expiro | 8787dfcc098108ad52bb166b5864833d076ee0bffe6d24b28095d064970d92dd

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 21:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
Size

584KB
MD5

68641faa6786e4429d6f3517860018f0
SHA1

8770001b28aa426b7b3f49e73c70f4159ef296c6
SHA256

8787dfcc098108ad52bb166b5864833d076ee0bffe6d24b28095d064970d92dd
SHA512

5bb7c5fe328340cb2b4cdbf00fbc6194b70331100b37aa53dcb8e0d57a5cd89d60f30aaf086aafcbc43725e689f43d9da37885c61aacd3a1af6f6a0e8f99fb4f
SSDEEP

12288:XzaDEFEc/v92S5iiF3Kmi6Fa/fVeLyzXS6tcZHz4qg:GAFEev9vzZKkF1LyuucZHz4qg

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2924-2-0x0000000001000000-0x0000000001251000-memory.dmp	family_expiro1
behavioral1/memory/2692-53-0x0000000010000000-0x0000000010258000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2692	mscorsvw.exe
484	Process not Found
2700	mscorsvw.exe
768	mscorsvw.exe
1108	mscorsvw.exe
2020	elevation_service.exe
316	IEEtwCollector.exe
1516	mscorsvw.exe
984	mscorsvw.exe
2212	mscorsvw.exe
2536	mscorsvw.exe
1912	mscorsvw.exe
1288	mscorsvw.exe
1088	mscorsvw.exe
2548	mscorsvw.exe
1724	mscorsvw.exe
2800	mscorsvw.exe
1920	mscorsvw.exe
2780	mscorsvw.exe
2692	mscorsvw.exe
2896	mscorsvw.exe
2204	mscorsvw.exe
2776	mscorsvw.exe
1384	mscorsvw.exe
304	mscorsvw.exe
1836	mscorsvw.exe
2488	mscorsvw.exe
1944	mscorsvw.exe
952	mscorsvw.exe
1428	mscorsvw.exe
2892	mscorsvw.exe
884	mscorsvw.exe
1612	mscorsvw.exe
1508	mscorsvw.exe
1764	mscorsvw.exe
2516	mscorsvw.exe
2676	mscorsvw.exe
2108	mscorsvw.exe
2880	mscorsvw.exe
1820	mscorsvw.exe
2180	mscorsvw.exe
2460	mscorsvw.exe
2488	mscorsvw.exe
2232	mscorsvw.exe
1572	mscorsvw.exe
1732	mscorsvw.exe
2784	mscorsvw.exe
1712	mscorsvw.exe
1752	mscorsvw.exe
2712	mscorsvw.exe
2744	mscorsvw.exe
2676	mscorsvw.exe
2772	mscorsvw.exe
2024	mscorsvw.exe
1536	mscorsvw.exe
1852	mscorsvw.exe
2140	mscorsvw.exe
1800	mscorsvw.exe
1032	mscorsvw.exe
1820	mscorsvw.exe
1272	mscorsvw.exe
3040	mscorsvw.exe
2284	mscorsvw.exe
1588	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
1088	mscorsvw.exe
1088	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
1920	mscorsvw.exe
1920	mscorsvw.exe
2692	mscorsvw.exe
2692	mscorsvw.exe
2204	mscorsvw.exe
2204	mscorsvw.exe
1384	mscorsvw.exe
1384	mscorsvw.exe
1836	mscorsvw.exe
1836	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe
1428	mscorsvw.exe
1428	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
2516	mscorsvw.exe
2516	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
1820	mscorsvw.exe
1820	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
2744	mscorsvw.exe
2744	mscorsvw.exe
2772	mscorsvw.exe
2772	mscorsvw.exe
2684	mscorsvw.exe
2684	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe
868	mscorsvw.exe
868	mscorsvw.exe
2532	mscorsvw.exe
2532	mscorsvw.exe
604	mscorsvw.exe
604	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\N:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\R:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\M:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\P:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\T:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\S:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\Y:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\U:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\L:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\O:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\K:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Q:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\W:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\X:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\V:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened (read-only)	\??\Z:	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\wbem\iedgfpok.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\nibhhlpj.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\SysWOW64\lcbfghek.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\ekkbcigf.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\mlbcngal.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\system32\cboqljil.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\cahgopie.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\SysWOW64\eqickedq.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File created	\??\c:\windows\system32\hianhngj.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\mjlhgnkn.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\bgkbjkdo.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\oifkijcn.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\system32\nmfjnmhq.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\SysWOW64\goefgcej.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File created	\??\c:\windows\system32\dppdcfha.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\windows\SysWOW64\lgddmfdc.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\knqknjlo.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Internet Explorer\ggdnkmba.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\program files\windows media player\qlpmgbih.