78c6cd

SHA512
135c75715c6a4fe3bf4423d76f858ef7ba394822b8371e3d982d5b2eb86656780fe19f15d66231863c04c8064873c659744abbdba923573bc3b19e66285df22e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d335ad9453e112fe1ded8405940d512a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
52ba24ab1d607aeec42ec3aed6b8ca67

SHA1
b2697792e48eea9e5ff0cefdc686d2fb9bfbf7bd

SHA256
a46ee2d4d1f77468c3aa060e42d75afbeab4edd8af9fc7542d0594c1644bcb05

SHA512
3893e37cda8f7fb2b5c0a61a4013eae01d8e00b3e6f94ba92ff34b0aeaf98d5257173b211534953f9af40139b4e478e775d9ad11e68fc6964fd48b4373c158d5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e4129a5615b1947cfb068f0d22bc98da\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
c75d0cd515cec7ae8e6de28e7ad3df07

SHA1
ca90592bf0036390c3b047385089601552960ea1

SHA256
154bbbd55f8e326424c29544cbc8e2aa9f010703aa507fdcc9b6470ff1a6c84f

SHA512
eb1c23024d4e578f39852642c4c1efee06ac921351b661393b24f165883c64fd2fe2df3e5e231069b3f71aa1880d4b342bb1696c829adb77bbb6f54f3dcf8e52

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
640KB

MD5
676ddb5666556a335e57b7bd43745362

SHA1
79d2cd38fcf96fec008bfc540b9903c46ee14fd3

SHA256
3069dc828b0da1bcd8e488008ad9418e0656bf1bc95b65eb89cb4e9dbac36ebd

SHA512
c9cf281d290fb9bebb9665700a630070eb6938265b2049dfbf91ca683c6dc4a8bb4e65d5cee886f74a89f1f1ce5d379ad3343072a4f4fcf31a309f1a8a312867

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.vir

Filesize
30.0MB

MD5
5c80e0886b2adfc1e1977727dd38fe27

SHA1
1108c4c79d7d0bfff447b4455cbcd29481767eb2

SHA256
577fe9c5d596c29bfa753385bcb7947166a2ee75c9c1fc589ec7919f83662726

SHA512
98488fa182af3d1ae1be3b220ec069bcda1ad116a78ca591aa48899e2d584951c189e42820c75ba7d17563d78987de82d5cdb1f3c01c14d916405c7965a77be2

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
715KB

MD5
9b7569d24abbf1eae7e9e86263e29f19

SHA1
3ecd4e1a5e8a27df452d2ac7fb77d6d432e8f44e

SHA256
e0adb0adf4afa236d76b59d863a9959ec80cd311815f91bfa47e3f6daae00446

SHA512
9d7ff6eb7ce032f40013fb7df8e68b6fed0f90a9d4459557f313aa386941315075fd69217a0852042a2ffbe1daebab0bb791d8380842c710fc4918b6f29193e4

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
624KB

MD5
0cc42d580d179b95387ca455ac8acd29

SHA1
759d5f5275cb8ed14bfee216c5d2ddb90b00944a

SHA256
822fd911c460311ff584238030709352dca36640d2ce2caad391d71970911551

SHA512
f6a17daeba2fc6482970626559130ff2be297b6454f84e5cb5e8673237066d8f6ee4811e675d847f6c7c07af6d9f6ac9637f34d06efe3993885d2512084b680b

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
536KB

MD5
1a013f920029af1ec6c99cc42c971448

SHA1
c1e63944e9c4d5e8017f948417194df79d4b478e

SHA256
c104a7ded3d3ec3955f498cbcd4658a72cd783dae2784edd124d2f1a73fc4dfa

SHA512
7c4ff3b3bcfc791c522e6f2e19ec85af462cda7fe80f729eb398ba31dabd357103ec83c6daf80d4d438b10f708a4bf225de821c9edfbd33b64c66c8eb7f3b5c4

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
577KB

MD5
091fd290d2cecfd1f9aa6f3597955351

SHA1
bc1ca09786bde09314f9ae6c8d8929bf0aeff494

SHA256
c544c1569541edc28e16b3a03f13069b0eed73495a2e09d9e0ffbde9060d453f

SHA512
8c79132ead29656726ca3f600d39fde433b15a2b0ea404b37d2b283262ea411f162c7b3d0dedfdee62372ebc95b24ac3902fc1818fd7a49bfa6d7a96fae2657f

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
edb12c52bc42bd00fef70e4f82b030b3

SHA1
cef579c07e1b0218897d816aff6e30369a69e54b

SHA256
a8c75b255efba8ee6c059692774029736ceed7f208a860c311c10bd629f2c718

SHA512
6f9698e78c99174fa44c07c1682af7ee637ae1448f8bc8d461112efd44b34bf8f7f4c4eef36e83514b7900063e6b43f8e93925e5b4fd1ac766896b84742ac7c6

