expiro | 330558405a5486392d856908bf7592473c817685d266289b425e93a676661bee

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
Size

618KB
MD5

644e4d14dc2e71ecc9d70a2da540a360
SHA1

16c218c345c43c62bc8521ca2ae6f6dafd0fc2dd
SHA256

330558405a5486392d856908bf7592473c817685d266289b425e93a676661bee
SHA512

ba6434209666d03aaeb921b0434b4dd5c27e816a3bb92a86f89abb03fb9b6bc8b9c3f9d18752f6e36fc84d82fe9138b3e65fa22921b0eb6f3d99f179f8762e4a
SSDEEP

12288:mbhv02bZop2mk2jALtaOWe6x9aGMjefpxlLpNjt6bVqyYSiOPAW:mb502b2pdkKARIe6qGIYxpjgVDYgF

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1812-2-0x0000000001000000-0x000000000125A000-memory.dmp	family_expiro1
behavioral1/memory/2668-53-0x0000000010000000-0x0000000010258000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2668	mscorsvw.exe
472	Process not Found
2556	mscorsvw.exe
2968	mscorsvw.exe
2496	mscorsvw.exe
1088	elevation_service.exe
1628	IEEtwCollector.exe
580	mscorsvw.exe
2276	mscorsvw.exe
3056	mscorsvw.exe
1924	mscorsvw.exe
1516	mscorsvw.exe
2484	mscorsvw.exe
1996	mscorsvw.exe
1000	mscorsvw.exe
2420	mscorsvw.exe
1604	mscorsvw.exe
2636	mscorsvw.exe
2540	mscorsvw.exe
1804	mscorsvw.exe
3004	mscorsvw.exe
2808	mscorsvw.exe
2972	mscorsvw.exe
2688	mscorsvw.exe
676	mscorsvw.exe
1392	mscorsvw.exe
3028	mscorsvw.exe
840	mscorsvw.exe
2372	mscorsvw.exe
1044	mscorsvw.exe
2592	mscorsvw.exe
1188	mscorsvw.exe
3008	mscorsvw.exe
1484	mscorsvw.exe
2992	mscorsvw.exe
940	mscorsvw.exe
2940	mscorsvw.exe
2812	mscorsvw.exe
1988	mscorsvw.exe
592	mscorsvw.exe
1960	mscorsvw.exe
2908	mscorsvw.exe
2272	mscorsvw.exe
2480	mscorsvw.exe
2288	mscorsvw.exe
2124	mscorsvw.exe
2544	mscorsvw.exe
2620	mscorsvw.exe
1420	mscorsvw.exe
2404	mscorsvw.exe
1868	mscorsvw.exe
2948	mscorsvw.exe
2824	mscorsvw.exe
1656	mscorsvw.exe
2844	mscorsvw.exe
1936	mscorsvw.exe
1988	mscorsvw.exe
1148	mscorsvw.exe
1776	mscorsvw.exe
2848	mscorsvw.exe
2900	mscorsvw.exe
3068	mscorsvw.exe
2344	mscorsvw.exe
2240	mscorsvw.exe