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hpbanfjo.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\gakpqfhp.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\onakajab.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\llopmkim.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Google\Chrome\Application\bhlnifll.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\eqiodbdg.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\program files (x86)\microsoft office\office14\jcoglhko.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\gmdghpng.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Internet Explorer\aglddoil.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kefbfhkg.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gkjggimm.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\ebgjokgn.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4A68.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP189F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP35FE.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2388.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP699C.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1FB1.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\hhjhfldl.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1B4E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1D31.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP118E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\gofqaoep.tmp	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2E12.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2924	JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1516	1108	mscorsvw.exe	36
PID 1108 wrote to memory of 1516	1108	mscorsvw.exe	36
PID 1108 wrote to memory of 1516	1108	mscorsvw.exe	36
PID 1108 wrote to memory of 984	1108	mscorsvw.exe	37
PID 1108 wrote to memory of 984	1108	mscorsvw.exe	37
PID 1108 wrote to memory of 984	1108	mscorsvw.exe	37
PID 1108 wrote to memory of 2212	1108	mscorsvw.exe	40
PID 1108 wrote to memory of 2212	1108	mscorsvw.exe	40
PID 1108 wrote to memory of 2212	1108	mscorsvw.exe	40
PID 1108 wrote to memory of 2536	1108	mscorsvw.exe	41
PID 1108 wrote to memory of 2536	1108	mscorsvw.exe	41
PID 1108 wrote to memory of 2536	1108	mscorsvw.exe	41
PID 1108 wrote to memory of 1912	1108	mscorsvw.exe	42
PID 1108 wrote to memory of 1912	1108	mscorsvw.exe	42
PID 1108 wrote to memory of 1912	1108	mscorsvw.exe	42
PID 1108 wrote to memory of 1288	1108	mscorsvw.exe	43
PID 1108 wrote to memory of 1288	1108	mscorsvw.exe	43
PID 1108 wrote to memory of 1288	1108	mscorsvw.exe	43
PID 1108 wrote to memory of 1088	1108	mscorsvw.exe	44
PID 1108 wrote to memory of 1088	1108	mscorsvw.exe	44
PID 1108 wrote to memory of 1088	1108	mscorsvw.exe	44
PID 1108 wrote to memory of 2548	1108	mscorsvw.exe	45
PID 1108 wrote to memory of 2548	1108	mscorsvw.exe	45
PID 1108 wrote to memory of 2548	1108	mscorsvw.exe	45
PID 1108 wrote to memory of 1724	1108	mscorsvw.exe	46
PID 1108 wrote to memory of 1724	1108	mscorsvw.exe	46
PID 1108 wrote to memory of 1724	1108	mscorsvw.exe	46
PID 1108 wrote to memory of 2800	1108	mscorsvw.exe	47
PID 1108 wrote to memory of 2800	1108	mscorsvw.exe	47
PID 1108 wrote to memory of 2800	1108	mscorsvw.exe	47
PID 1108 wrote to memory of 1920	1108	mscorsvw.exe	48
PID 1108 wrote to memory of 1920	1108	mscorsvw.exe	48
PID 1108 wrote to memory of 1920	1108	mscorsvw.exe	48
PID 1108 wrote to memory of 2780	1108	mscorsvw.exe	49
PID 1108 wrote to memory of 2780	1108	mscorsvw.exe	49
PID 1108 wrote to memory of 2780	1108	mscorsvw.exe	49
PID 1108 wrote to memory of 2692	1108	mscorsvw.exe	50
PID 1108 wrote to memory of 2692	1108	mscorsvw.exe	50
PID 1108 wrote to memory of 2692	1108	mscorsvw.exe	50
PID 1108 wrote to memory of 2896	1108	mscorsvw.exe	51
PID 1108 wrote to memory of 2896	1108	mscorsvw.exe	51
PID 1108 wrote to memory of 2896	1108	mscorsvw.exe	51
PID 1108 wrote to memory of 2204	1108	mscorsvw.exe	52
PID 1108 wrote to memory of 2204	1108	mscorsvw.exe	52
PID 1108 wrote to memory of 2204	1108	mscorsvw.exe	52
PID 1108 wrote to memory of 2776	1108	mscorsvw.exe	53
PID 1108 wrote to memory of 2776	1108	mscorsvw.exe	53
PID 1108 wrote to memory of 2776	1108	mscorsvw.exe	53
PID 1108 wrote to memory of 1384	1108	mscorsvw.exe	54
PID 1108 wrote to memory of 1384	1108	mscorsvw.exe	54
PID 1108 wrote to memory of 1384	1108	mscorsvw.exe	54
PID 1108 wrote to memory of 304	1108	mscorsvw.exe	55
PID 1108 wrote to memory of 304	1108	mscorsvw.exe	55
PID 1108 wrote to memory of 304	1108	mscorsvw.exe	55
PID 1108 wrote to memory of 1836	1108	mscorsvw.exe	56
PID 1108 wrote to memory of 1836	1108	mscorsvw.exe	56
PID 1108 wrote to memory of 1836	1108	mscorsvw.exe	56
PID 1108 wrote to memory of 2488	1108	mscorsvw.exe	57
PID 1108 wrote to memory of 2488	1108	mscorsvw.exe	57
PID 1108 wrote to memory of 2488	1108	mscorsvw.exe	57
PID 1108 wrote to memory of 1944	1108	mscorsvw.exe	58
PID 1108 wrote to memory of 1944	1108	mscorsvw.exe	58
PID 1108 wrote to memory of 1944	1108	mscorsvw.exe	58
PID 1108 wrote to memory of 952	1108	mscorsvw.exe	59

