expiro | 1e1a5f5ef9be5b76508a3209c28638d4101da25af4e0c5c432a01710b06e014e

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
Size

567KB
MD5

6311bbc6a7405395ad2fa2bec933c526
SHA1

0e578d7d2aee45d6989064e991a42a5a8e02ec5f
SHA256

1e1a5f5ef9be5b76508a3209c28638d4101da25af4e0c5c432a01710b06e014e
SHA512

f47cb218247d5d8e727107db2a3e92e40a5ec0a66f5a3b09cdfe071f08a3b69aaa2feaa52bbc61d59ecc3330367e776181122941893ea547193bbb498bbd2104
SSDEEP

12288:sKRRaMMMMM2MMMMM/J7Z3PNBoX917k9b1jhho+uN4vmrRr9az6:sKRRaMMMMM2MMMMM/J9lBoX91YrjhhdE

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 6 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2848-0-0x0000000001000000-0x00000000011AA000-memory.dmp	family_expiro1
behavioral1/memory/2848-2-0x0000000001000000-0x00000000011AA000-memory.dmp	family_expiro1
behavioral1/memory/2564-46-0x0000000000400000-0x00000000005B2000-memory.dmp	family_expiro1
behavioral1/memory/2948-55-0x0000000010000000-0x00000000101A9000-memory.dmp	family_expiro1
behavioral1/memory/2564-92-0x0000000000400000-0x00000000005B2000-memory.dmp	family_expiro1
behavioral1/memory/2564-100-0x0000000000400000-0x00000000005B2000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
2948	mscorsvw.exe
472	Process not Found
2864	mscorsvw.exe
2564	mscorsvw.exe
2868	mscorsvw.exe
2608	elevation_service.exe
264	mscorsvw.exe
2416	mscorsvw.exe
1732	mscorsvw.exe
804	mscorsvw.exe
1952	mscorsvw.exe
2176	mscorsvw.exe
1764	mscorsvw.exe
1464	mscorsvw.exe
1716	mscorsvw.exe
2312	mscorsvw.exe
808	mscorsvw.exe
2272	mscorsvw.exe
840	mscorsvw.exe
2664	mscorsvw.exe
2884	mscorsvw.exe
2928	mscorsvw.exe
2536	mscorsvw.exe
556	mscorsvw.exe
1176	mscorsvw.exe
2200	mscorsvw.exe
1424	mscorsvw.exe
480	mscorsvw.exe
428	mscorsvw.exe
1136	mscorsvw.exe
1540	mscorsvw.exe
2340	mscorsvw.exe
1892	mscorsvw.exe
2472	mscorsvw.exe
2324	mscorsvw.exe
2696	mscorsvw.exe
1212	mscorsvw.exe
3024	mscorsvw.exe
3040	mscorsvw.exe
1956	mscorsvw.exe
2052	mscorsvw.exe
2832	mscorsvw.exe
776	mscorsvw.exe
1040	mscorsvw.exe
2444	mscorsvw.exe
2452	mscorsvw.exe
1192	mscorsvw.exe
1596	mscorsvw.exe
2640	mscorsvw.exe
2704	mscorsvw.exe
2552	mscorsvw.exe
2716	mscorsvw.exe
1824	mscorsvw.exe
2892	mscorsvw.exe
2616	mscorsvw.exe
1644	mscorsvw.exe
868	mscorsvw.exe
2536	mscorsvw.exe
1888	mscorsvw.exe
2124	mscorsvw.exe
2768	mscorsvw.exe
1104	mscorsvw.exe
832	mscorsvw.exe
2588	mscorsvw.exe