Loads dropped DLL 52 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
1996	mscorsvw.exe
1996	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
1804	mscorsvw.exe
1804	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
1392	mscorsvw.exe
1392	mscorsvw.exe
840	mscorsvw.exe
840	mscorsvw.exe
1044	mscorsvw.exe
1044	mscorsvw.exe
1188	mscorsvw.exe
1188	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
940	mscorsvw.exe
940	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
592	mscorsvw.exe
592	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
2480	mscorsvw.exe
2480	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe
1868	mscorsvw.exe
1868	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
2744	mscorsvw.exe
2744	mscorsvw.exe
596	mscorsvw.exe
596	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
1416	mscorsvw.exe
1416	mscorsvw.exe
2424	mscorsvw.exe
2424	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1488793075-819845221-1497111674-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1488793075-819845221-1497111674-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\S:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\X:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\H:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\V:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\W:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\N:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\P:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\M:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\O:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\U:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\Q:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\T:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\Z:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\L:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\R:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\Y:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened (read-only)	\??\K:	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\SysWOW64\fmcpckiq.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\qhaapboc.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\npjfleoj.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\jggacfdo.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\SysWOW64\nhadnodl.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\system32\fjbmeeck.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\kinceelf.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\kfpqgahq.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\hfomomqo.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\wbem\hfeogoce.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\gipppjdg.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\SysWOW64\hhkfkbqg.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\SysWOW64\klijaakn.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\bebbnoip.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\miejkghb.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\windows\system32\mqdpnena.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\cpkcoelj.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\npfilhlc.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\nblanedk.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kefbfhkg.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\llopmkim.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dgilkpmn.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bejqhopk.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\nlfifejp.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gnciljmn.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\iibndipn.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\nimidobm.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\qcogljfn.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9EA0.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	\??\c:\windows\ehome\cjgohqof.tmp	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB6E1.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP17C5.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBE31.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2230.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB29D.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB931.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAC56.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC0A1.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP26E2.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1812	JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 580	2496	mscorsvw.exe	37
PID 2496 wrote to memory of 580	2496	mscorsvw.exe	37
PID 2496 wrote to memory of 580	2496	mscorsvw.exe	37
PID 2496 wrote to memory of 2276	2496	mscorsvw.exe	38
PID 2496 wrote to memory of 2276	2496	mscorsvw.exe	38
PID 2496 wrote to memory of 2276	2496	mscorsvw.exe	38
PID 2496 wrote to memory of 3056	2496	mscorsvw.exe	39
PID 2496 wrote to memory of 3056	2496	mscorsvw.exe	39
PID 2496 wrote to memory of 3056	2496	mscorsvw.exe	39
PID 2496 wrote to memory of 1924	2496	mscorsvw.exe	40
PID 2496 wrote to memory of 1924	2496	mscorsvw.exe	40
PID 2496 wrote to memory of 1924	2496	mscorsvw.exe	40
PID 2496 wrote to memory of 1516	2496	mscorsvw.exe	41
PID 2496 wrote to memory of 1516	2496	mscorsvw.exe	41
PID 2496 wrote to memory of 1516	2496	mscorsvw.exe	41
PID 2496 wrote to memory of 2484	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 2484	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 2484	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 1996	2496	mscorsvw.exe	43
PID 2496 wrote to memory of 1996	2496	mscorsvw.exe	43
PID 2496 wrote to memory of 1996	2496	mscorsvw.exe	43
PID 2496 wrote to memory of 1000	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 1000	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 1000	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 2420	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 2420	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 2420	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 1604	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 1604	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 1604	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 2636	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 2636	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 2636	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 2540	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 2540	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 2540	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 1804	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 1804	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 1804	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 3004	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 3004	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 3004	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 2808	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 2808	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 2808	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 2972	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 2972	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 2972	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 676	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 676	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 676	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 1392	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 1392	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 1392	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 3028	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 3028	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 3028	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 840	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 840	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 840	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 2372	2496	mscorsvw.exe	58

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 1f4 -NGENProcess 1f0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 27c -NGENProcess 1c0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1c0 -NGENProcess 26c -Pipe 154 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 284 -NGENProcess 1d4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 26c -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 27c -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 258 -NGENProcess 27c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 298 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 1f4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1f4 -NGENProcess 258 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2ac -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b4 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 258 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2bc -NGENProcess 2a0 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2ac -NGENProcess 2bc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 29c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 248 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e8 -NGENProcess 298 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 298 -NGENProcess 2d8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 298 -NGENProcess 2e8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 298 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c4 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2d0 -NGENProcess 308 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2fc -NGENProcess 2c4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 31c -NGENProcess 314 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 314 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 32c -NGENProcess 31c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2d0 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f0 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 31c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2d0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 338 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 330 -NGENProcess 2f0 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 340 -NGENProcess 32c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2f0 -NGENProcess 324 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 350 -NGENProcess 2c4 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 324 -NGENProcess 358 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 2c4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 358 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 350 -NGENProcess 2c4 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 33c -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 370 -NGENProcess 354 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 358 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 364 -NGENProcess 370 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 380 -NGENProcess 338 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 2c4 -NGENProcess 370 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 364 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 378 -NGENProcess 324 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 394 -NGENProcess 370 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 388 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 324 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 370 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 324 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 370 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 398 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a0 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 358 -NGENProcess 3bc -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c0 -NGENProcess 3a0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3ac -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 2b4 -NGENProcess 3bc -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 3cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 1dc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3cc -NGENProcess 3c4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3e0 -NGENProcess 1dc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent a8 -NGENProcess 3dc -Pipe a4 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 3d8 -NGENProcess 3c4 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3d0 -NGENProcess a8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 3ec -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e4 -NGENProcess a8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 1dc -NGENProcess 3d0 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3c4 -NGENProcess 3e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 408 -NGENProcess a8 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3d0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3c4 -NGENProcess 410 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 414 -NGENProcess 178 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3e0 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3f4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 178 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3e0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 438 -NGENProcess 178 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 42c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3e4 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 178 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 42c -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 3e4 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 178 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 43c -NGENProcess 42c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 444 -NGENProcess 450 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 45c -NGENProcess 448 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 178 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
49bcb1976da14c019c6452cc46a7aed3