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 224 -NGENProcess 220 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 17c -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 25c -NGENProcess 228 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 17c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 220 -NGENProcess 228 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 268 -NGENProcess 154 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 13c -NGENProcess 154 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 228 -NGENProcess 26c -Pipe 13c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1e4 -NGENProcess 26c -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 27c -NGENProcess f8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent f8 -NGENProcess 228 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent f8 -InterruptEvent 284 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 228 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 228 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent f8 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent f8 -InterruptEvent 27c -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess f8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess f8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 28c -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 26c -NGENProcess f8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent f8 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent f8 -NGENProcess 26c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent f8 -InterruptEvent 26c -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c4 -NGENProcess 154 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 154 -NGENProcess f8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 2cc -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 294 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2d4 -NGENProcess f8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 154 -NGENProcess f8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 25c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 25c -NGENProcess 29c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 154 -NGENProcess 29c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 2fc -NGENProcess 25c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2dc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 29c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 29c -NGENProcess 2fc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2fc -NGENProcess 2cc -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 314 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 29c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 2cc -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2c4 -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 320 -NGENProcess 154 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 29c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2c4 -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 308 -NGENProcess 29c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 330 -NGENProcess 324 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 31c -Pipe 154 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 29c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 324 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 31c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 338 -NGENProcess 344 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 34c -NGENProcess 340 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 334 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 344 -NGENProcess 31c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 354 -NGENProcess 338 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 334 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 344 -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 34c -NGENProcess 334 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 358 -NGENProcess 344 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 368 -NGENProcess 31c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 35c -NGENProcess 358 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 374 -NGENProcess 31c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 358 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 360 -NGENProcess 31c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 330 -NGENProcess 37c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 388 -NGENProcess 374 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 358 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 37c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 388 -NGENProcess 374 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a0 -NGENProcess 390 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a8 -NGENProcess 37c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 358 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 358 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3b8 -NGENProcess 3b4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3a8 -NGENProcess 358 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3ac -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 358 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3a0 -NGENProcess 3b0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe f8 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3ac -NGENProcess 3c4 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3a0 -NGENProcess 3bc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3a8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3bc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3d8 -NGENProcess 3e4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3cc -NGENProcess 398 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 398 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f8 -NGENProcess 398 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 398 -NGENProcess 3e8 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 404 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a0 -NGENProcess 3f8 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3c4 -NGENProcess 404 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3a8 -NGENProcess 3a0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 410 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3f8 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3a0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 424 -NGENProcess 408 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 404 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 21c -NGENProcess 3a0 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 424 -NGENProcess 3e0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:316

Network

DNS

crl.microsoft.com

mscorsvw.exe

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

2.18.190.73

a1363.dscg.akamai.net

IN A

2.18.190.80
GET

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

mscorsvw.exe

Remote address:

2.18.190.73:80

Request

GET /pki/crl/products/CSPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 28 Feb 2009 02:01:22 GMT
If-None-Match: "0c55744899c91:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 506
Content-Type: application/octet-stream
Content-MD5: om3LuUjaBeyK+XiF29FJsA==
Last-Modified: Thu, 02 Aug 2018 21:09:09 GMT
ETag: 0x8D5F8BC3066B2E2
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 204fabfc-201e-003c-10a3-966e77000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 02 Jan 2025 21:44:28 GMT
Connection: keep-alive

2.18.190.73:80

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http

mscorsvw.exe

509 B
2.1kB
6
4

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/CSPCA.crl

HTTP Response

200

8.8.8.8:53

crl.microsoft.com

dns

mscorsvw.exe

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

2.18.190.73

2.18.190.80

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
ab85d3ce78515380225c07c9fa05ef52

SHA1
3b9f0f6d60069d07facc06ea94607687f1ff716d

SHA256
b33f570109dd0a86cb2bc48bbf060184ac8652d486c1e6255554d7132beb0bed

SHA512
ca22e2a48ecee92036e7ac1b2521e1a9288a0a48b5176cc1e5a1dce156c25d70f7f13e7d507db141fd6cfdf6a108ef6ae834f0721504daabd38f4cf5b6fe28b5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
56108ec5629250a167a4e8b24d4a4c98

SHA1
aac0b7b1d217be916da457a9526714e6d68b2957

SHA256
2ced86bb60292613ed5c87d1a47dd7f6d27d1acd075463c3b72f2af0ec4555cf

SHA512
d5066e73224d97b958c32062c27396bbed2a24909061e1da6b52e2b283013c9a528e52d43e999ead9645765b03d970c137f4bd20111e4413067dd2735dffd525

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
64e8b60921acc5757c7aba5e3e12d254

SHA1
5f02fb1d6f5a115c8ef1658ab6bd2fbd2031a908

SHA256
1e2e7cf06391277b824495cdc40d3cdb7c7d71643f31b9a42a0a6260e5ca914e

SHA512
076645849f173bc0fad9b64992d4f2342240b7f101b6e56021b9632436c449e7490cc5499b521883a91c33169a788854ecb9eb765cecdf6ad23f41048e1d0779

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
041d33ede7bd58825846f5fc6cfe850f

SHA1
58d7171e545959f251bf0ed44ee8dc6079ef3a40

SHA256
25888168b24c4cf1d2964f434d8ac6dedd504cdd8db67838ad97ce50dff7da85

SHA512
06ac54414e2812dbd33974357fc16e6c49065af6763a32fb32a0e75735622727121531b2b74bc7346882e459fde4890f206002f779faddef779c0d3bd28cfd5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b3ce4b61946c2f757c101db16547a4cd

SHA1
01c6379aa304ca0cb69975681bf583ac9fd8f959

SHA256
7b2673fab8c4787c1949f75568e3b2a8de8c3833d98e9013492181207e9ee039

SHA512
c5ee5aa3a452bbf2bbe12fec0808570d15b16261ba1b1da251a52bdd53237f1bf7dc4cd18020f03a009ad8a82314d74bb99d9c2059ed1a4ed3b60058ca619ee7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
4KB

MD5
37fb54903558215d91d0146b0f849a2c

SHA1
e08b44754629366ebb84daa5ce61c9eb0b51396d

SHA256
c4f99cc2e2b052b04065cc50a2c2575497108e5ecde2606c3442f618f5aa3a3b

SHA512
edfc88df1f0f3d042115d9a55c981c80071ebc93993db616fc8341afede3d531ec1ab6e6e9439d901a2429f6cdc3b4207e8062a425de3ce07d41f38a3c5e5262

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
23b512bb3d4d8d95b7cf2e02e795cbff

SHA1
aeaefd8efb1d94ee1752bd3766f0e87a4d4bc11e

SHA256
578f5eb162a604a0273451af492d894427d8af546a09793621d4ae7890377edb

SHA512
7dc04d573c43f007258436208f694e28c44321261db1c34a66f5c3c537a5dc05ebb4c1457b851db8f85fcbb9d0175dc319f9ccfd7f9bc9c6917487909519f1c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c76c0f7203b5e85a876dc6e81691bd39

SHA1
57b2b12330ae8ee79b44939e52878fc434eae45e

SHA256
e1d706e4a5d3df84fa56bac774054cfbe57d37cd4847e098bb3cd0ccdcbf3dc4

SHA512
cc85fe37de86f195aeb1475e7496bed3060cfe541831331b6172a5ea0303e4e85ab763edf6f905aa743e0fac800694d6532aab58192ecc0e9d1053a2007a60b7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
06f38d2ce140cac470353532c18b9dd2