Loads dropped DLL 43 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
1764	mscorsvw.exe
1764	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
808	mscorsvw.exe
808	mscorsvw.exe
840	mscorsvw.exe
840	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
1176	mscorsvw.exe
1176	mscorsvw.exe
1424	mscorsvw.exe
1424	mscorsvw.exe
428	mscorsvw.exe
428	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1892	mscorsvw.exe
1892	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
1212	mscorsvw.exe
1212	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
776	mscorsvw.exe
776	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
3012	mscorsvw.exe
3012	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2703099537-420551529-3771253338-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2703099537-420551529-3771253338-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2703099537-420551529-3771253338-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2703099537-420551529-3771253338-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\L:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\N:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\R:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\H:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\X:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\K:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\M:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\T:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\V:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\W:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\P:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\S:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\O:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\U:	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ui0detect.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\7-Zip\7zFM.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\DVD Maker\DVDMaker.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBA79.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAE78.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBFF5.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDA39.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFC2A.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB0B9.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB57A.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA6BB.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAC08.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2848	JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 264	2868	mscorsvw.exe	36
PID 2868 wrote to memory of 264	2868	mscorsvw.exe	36
PID 2868 wrote to memory of 264	2868	mscorsvw.exe	36
PID 2868 wrote to memory of 2416	2868	mscorsvw.exe	38
PID 2868 wrote to memory of 2416	2868	mscorsvw.exe	38
PID 2868 wrote to memory of 2416	2868	mscorsvw.exe	38
PID 2868 wrote to memory of 1732	2868	mscorsvw.exe	40
PID 2868 wrote to memory of 1732	2868	mscorsvw.exe	40
PID 2868 wrote to memory of 1732	2868	mscorsvw.exe	40
PID 2868 wrote to memory of 804	2868	mscorsvw.exe	41
PID 2868 wrote to memory of 804	2868	mscorsvw.exe	41
PID 2868 wrote to memory of 804	2868	mscorsvw.exe	41
PID 2868 wrote to memory of 1952	2868	mscorsvw.exe	42
PID 2868 wrote to memory of 1952	2868	mscorsvw.exe	42
PID 2868 wrote to memory of 1952	2868	mscorsvw.exe	42
PID 2868 wrote to memory of 2176	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 2176	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 2176	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 1764	2868	mscorsvw.exe	44
PID 2868 wrote to memory of 1764	2868	mscorsvw.exe	44
PID 2868 wrote to memory of 1764	2868	mscorsvw.exe	44
PID 2868 wrote to memory of 1464	2868	mscorsvw.exe	45
PID 2868 wrote to memory of 1464	2868	mscorsvw.exe	45
PID 2868 wrote to memory of 1464	2868	mscorsvw.exe	45
PID 2868 wrote to memory of 1716	2868	mscorsvw.exe	46
PID 2868 wrote to memory of 1716	2868	mscorsvw.exe	46
PID 2868 wrote to memory of 1716	2868	mscorsvw.exe	46
PID 2868 wrote to memory of 2312	2868	mscorsvw.exe	47
PID 2868 wrote to memory of 2312	2868	mscorsvw.exe	47
PID 2868 wrote to memory of 2312	2868	mscorsvw.exe	47
PID 2868 wrote to memory of 808	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 808	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 808	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 2272	2868	mscorsvw.exe	49
PID 2868 wrote to memory of 2272	2868	mscorsvw.exe	49
PID 2868 wrote to memory of 2272	2868	mscorsvw.exe	49
PID 2868 wrote to memory of 840	2868	mscorsvw.exe	50
PID 2868 wrote to memory of 840	2868	mscorsvw.exe	50
PID 2868 wrote to memory of 840	2868	mscorsvw.exe	50
PID 2868 wrote to memory of 2664	2868	mscorsvw.exe	51
PID 2868 wrote to memory of 2664	2868	mscorsvw.exe	51
PID 2868 wrote to memory of 2664	2868	mscorsvw.exe	51
PID 2868 wrote to memory of 2884	2868	mscorsvw.exe	52
PID 2868 wrote to memory of 2884	2868	mscorsvw.exe	52
PID 2868 wrote to memory of 2884	2868	mscorsvw.exe	52
PID 2868 wrote to memory of 2928	2868	mscorsvw.exe	53
PID 2868 wrote to memory of 2928	2868	mscorsvw.exe	53
PID 2868 wrote to memory of 2928	2868	mscorsvw.exe	53
PID 2868 wrote to memory of 2536	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 2536	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 2536	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 556	2868	mscorsvw.exe	55
PID 2868 wrote to memory of 556	2868	mscorsvw.exe	55
PID 2868 wrote to memory of 556	2868	mscorsvw.exe	55
PID 2868 wrote to memory of 1176	2868	mscorsvw.exe	56
PID 2868 wrote to memory of 1176	2868	mscorsvw.exe	56
PID 2868 wrote to memory of 1176	2868	mscorsvw.exe	56
PID 2868 wrote to memory of 2200	2868	mscorsvw.exe	57
PID 2868 wrote to memory of 2200	2868	mscorsvw.exe	57
PID 2868 wrote to memory of 2200	2868	mscorsvw.exe	57
PID 2868 wrote to memory of 1424	2868	mscorsvw.exe	58
PID 2868 wrote to memory of 1424	2868	mscorsvw.exe	58
PID 2868 wrote to memory of 1424	2868	mscorsvw.exe	58
PID 2868 wrote to memory of 480	2868	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6311bbc6a7405395ad2fa2bec933c526.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 20c -NGENProcess 1b8 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 260 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1b0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1b8 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 258 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1b8 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 278 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 26c -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 258 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 26c -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 290 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 20c -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 28c -NGENProcess 264 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 258 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 29c -NGENProcess 20c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 264 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 264 -NGENProcess 258 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2b0 -NGENProcess 20c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 20c -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 2b8 -NGENProcess 258 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 258 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2c8 -NGENProcess 2a8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2fc -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d0 -NGENProcess 2f4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 308 -NGENProcess 2d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 314 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 2d8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 318 -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2d0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2d0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2d8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2d0 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2d8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2d0 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2d8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2d0 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2d8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f0 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2d0 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2d8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f0 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2d0 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2d8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2f0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2d0 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 2d0 -NGENProcess 368 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 378 -NGENProcess 2f0 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2f0 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 378 -NGENProcess 2f0 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 390 -NGENProcess 380 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 20c -NGENProcess 368 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 394 -NGENProcess 388 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 380 -Pipe f4 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 368 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 380 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 368 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 388 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 380 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 368 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 388 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
648KB