SHA1
aa8e160122e90fcfd19741794bd1086d577b68a7

SHA256
f9df5d5fb89c6cde59e36564e7a0df10de757f2b7c5dd7c61476ac0a1d581925

SHA512
69aa05eadbde7db2b6a7a2e31ed39eff8a4b22116018acf67ec4d286061949ee81ace9d2eacd75ad8c8ea823e624badb19a94811082069bcacbe2f7157581d98

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
8e10da5e1bf20973a6ecdfe39c4af8bc

SHA1
5fe63f95b4c174d1a24ffd15954fd0cc57938386

SHA256
c7f322d44093d757c33b8bdf019b71420a423f6040549b437b680baf475041c6

SHA512
c7c569c0eae755f43ac653900ea09b6ab5f99f932c2793fd93b678ce374bcd5704ae25131da14b204debfb7b18e2e05088109954a35c42afd70451199c986fe8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
39e8d01aff08aaf0fe46dbb8c2b249ee

SHA1
6bc5013f3ae0ecf0474c76124eec1c445beb2eb6

SHA256
afa322935a69e5153ae6fc582062664e1e2406ed4b2091d02f48493872774f8b

SHA512
b0389c9c8b29b2381a465fa8eeeecaaf5385058dac49cc644d948e2d250763992e26d5bb97b4054ad812a1b0db416bafdd82a9f86c65d7a038cddacea0ac7161

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
fd5cfac9b1f079c8faf9d7aeae080a78

SHA1
d663810d94e76ca6bd6ad3931ede2851bd0a28ba

SHA256
89f9b9f2b080fc58c1674b27176ddd5f655273ba0bca96975fc3c097e5b7931d

SHA512
18bdce5497f0036655a15ba0a7239122a49fda89d77f2f446433bd4ad406d752cc7c4140c19e79f5042d91ba49e57b485c0c86a777767afd141144872743c7ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
dff945fb221b5c047f9540cbbd16f82f

SHA1
f375187da67ba52fc9e860111f03cf7a944b1c36

SHA256
9f04996d581c48555531ebc623c42ea1514a1003f58c0a559e91a77bf54a2a9a

SHA512
0be3d4390d30693706a61100c02aa245639aaaa509d13579387b669c065f084eee1fd3f20965d0ef9ea3af7bafdaf92cf0498fac0b4d85550b9857e02854cf77

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9ce072a3a71cf2e9b7c6731f3b7c62bb

SHA1
53c8d7fe3cbf7700eadd341fb03062aecf91fca8

SHA256
52b3710497764a4f0351d30ab0a1f32d2b78d916752b017414557fbbb9da12d6

SHA512
7e8fa5addd081f4c597e060f970e54a8c650d117c6f262f6e830529b71b0dfadb505a8a2908c84e4bae963dde533cd3a135bf22490d42ae1318c2a58dfb07a5d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
9c5b8821026dd4e4541106a19d53082f

SHA1
8eeb202a2581450bb826d3084e45c352279bfce6

SHA256
f649255333f8c1e2947dce3ab95dd4efe3dcd77324b6687dbe71f7ecc209c31a

SHA512
9d12d016dfeb5d19210e2ecd88defc6bc7a0cd66878792aa96b4025f339bf334126678fb001d25b3e8a697e42e238f56f3e64163788fd07de9ec8fbd45582c89

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
984463b58106c418f93417daabd4e540

SHA1
de249d2f82c374f4be40495e5c8f9fc61ee22053

SHA256
1d8001a8f6873ca43b3b0a2a901617a426e49b11ee3dd0ab8d1ce4fe1c7a562a

SHA512
e66984056094e1f835673fdd2eec27768db236e15a6048b1d328b3f9f081de5b1bcbdd383bd244ed7fce969f2928ecab04adb4b2c4577b395c6eb3c6395e0891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
478fe1a916a2f3004fd11bec5e60e8a7

SHA1
7f98d3cf2736e86707a41cf7067ddf3eb08dd3f9

SHA256
83b6d65de97c6d2f71ab513bd84649ddec03cbd8d10f8b30bee7af3cf4a167d0

SHA512
480c833502d0f1f033eeeff00cff479adeb7997b51e6c66c59b5d8a3bf6c0041f1529a46437b45cfd1aa2a09d335160d7ecf74111fb2049eabf564f689392142