SHA1
a5514163cbe59e49698e5c4344af7654247d78d7

SHA256
7dc9007ee3507c9d05edd3118a8b8452960213a83326b965386a2aa35b8658ef

SHA512
970129a5eb0ca4412a84b7da4fa90e07e85b42ab44c198f3436c9395f70fdb05eb139c6fd0eafcb344c04ee118bdceaab6987a32cb2e338a1304dbce520a5fe2

Download Submit
C:\Windows\Temp\Cab9109.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9224.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0ba5a36116c376c33e48ebd02e6deb6a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
3a24425497c27fc5d06e19ae92d6c2e6

SHA1
45f0ff813f72091a834442bb25862491bc16a717

SHA256
bbe0e2a3ba9fda922c00d627d3ebaa4c20a318eb4796f2ff9143e0b7c7b9f97f

SHA512
dd40003d1a2b00c1141f3646c38e23e19c54686b511848616686ca92a416213f04b8dd59843034134d1a680f6c77ec55c3fd979c2a9e8438955f88fd67c7f3db

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7208694996caf187cf97a3b9bc639515\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
07b49e97b6142a0e6ab9ed77febf979b

SHA1
3e287b8eacb939b268aaf30f9230007a7fc9eb77

SHA256
a92fb972ba3a6db61c4f770cb950b60c2acd24c9553f0bfbddb32ee0a7a2fc09

SHA512
0f4b10acf8f714fa7d13c846dd9b64cd7d5a06892025d52e29659aa818713c893947a5be1040002478e66e1d04644a6d0d02ebadf03e9f8134f5e32fcb78bcc1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8fba792717f048bbf085ad6c5d61d781\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
fb11e72e31d6a00427cb1634a6a2a9f7

SHA1
3cf08955affae35d3336d5f41dcfdbcfc8f6bb2b

SHA256
ad9ebc12b8573abf1d4dd0c33afc4c031ca180cc809f41c95f02df7d31cc1614

SHA512
e0328db0f406e24e1984e006da324eadad103c8c5b158039f0b4fef0018bf3a1d78dedb66ad8e80132b5dbedc53b64618fa4378c6e3dd77ff83c2f4afe746434

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c29f52f99f6e2abb2c9138c45f7edb35\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
7d64d180674b169871a1f32468616b5b

SHA1
ede48105d9885c74cd2147385abe9c110ddd68e2

SHA256
bc406c2e0242592c8d1df4c385b8cd9fe784eb985d37c74f886bf05d801359ba

SHA512
fb369409dc1622098870a8141c80c291bbbf46fa14bf071a0aaee250503c6bee6505b44bf71c93303468b3cbe58131ec1e47ffc40b715e07371e21af2440a6a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
ef5df63b0e3ec579a32e9519e72de967

SHA1
5514283793cbd31564ba6d1504617c342e11f11c

SHA256
42bcf8b1b279eb13145e08291d205a45f979ebd2838333a686d04860e8e8c144

SHA512
979a33b29fd8337b210b562c0f2b2e4dd3aca5526235b920987a49424472bb97a55402eb1d9b9765dbcf39db9bade8b1c49a066e6a2e82e38eb2aa3105a31008

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
699d86215da599b87f2a6528342ccc2d

SHA1
e04548d8b531408456d173f4a949dc4734e75b5b

SHA256
5eb1187b3c9be67762d5329a09be27b8a374647272dbe8b0ed2d7a6c4c9de513

SHA512
304a37486c98dc636ab4a25d5e8ace710e1a52202d14a3862b532338e412db40c57f449a40a7c19b6d55ce32a08b80874553ce30bb6271f46ca0d371d12c6a27

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
773KB

MD5
5df5e825f6b11a46e604090ac1baf6a0

SHA1
799beed0072819f8258e48e47e9c58c4eef2907b

SHA256
889a3abf51b93c7a9bd53cd8a6bc04c8ffa44968149b24c603718ebdc36240cf

SHA512
3372a3e187f409e8f749801aa60b9d9b910f3556ad2ce10d995eb4c804a9d631aff95a9ea5d18d826261208df34b64bcfe3b6e3197522e3357726f5cc97fbc50

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
6832f416bf6c358506edb79d94369dcf