MD5
48f77c34ec2b90d3c3fa55d676b859ad

SHA1
49bc76c6b69cf233d43daeac8123a12fe23dbfd0

SHA256
da2f9e731a90734dd9b6c2f4a8605f46650fd8c86cea803baa8702d7caf4c65d

SHA512
fcbfe90a23f1275c770851352495ae7308e5cf039ad98a708ad2477e83180c8cc838def0857b874aaa3551c0ff333a9a81b4423aa89265dbf41d0b704aff9b4c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
799a1a881418e67b2811377b1af13158

SHA1
577f824f085cc2aa3d5ac74ec13e405b57a97825

SHA256
a7fd4a5be2fb0a1118b73b4fadceaa9d4ddaab021387795d5f067e9a8fce4d5a

SHA512
28d98508c152e7f41faec4426b3b5ba14739cbe711b9691a4f5951fd58df8f7e533582562ca7c3a5597678239a282988be51d2cb73c72606629690d5f1c4799a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
49f7e262b4b07b5e8a68f01264b7ff29

SHA1
d126ea2463b5d13663d3f2fefa2846fd2d2c3c11

SHA256
a19408c096408fcddaf9c151e7781d14815c23b0e413881e52b2174eebc0e81e

SHA512
a0733c002691b344d7b4e94fbad11a86e47ba7af16ec44e9d27666d34e09ee9e04f2d1f28773d70a6b8690fff3abf89292ad49db7e0c0eadb41b1bc10e1eb51b

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
2789bc7c4a489d4f5f92046dd84d3814

SHA1
cee8f58a377b829947790c3471f48c021007ddfa

SHA256
ea221f444756b972af358d5d9f8ff075d08e9983107e85500ad4c44f9b35bfb7

SHA512
72b03160f98d701ba37bce0ad45a1cd2bd8d096eb0cb1947c22f9ad605e0b0ea6ef1f622635e128040eeecf11625bdb60874dbe0e593503cc115f8c011329c49

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
337c6322d0c63b6c98781a56bcf439c8

SHA1
8f8adb5e095907959c9525e0fb9d382e318582ee

SHA256
4d284241f7f4b7dfa0a1189bba43ed618c120cfe4edf274b647050d60618c5aa

SHA512
a0efb928641570a8f63bd9af7128c4f2911bc9ba372a458586759e36007766bdf56c4c796abdf5fbf9687d96626778236d6e5e3b2a266f4947edd11af087578a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0614d8c936ac9bdc58368dcdb7c28a6a

SHA1
9e0882eb63cd31b5f8d0605564e036b0cdc4fcfb

SHA256
5d0d6084aa92ede75667a67970a2fa72d5051dcffdcfad7674059284d731b72c

SHA512
31bb9e0e3c07f01a0180cd887f66ca4971dfadae4e919b4910e283a43ed1c2dc950aacba548bc3e7984db84d449b0a0d3f1248bfc49387ef3674dfee47d150a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
504f4a64759d5714d54d00028e9974f3