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
2b962f5e162eb250b25dc9ec2499ddcf

SHA1
5a5fec2d42f24ac050650d42fff09d193fc38d77

SHA256
1e61c784597dc5596c5f05f3be51a9cb06dceaf5a80fb6721490d6ed0dee240c

SHA512
e0a1fb7d0352fdd8ed3377c5b1e8101c68f1f11764f7da778fc6a2a5cb5d89fda726435a1dd9cf26293a4eefe36b827d26ed7a65109c3b69c0fae746276f585b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
609KB

MD5
026d55bc39e523722c88945ee0549896

SHA1
f6edaf97047abb127dfa97021815926f23061d77

SHA256
73a887940109edf8227b30bcec11e067574abe862ce86e19669b8bfca35fb33a

SHA512
76ae403979d4429b191c3e715581518b2cb3146b98e5f40f16d177d24104faf9e16fef104edd679709d931360921c842e65ccf0c203d8c3f4597ce8d7f63a1c6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3DAC.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4164.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP454A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4894.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4C2D.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4F49.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5274.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP54F3.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
memory/792-82-0x0000000140000000-0x0000000140371000-memory.dmp

Filesize
3.4MB

Download
memory/792-101-0x0000000140000000-0x0000000140371000-memory.dmp

Filesize
3.4MB

Download
memory/1008-91-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1008-57-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/1008-56-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1068-412-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1068-408-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/1068-409-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/1068-403-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1076-163-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1076-100-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1524-365-0x0000000002FF0000-0x0000000003038000-memory.dmp

Filesize
288KB

Download
memory/1524-362-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1524-363-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1524-372-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1524-364-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/1524-371-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1524-366-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/1524-380-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1524-367-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/1616-327-0x00000000032D0000-0x00000000032EA000-memory.dmp

Filesize
104KB

Download
memory/1616-328-0x00000000032F0000-0x000000000330E000-memory.dmp

Filesize
120KB

Download
memory/1616-330-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1616-326-0x0000000000810000-0x000000000081E000-memory.dmp

Filesize
56KB

Download
memory/1616-324-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/1764-360-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1764-358-0x000000001C510000-0x000000001C520000-memory.dmp

Filesize
64KB

Download
memory/1764-356-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1764-355-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1868-161-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1868-164-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1996-90-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1996-155-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1996-223-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2012-297-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2012-293-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2044-298-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2044-296-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2044-301-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/2044-299-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2044-300-0x000000001C490000-0x000000001C4D8000-memory.dmp

Filesize
288KB

Download
memory/2044-309-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2100-0-0x000000004AD00000-0x000000004AF07000-memory.dmp

Filesize
2.0MB

Download
memory/2100-2-0x000000004AD00000-0x000000004AF07000-memory.dmp

Filesize
2.0MB

Download
memory/2100-1-0x000000004AD07000-0x000000004AD08000-memory.dmp

Filesize
4KB

Download
memory/2312-294-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2564-305-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/2564-308-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2564-323-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2564-303-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2564-313-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2564-314-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2564-306-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2564-307-0x0000000000810000-0x0000000000858000-memory.dmp

Filesize
288KB

Download
memory/2580-430-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2580-433-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2580-429-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2596-291-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2640-333-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/2640-335-0x000000001C4A0000-0x000000001C4B6000-memory.dmp

Filesize
88KB

Download
memory/2640-345-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/2640-344-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/2640-336-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/2640-354-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2640-332-0x0000000002F30000-0x0000000002F48000-memory.dmp

Filesize
96KB

Download
memory/2640-337-0x000000001CA00000-0x000000001CA1E000-memory.dmp

Filesize
120KB

Download
memory/2640-334-0x000000001C490000-0x000000001C49E000-memory.dmp

Filesize
56KB

Download
memory/2720-36-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2720-87-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2720-81-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2720-35-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2724-435-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2724-447-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2724-432-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2724-439-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2728-414-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/2728-411-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2728-415-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/2728-420-0x000000001CCF0000-0x000000001CD0A000-memory.dmp

Filesize
104KB

Download
memory/2728-428-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2728-419-0x000000001CCF0000-0x000000001CD0A000-memory.dmp

Filesize
104KB

Download
memory/2736-448-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2828-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2828-21-0x0000000010000000-0x00000000101B7000-memory.dmp

Filesize
1.7MB

Download
memory/2828-53-0x0000000010000000-0x00000000101B7000-memory.dmp

Filesize
1.7MB

Download
memory/2864-46-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2892-382-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2892-385-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2892-381-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2892-383-0x0000000003050000-0x0000000003064000-memory.dmp

Filesize
80KB

Download
memory/2984-389-0x00000000031E0000-0x00000000031F4000-memory.dmp

Filesize
80KB

Download
memory/2984-387-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2984-388-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/2984-394-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2984-402-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2984-393-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download