SHA1
250dc659cd24f6c49ac2f3287cb404548c42f957

SHA256
37c0a43978696ee59b25a0a8ea217e6dc0483ca5df30fb877a7cc9b4ebe2d62a

SHA512
f201bbd3ae2dc7487bc2ca1684dfa33fb63ac4f2ed4d311851c6ddea372d1ff14b274c27144d3996ccf364758e5eea53a09ebc099d7f016ed3dd46e989da2548

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9726af030f366991b995c4068fb67dc6

SHA1
6dda5a6926e5019de5ee882a4f58786075ee37fe

SHA256
b590429af5593b9b0e22f777a2eff231a6a9c7344116b80f7471f535a151e395

SHA512
615320dacdd42eba75d84a63177ee512c16cbaac25cd33573710d9ddc8a1790787a7f0bef06a941503eacb5eadc0c46c7370c27806f5f3bcaf4afdf79b4b5371

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
a51fb1b38cbce793a2f16d2c4b783069

SHA1
fba9ee78565638fb707116107012610082528af7

SHA256
fffc6a9a53c877dfe12612459c4d9713dff48babc976ec34531e6677dbca59e2

SHA512
d51fee712a1c50766144c7fd7ef96a9e055b9d0db96c2240510cc0525f420506310eb03067f764229dd74e6103e339a120e3cd7cd1ae8da137fc7921ff37b308

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
541035dee6471b8d164e606aec6dfdcc

SHA1
b6ab8265f995a94f35e305fc428d41ca7ca83def

SHA256
61148508130726df74d981f160bf1c795d3437926b59bd8af827f1d8c84d11c3

SHA512
c21dd49f193735b83cf73e3d51d74b58ff76c73bf67bf7128826a8e3a3979bc115f9a2358ea4192481fb26173c60f0d587db9515e708889871386861fe86b173

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
eacd7ccd12f0206c6ef14b8c6d8491d5

SHA1
76baa18bc7e8271ebf08fdd6318a96f245b1a42c

SHA256
7bdfc494544ef5319486c4416dc2e3bbfa9b2a241110baeffe7f89ffb5a2da99

SHA512
73851714535903ffe435957a6c93d1e00c01e24616e8551098f89c1b9f3deccb5cbc9a51880ef2e777a00b9d6b0cbf599772a9f35d51e67ae2fad97fefb52017

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
06d6824091dbbd91b9a24413160a64de

SHA1
16a184980717c437cb561b75c88153948851ee59

SHA256
e1e3613c93ecd24e8c3f62b3adb4cd49de9233508273140aebc5eecb4101c608

SHA512
c2ae05cec8b4f0fd62f5f99ba9c137f861d1521c47375fc9a2bef0b3ebd4965e8edad446f5dd5b589a424f21e2e491a9d53676b41166a8703f2bec234268b927

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
07019e6b63c17c3818ef588943b9acbe

SHA1
3a1b46ad85257b9205c24fa771beec73efeafefd

SHA256
f54dea591930f775af231af4d42d2117da666d06611e3a5880d46ae7bbdfdf17

SHA512
b5ce7498bee865a591ac9c52532f8840a00a4fcfdc3ef929ff83aa0ebc1866e0158aac7ffb4e8514e3ea3b074285c9b98ce79ced36fa4cde9b33f745598d5623

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
ca7b617a78108c859ab7c59692450008

SHA1
623686a67acdcfa4b57b4d50dd6f8b4cb2764885

SHA256
c5c4500eec1fb64de51db0d7f7379872b6a0731236b4e93141b6cf9a04dbe722

SHA512
a80dcaa2273f3cef14a2431dd8ab5c2fd969f9ddc2445ffef4c0fa055167c3bcdf902028dd3aec8a7d20476dca44ce8e6bef0a2102df0803302419d8085276d4

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
209c98b710f229ee7e93520806124eb5

SHA1
d9e69b09d281f3c22e847bff5e117d6331877407

SHA256
cb032a17e2d39e3b2e26dce2248df652710aa379644580454e519aa824a35924

SHA512
9226d5bc2cb3c74b221b2f51c1f2516dcca6a491ccb7930c994e306e482be9e0acbfceecca6a617a23a0d851d1897b2ab02c4eb082e52b2619ecbc64aa3378c7

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
77fc37f7d284d6b64a0e81bc2b0aaf56