SHA1
1d0c1495fc294c80c076755e1f7e9a622ee66a68

SHA256
61be13fbf718480fa08f16c1cd564391c68251c677ae7838dba87477c1101635

SHA512
f565396a3016b51d7aa15c30138f0d46b303a617c2841250c1f72d7ed315294dc2c10428a4cbb29a8c58c57e4935692372c5e65ca90b31ca6494f97e5bb5d255

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ac3e2a24b05a158e684013b9cd7d5d5d

SHA1
51efb43f3b359a747f628d7ba8ee8ec863630fca

SHA256
5a081fe9c147e85aa42ea249b12644dcd05d71448c48891b3830192912d3855c

SHA512
1163b82f808ae73b7ee0f98e88dbf7a469d5bf2786455df01d7ace046ca9624a2328c5b1b256af5ddec0d78b61192f9cad69f76922ff6d9b97d36d4894319118

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
bf21c62aa2bf4884c9cac1db704f445c

SHA1
06ff82d1418a88602f552947a30746fe2144fe27

SHA256
f8f9f2b7b437f235b227046af31be7af62e70c52521ee356f122a6d3253bea92

SHA512
428fda0fa6c291d4804c952d82f0236921893779cbf566b446573df6589d34c92c1311d189b93f37cde005935dfae406fef4f1fe471f178be3e0c7dc05dce9ab

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\32de2425ab7756c747686c7ed75c26df\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
67fe530a76b8e6a703cb4fbff0f1056d

SHA1
20bfc435f622b504cac74acf784f6b8adeb5f308

SHA256
c4e03fe3d9a4ccbb105bfd459d0cc510aeafb4dd0d0ded140054495ac756e1f4

SHA512
b0b6a28328cc00c7817f7ab860d4e857949b7e393c8f3363ee903af59ae893e7745a35b92de44f0756d0fc5b6a340dbc37d9849d193d9d5f153491a3664ecdd0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\52a86a4b96d5a99fd1e35198e51be22c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
aeae144e45c0be120ddba3eb42f43745

SHA1
6cebe2a10635a2e8840e5c4bfe158d5aeec3b38a

SHA256
f62421ea775ac785a14c09d56df97e6862ed0a8f2f7430b3aa0cf9c27bab8b86

SHA512
1542facfc00ff22e3f0de653414be8711d84bdd619cfc74bad1760cbb088b3404cc54db5591956855b831f5c03604aab9476a605b962587f99c5b2faa9eb0a6d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\59cab7174d7ef934d43b586be5609f04\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
566429bd398166b93e4d4d488c78ccae

SHA1
29d3233c786d3f36d14fb94d7dac71b011f97f88

SHA256
7407d6f5c602af6b80a82e4ea7c6744d3d87e9af26ba509dcd000f87e2ec3568

SHA512
7a7bc0c40ae33b1866c5c5545106096b0d57c805dc6a1ba81b550c9bd935d121a1ecb719a22934386207713c327698fdb576921788bc819066265114ec742c90

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cb5e7666aec9b454a14e23dd09e6bcab\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
a85ea5aa0bae23dfe538723a5f064585

SHA1
5e99cb158bddd7bc4548a6ab8d3be9cfd601b6dd

SHA256
0e6a5524fc5506a3747eb414910c608ecb16c2cc8283a3ca15bd660cedf4d164

SHA512
3aa52bb875be926ad2cb865abf5c512723adca2cd8b124f475eaac9ef75cb6b0117e661adf1841f30f2446b540ca7fb2a1e908b4d3eaa9f5017fe776cd926cbd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
648KB

MD5
a4ce804b54dc24dcd648b160a50fc878

SHA1
3f54dd3ed9cfa649a4d89ef00cfeab92031331d6

SHA256
d3b4e62968673bf3a242aa92ea9ca127a4f18fbb4f3d97c3c2ba835f2751ad95

SHA512
c307d3c5e8c769058169edca6923a19fbe84e107a61f965960a8716277330d8b5e258cb41b9bd7bf4d56716e85ce1112f1bbedce5f94b47992123963ba6b6b49

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
35097f33fb5a157a899e4071520b7080