SHA1
d94440881b8bf3d76ed9c5db0ecc692293db8589

SHA256
907690b7a575369e8eeed1ef8c304f0801c065150bb18c1dd150fcd6937f2898

SHA512
1b095881607c9569cffa8cccdbbd07645d55fc76926d4199e9a1681c4e61bf862eb6bf4ef55fe3d5543f1a1d9d3c56eb7c30a934e7cd524c619748b8e7be7b92

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
2c615be9aeaed3696d826e53d099eb73

SHA1
5d6e46ce5303e173b6209bd043a58d445cc1b8dd

SHA256
366ac6c766e7bf158293fffa960a851bdc16b0812a3a4f4925d54b519098bf76

SHA512
4a831e1127ef9c75ad05efa3c692a7cafe20e28d7143c3dafe32d59f703f939c4bd7a0cce5e8c8fb1d24ed35e81e3162bfeac8225591b50d08f199f1b3ec9809

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
5404b49dfd7b92ffb1b40f0a022d69ad

SHA1
e3f0292b2fe313ceabfb5014681aa2d2c438de52

SHA256
8e346e8abfb92ffd82f4e8c00c1a07f65cdab2677067fc594c9a25a25780d15b

SHA512
de6e1048cf2a7a05b835bcff732c119014f70575a0953f72918d42a49e9cceae398382ab4732ff3eb7c9f14e583d42bf32bf7ef5de1aa27121502549e3b2a3c1

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
8071b2f31bc803955c193ba5c54e79b9

SHA1
0260e9e8d7a1ad4e15a6a356c10dfc82415da596

SHA256
bf6a7c97d5b7f07dbe33c6924b0b6655706e596a0c221fe5f730af0b01e95eb6

SHA512
707a4fd067b3f13fd6cca5a334e68f9a8c40434c1488ed9cc774e0f7b2c920626a8e258c5d99f402b1bb7a56758f41a38d5fe22cce23b99a44505cd0ca23bb71

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
78944c20cdc1183150a5ddc2986c8244

SHA1
5e1b91ff9591821de87e1745a53161dae9700492

SHA256
0c1198b855c918134a182029be26697d213cba458a951f9f4b4c032cb562b65e

SHA512
f4b375146fde50804e021a1f3b381d2e50fd5fce7a8d7f4c736274f2062c030520a098b6f075a6aa56931611cb24a4f3b92404c7bfa59a340c7dfa3e84d22736

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
164b5594cd9430a2035724e882ad33e5

SHA1
36ceae1a31c97b45b2cc3c48d45a6d246ecca88e

SHA256
0828cb81b89a6bb4bd5fab149350b5336649126a4fbba2905788454281f0178d

SHA512
164d0203034b256a9be2f7574f1b3597c544e1b40c1f9752d256439770e1d6e3896aaa0284c6a5e677bbac240ddebe62ac96068b573f29cdcb0633b3241eecad

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
cf5cb898ae0c0743504a74be350b0a89

SHA1
a0248807f183659cf3cd0aae9f326c0eb26ee622

SHA256
755de4a5da34e042e908cf5ba2b4cd72bc7d2eda6a6fd6e15e56bcbfb26b31c7

SHA512
1d8e8fb34ef8e74671ffbd99cd7a144de504168cba93e4572a84e5c4a08b45dee5df907a54eb550f290f58f1bc1a57a68562bb079a5353225565d743e3723095

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
c3759e7d2c08161b0621949c77d46da6

SHA1
e09b1be14065e88608a884c7c9386a41556fb156

SHA256
7c9c3419cc4ade353e157f435236e7f4f3c7a2241d6ba07171528923bb4ecb3e

SHA512
49242030269ef58ca006493e41d3745ff55e6ca0f1d54c296dcbde49173fed7f6e04dec3aeb86c96fa8b997238e69f66ee02fda5ca0402650e253a0f28a57cd1

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
d3e11d44430da15c8b2e44e8e5578464

SHA1
73d6bc44b6df3e260fab1e13614b21722dca1822

SHA256
25c5b00c9e17c937cc05b9e1932cecd17200510df276be33496de339e5a5b683

SHA512
488c46746ddf8f0600c1ebbd1bbca9a1883b0980afdd42e701271dc11778f8b18677e583ec29673a946c9172c33bd817ae6c0c29eab11dbf7bfaf365e5f7c01a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP118E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP14E8.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP189F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1B4E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1D31.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1FB1.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/304-486-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/316-93-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/316-106-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/316-241-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/768-46-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/984-185-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/984-192-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1088-364-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1088-348-0x0000000002F90000-0x0000000002F9C000-memory.dmp

Filesize
48KB

Download
memory/1088-355-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1088-349-0x0000000002FA0000-0x0000000002FE8000-memory.dmp

Filesize
288KB

Download
memory/1088-350-0x000000001C4D0000-0x000000001C4E6000-memory.dmp

Filesize
88KB

Download
memory/1088-354-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1088-347-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/1108-57-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/1108-97-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1108-56-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1288-345-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1288-343-0x000000001C4C0000-0x000000001C4D6000-memory.dmp

Filesize
88KB

Download
memory/1288-342-0x000000001C470000-0x000000001C4B8000-memory.dmp

Filesize
288KB

Download
memory/1288-341-0x000000001C450000-0x000000001C45C000-memory.dmp

Filesize
48KB

Download
memory/1288-340-0x000000001C100000-0x000000001C10E000-memory.dmp

Filesize
56KB

Download
memory/1384-485-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1384-478-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/1384-474-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/1516-98-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1516-191-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1724-376-0x00000000008C0000-0x00000000008D6000-memory.dmp

Filesize
88KB

Download
memory/1724-378-0x00000000031C0000-0x00000000031DA000-memory.dmp

Filesize
104KB

Download
memory/1724-386-0x000000001D740000-0x000000001D758000-memory.dmp

Filesize
96KB

Download
memory/1724-379-0x000000001CA20000-0x000000001CA3E000-memory.dmp

Filesize
120KB

Download
memory/1724-387-0x000000001D740000-0x000000001D758000-memory.dmp

Filesize
96KB

Download
memory/1724-375-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1724-377-0x00000000008E0000-0x0000000000928000-memory.dmp

Filesize
288KB

Download
memory/1724-374-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/1724-373-0x0000000000840000-0x0000000000858000-memory.dmp

Filesize
96KB

Download
memory/1724-395-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1836-489-0x000000001C520000-0x000000001C536000-memory.dmp

Filesize
88KB

Download
memory/1836-497-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1912-339-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1920-407-0x0000000003040000-0x000000000304E000-memory.dmp

Filesize
56KB

Download
memory/1920-404-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1920-405-0x0000000002FD0000-0x0000000002FE8000-memory.dmp

Filesize
96KB

Download
memory/1920-422-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1920-412-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1920-406-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/1920-408-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/1920-413-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2020-85-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2020-102-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2204-452-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/2204-465-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2204-456-0x0000000003260000-0x000000000327A000-memory.dmp

Filesize
104KB

Download
memory/2204-457-0x0000000003260000-0x000000000327A000-memory.dmp

Filesize
104KB

Download
memory/2204-450-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2212-335-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2488-498-0x0000000003040000-0x000000000304A000-memory.dmp

Filesize
40KB

Download
memory/2488-499-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2536-337-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2548-369-0x000000001C540000-0x000000001C55E000-memory.dmp

Filesize
120KB

Download
memory/2548-371-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2548-365-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/2548-367-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/2548-368-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/2692-431-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/2692-430-0x0000000002FC0000-0x0000000002FCC000-memory.dmp

Filesize
48KB

Download
memory/2692-436-0x000000001C7E0000-0x000000001C7EC000-memory.dmp

Filesize
48KB

Download
memory/2692-437-0x000000001C7E0000-0x000000001C7EC000-memory.dmp

Filesize
48KB

Download
memory/2692-429-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2692-445-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2692-432-0x0000000003020000-0x0000000003034000-memory.dmp

Filesize
80KB

Download
memory/2692-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2692-21-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2692-53-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2700-79-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2700-36-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2700-35-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2776-466-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2776-468-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2780-427-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2780-421-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2780-423-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2780-425-0x00000000030D0000-0x00000000030E4000-memory.dmp

Filesize
80KB

Download
memory/2780-424-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/2800-397-0x00000000007F0000-0x000000000080A000-memory.dmp

Filesize
104KB

Download
memory/2800-399-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/2800-398-0x0000000003020000-0x0000000003036000-memory.dmp

Filesize
88KB

Download
memory/2800-400-0x0000000003060000-0x000000000306E000-memory.dmp

Filesize
56KB

Download
memory/2800-402-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2800-396-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2896-449-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2896-446-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/2896-447-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/2924-0-0x0000000001000000-0x0000000001251000-memory.dmp

Filesize
2.3MB

Download
memory/2924-2-0x0000000001000000-0x0000000001251000-memory.dmp

Filesize
2.3MB

Download
memory/2924-1-0x0000000001003000-0x0000000001005000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.