SHA1
16222699cc99ed0726118aa78f364a825925698c

SHA256
aaff5b24d62fe89a167d639022857fb8f3cab0564888dfaf12515d20617f781e

SHA512
ebab136ffd1c22cb59f21a1c11f95a39c4b7c2a374f6f420dde1a0f12f335851d99f5bc0d2723a40686a533e26f2c1cf22aefec0868b172e93c8b84b3e3c625f

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
723KB

MD5
14202dac247579235d1b92d3f51f8204

SHA1
731736019483d75766ef311058f9c1d8d9e65cb6

SHA256
50e88e3b351f06f64b3f9a10fae06c47fda28fc0258fa8724ce59b5f079a22ee

SHA512
2aeda6133804ef5082e4ca13f89deb4f1076aac88ba2354bc8a6c9e556200f739ffdb9d045410a877a8bc6d878fc30a07217e5510c30c0656b10e602253299c7

Download Submit
\??\c:\windows\SysWOW64\dllhost.exe

Filesize
515KB

MD5
f15c9be771546a2c8e9589a5692b503c

SHA1
dd51be0cafd7bc5a4a3334b4ed16b428238a8d84

SHA256
d6e951e15d49f99602868a7a18cc4737338304a8cbcaab9c398a3a51872c3300

SHA512
9ef8f020003f49d83393e597c65d2675586fa510ce77f44d87904a0ad7012e79d8255a9e9a5ff4c561c29cf98898e91fa0a44399d1720e0db0db008f6a4e9366

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
528KB

MD5
2e567c9e864a290f2d416334928e4d7f

SHA1
d5af51de9586072e0a935b7a003f8032012457af

SHA256
6aad6c58bb5c0d153f6616a6da96de179a3f6073b426b341ee17dcaecab39622

SHA512
e0a7e2d8af941c8b9708b8c1681be559b51f6db4b6c74430a519b00fc7257275d40a90a743196a244d569d6e344a03b6e796ec9071e7170a790565613c577ae7

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
632KB

MD5
cc1c342b1daa008bb876fd3af7955bd0

SHA1
7f1098cbbf9e4e2e214f4093957fad4d7e5e2328

SHA256
c949c6d3f58ff691900d654e0b31c08ba3009acc5e2b0cb48823ff983c0bfca2

SHA512
7eb83cc6f84afc8ff980f6affad5b8223e3fb2d33b41899367bfd68f9146f3f51e2fe56b84c691153ae15ca84b3fff6b9e5b8bab6691a4e8bcd20292839c0dd1

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
544KB

MD5
6fc0266c980dcbad0d576e34794d7d64

SHA1
b0b0efa68b15ee7d8433967ec98204b94459ef19

SHA256
2a64c64634beea7b8f230d9ed6c2a965949c1091093cdbe086687b9522e89f0f

SHA512
855f0bf56328092aa99c9f44466f222f8de7bd66b6f78a42c04cece4e9a98010cdf1e9bf2137de8d0fab8102cea8c51a4e2588493cbe5a18e08fef7fc59a2187

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
585KB

MD5
8a2952ea51abd89c2e9ad3a81c74283e

SHA1
0a7211d46e06275e4030cfecc43d00a06c97c854

SHA256
83ed61d1b1e859d5495bfeec99f4919a2ba10568842c095d28be4a2baf934c24

SHA512
4ba1428557282108666969dded2b252acbee3c34266730df7579eacee8710cfc1dee8b01efa18014838e406141297de771201ca31114c8d2c59ee55fed5fc58f

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3c34f3808b8417a2fee59a261e52d1bf

SHA1
4a355e61533e7be978a1537e8046fc25c0cb3b78

SHA256
1cc81f2705c7d25ad92fbc393135e847659dcc131847964e677a7dfaa513256d

SHA512
0f4a34352bf3733ccf53d5578e0284b8f7169bddd34e2ec5f086cf267dccfe3627ee8de6c0f7a761481118d25ff0e844578322f808bf215b08905da28e1ff4fd

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
617KB

MD5
6901fa5ee0e1af16cf3e229a346705cd

SHA1
bc5f47c4ed5fa939fe801eaa783d3b55d443283b

SHA256
c649d26c99f49b94ec47fe10d716ee406f76916c31ca94f4ae5125752d9c8278

SHA512
b99c490d419c937c13a566abac526e0dbd8ff7c2ce19ffbf5b88ef064c3380d52ab547d6c638709492896282db92c469af23e98e62ef0059ee414b467a2893cb

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
646KB

MD5
fe9ff578798894d90811126b5cb24c57

SHA1
c261ccb99415694c3bbdab5ddd299a895fe70a7e

SHA256
47d72e1032c81cc6c40accd9d29cfc5fa371510824e1b8eefaff58345fd0c268

SHA512
755b86dc5a7bd3301df2148ff7ce6bcabc6c833b0019b5794979393953b12c6b38a3d880a4844b21789e4118daca2abe9e4a9ef61957b989f64564193e0f9b3f

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
633KB

MD5
fa6d30186617103251b95b76163071a9

SHA1
c39fd1a03663149746d42448bedfafaf17633712

SHA256
0959f55b2f7925806faa666cc55ab322e6341cf5b4ff14015c03c6e59bf6694a

SHA512
87171c8e7bf8c8e43608a1100e26feb6f8cbe4575cd4ee61a3c574b02ded756890cc6224c724dabb6ebcd84c3f3fb42970238b9a058879979e222d1c2eea1c1d

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
522KB

MD5
cfdd5f98e7606b599599cea7855d0622

SHA1
978672b077f3b0f3fb5a257ff8b855d4f401f75c

SHA256
e6990f2f6b931a48cf92226edeb9ae9905ff017e41ea19658d640bc18472a7cb

SHA512
93be3fae88a199154ef068e3a44f29396104696ca865138aeab24ab5b8e681ed5fa7116093c91ace777bfa7e7249984a278c2554689117547b5ffef745785276

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
548KB

MD5
4db530b7de6a3404a95e9545a85af82e

SHA1
991fc1ecaac7ad273ff317c22c8fbfe03989b064

SHA256
461e74bff12d4fe57532dae5cbc7c8517d9cd45a0f825f55c2a4f35faf7514a2

SHA512
c347b7a8aecfc59ebafa27775c9e5b409446d639f5101be6c5937584d6c76f1fdeb39543c04e87b01939ac6739e6024549dc265730dd07ae25d1fbddf8c0c27b

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
facfd4373d802699d73a4046e7b3e024

SHA1
7890ba343dc984b3ea64951b2317056e30a745e4

SHA256
d956f1fabfb607b83e55c8d4af3cbad6f88b4bfee33bf33847ab4cf95758419a

SHA512
ff90e6cd3715d024321ed71433956d8f83ecc76818e4ebc4be32c7d749ad987e2eaada60d38e0c81545ca68dcb715816ec317bb8fd5e52edac256fdcd6e60775

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
ff110fcc5017cbb12ef23d6b1487b4d0

SHA1
d379148d21308bf9b4713e28636673a72e4f3110

SHA256
a173ad10c10aa1ee37aff05f3ed69c9e54ca91a3d9644fc61cd48cbf63cf69ab

SHA512
a01468f05ae9ff9ddd789651ddf9fd8a66b4e0eacf18dd47d2bc20cabb4a1d65382343818c274a1b8084d554a34c196e443c796108246b3b9239ddfefb0402aa

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
706KB

MD5
b8523096c1b4df3d8f20397162933da6

SHA1
c75f269034871347a1a44fedfe47674c78ccb3d3

SHA256
4a0a63610f8c3593bb8a934ce92710eca4833903ff679d2002d3a8dadd5f336b

SHA512
46d7c2aaffab07014c272a4e36de14b17cccf06c36560fe64f04ce468d5692eaf38a5d92b3b2a9f3dede07cd9d53ea366ec1aa9e4d7fd5b50c2dad8816d8592d

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
323d966134c072bc995f37f6edb76a91

SHA1
ae7ee3a2f3414cc220c0d335ff7feaa24a4c073e

SHA256
bf849e56dbfc3fb0e9fd9b26c7cde801a8479c71854f821cf762b34822441b51

SHA512
51f9182015d55ef25eb73417f80c0a160d3ee02cdf4f78481522ddd518cb1cee9bbcaf5c3caabd83e4fd0c95f93696acf88dcc2cb443b5485211f206bce47ee4

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a307217175c4d446853f58c211366dc7

SHA1
0831cc8785f026bab5deda47acf280c14c288c6f

SHA256
67e96556103ea887f639bd8553891429dc12104474f31398402f5afb30cd1796

SHA512
fd9131339dd85c9907840ca6ca920098703ed0df2a424fc2791e01c28cdea1db30e5543a1bdadc1a722c01979623c4dfc283fd1f2b0e2daf9d3caa1f0f0da4d2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
960fa1f51e521f6efdeeac1393acf989

SHA1
abedb7ee7fdfb80767975ce0625806a85c68a20d

SHA256
96d03d76cc631be057519c377dace902311b32bdc9d830e7ed503351177eaf7a

SHA512
5479b35fa11565d3475325121a30a66630c451ce4c93f2d5d57383233e2135271e9b6d1f745cb4b4609f4d5ea5694a50e45af1ec8c32ae7e6835516c06cdefd5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
618KB

MD5
8a2b9567ef9563a4e33813deae57edb9

SHA1
42b445cca4cbf25555530e5fb1b9dadc957ac7e2

SHA256
a7404a1732bb567fe8e8459028ba4bbfba7a1d7ed77e9422cd3796c70cc6d23b

SHA512
4b734814539395963034f4f286681fe77d7336c2d1b02f7dddd504552c017d8b7d6c78891159793bb120691b3cd6a3277add1ee4c992fdf66a49ba79d20262ef

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP99C0.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9CEB.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA0B2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA38F.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA6BB.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA9A7.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/264-177-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/264-105-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/556-454-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/556-453-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/804-303-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/808-389-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/808-373-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/808-374-0x0000000003100000-0x0000000003148000-memory.dmp

Filesize
288KB

Download
memory/808-375-0x0000000003150000-0x000000000316A000-memory.dmp

Filesize
104KB

Download
memory/808-380-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/808-381-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/808-376-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/808-372-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/808-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/808-371-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/808-370-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/840-398-0x00000000030B0000-0x00000000030BC000-memory.dmp

Filesize
48KB

Download
memory/840-412-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/840-397-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/840-394-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/840-404-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/840-403-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/840-399-0x0000000003120000-0x0000000003134000-memory.dmp

Filesize
80KB

Download
memory/1464-331-0x00000000031F0000-0x0000000003208000-memory.dmp

Filesize
96KB

Download
memory/1464-333-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/1464-334-0x0000000003270000-0x000000000328A000-memory.dmp

Filesize
104KB

Download
memory/1464-335-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/1464-337-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1716-340-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1716-342-0x0000000000970000-0x00000000009B8000-memory.dmp

Filesize
288KB

Download
memory/1716-351-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/1716-352-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/1716-339-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/1716-361-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1716-343-0x00000000032C0000-0x00000000032DA000-memory.dmp

Filesize
104KB

Download
memory/1716-341-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/1716-344-0x00000000032E0000-0x00000000032FE000-memory.dmp

Filesize
120KB

Download
memory/1732-300-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1732-298-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1764-314-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/1764-316-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/1764-313-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1764-330-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1764-315-0x0000000000710000-0x0000000000758000-memory.dmp

Filesize
288KB

Download
memory/1764-321-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/1764-320-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/1952-302-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1952-305-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2176-309-0x00000000030F0000-0x0000000003106000-memory.dmp

Filesize
88KB

Download
memory/2176-306-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2176-307-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2176-308-0x00000000030A0000-0x00000000030E8000-memory.dmp

Filesize
288KB

Download
memory/2176-311-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2272-390-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2272-391-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2272-392-0x00000000032F0000-0x0000000003304000-memory.dmp

Filesize
80KB

Download
memory/2272-395-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2312-363-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/2312-368-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2312-365-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/2312-362-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2416-178-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2416-176-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2536-452-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2536-440-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2536-444-0x00000000030B0000-0x00000000030BE000-memory.dmp

Filesize
56KB

Download
memory/2564-47-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2564-100-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2564-92-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2564-46-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2608-86-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/2608-174-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/2664-418-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2664-414-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/2664-413-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2664-415-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/2848-0-0x0000000001000000-0x00000000011AA000-memory.dmp

Filesize
1.7MB

Download
memory/2848-1-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x0000000001000000-0x00000000011AA000-memory.dmp

Filesize
1.7MB

Download
memory/2864-35-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2864-36-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2864-76-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2868-62-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2868-101-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2868-58-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2884-435-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2884-421-0x0000000003070000-0x0000000003086000-memory.dmp

Filesize
88KB

Download
memory/2884-417-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2884-426-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2884-420-0x0000000003050000-0x000000000306A000-memory.dmp

Filesize
104KB

Download
memory/2884-425-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2928-438-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2928-436-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2948-55-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2948-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2948-21-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download