Download Submit
C:\Windows\Temp\Cab169C.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar17E6.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\38d1db7279097937bc14ca53adb3d6c4\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
0b6c2295fccac47f35c46b79fee5fd93

SHA1
bccca049a6889facd4aaaf611321528350b74e71

SHA256
78b9644d8ea1dd8e11a8b2a5c70e3fda4f9e6b6ae048e99c62cc15a1fb67ebac

SHA512
9d0a5ca8d8cf6d7d1c7db104f617605e45f88b28056621b6ca74a0edd7b36a1bbe344aa7d14e0efb2e1428b4defd3f2db3503fb19edbb68e793ec9b49e337aa9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3d9c5caab700e1c866fbad07d9ac4cbd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
7bae29992191cb8844c6fb9dfa3f1b44

SHA1
4cdd21c54d50f167f6b74716475431b2c90bd4cf

SHA256
08841acde4762c4a9094afcad0611f063be114ffff3b7b18e856ee924fefb3a5

SHA512
9ab88ce48bd8c5fe7bd6b7983d476f18bac582435bb6c6c96fc3e5de2f8b3cc03fce3f2c63d4ab5e22220cb8e882dd7fe822481bc0442f9010bc8d6b89b75425

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\769e5729bde12f3aabb543d6a83b90ce\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
541f9e8d24a235585066dc6564606e84

SHA1
14ba22365ddfe99b090b2d93243ed7b8577f3998

SHA256
79ae44579d219d2513fe763640b5621e607cf2c139296e4dacb90571e57cf999

SHA512
6aaaf7e0afa46d4ca13e427945d3a472cdda4fbeea4dc97ae5c38efa30f3b7635904de74a4436d4ffa6f77a22e89843fbe45f7cb2fd2f831cb1b64aee640619a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ca8253bf02d8095c20d2c91cb44607ce\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
66e64893efa07f9df1010a6278926b04

SHA1
26d33c29ae6b50ccda66bf0aa1605e448885626a

SHA256
7a571130bfe3117f2e36bb64621ebfdf08474f24c564fa5ed36976142e3a86d5

SHA512
bdf919eaf3abacd044c55a9c1717e939d0ff5a017ad1f57c7b80450964a31f0a4c31d241f7b6869fecc24916ea50a571e8a5267bebdecc39dedae898de3c8472

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
9949178561c5b1144e2eff3e6db11a23

SHA1
051b89c3e9b6d2aba8e7d028235369313056e786

SHA256
cbb62bf30830333777f785267252be62d05c6bf78b0377aca54488b50e77f767

SHA512
60922a8cd1804c13d0a1a51fcac889b2983ed5debf9668ae26dfa3983b50ddd795303d6a7b41d935369499d2b1c4c08b4abd4b65553cae297ba4131c88f73be1

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
2af4c27faa9bde151290d3630a75e144

SHA1
462d605b5f1e9f97fc39c7f5763cf70e3f05e4cf

SHA256
ad2f667e6df480eeb0785f56d2fbb8eb6fd5cd2a0b8f65a5f944449ea9423e33

SHA512
0e02efdd2a0ac59044c4620d62ab045a97d998a68fdd53ffd49da37379b575db026608d322dead7aa8dfd83c868e8ba2a64ef05edcd245fe0dc6425c8ff608ce

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
773KB

MD5
ae2f06cd728d44d2bdd8acae820a6011

SHA1
afdf0cdf9fa4b32381b6bedd8314edf70f89bccd

SHA256
f4061862bccdff8c4b418429efce1cddd9ae2a518cb456fc1d21de1183b0e191

SHA512
3b0189b4817f54e5fcd6688a6bcaf569cea979975a48c1c35fd1109e7cd92edde98301332ac76e5950c37406ca1f1b46f98d7f4e2aa9f6ce44d3e1b79429be90

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
4067bc402a86e32d68308c1259e4e6ab

SHA1
646fcaad52a8ed1d136d287f945f081731079b8a

SHA256
df5eafb27410eb4ec53325aae5379a5af58bc764c5f33b9a5654cb7f328eff43

SHA512
11d16468bba94a689b9c63864bd697da994efb6598883c98870ff9ed34c2729fb8c302e57ac8dad6ed9d5db46640a4e3eb71c0eeb10583695c9156178c8f967b

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
23f8094039eb230b52edfda7dc6e8ca0

SHA1
7ed0d9bb1b75cf6be5a44b36149d58aae2dc9b3d

SHA256
64884c1bb7ecf823bc115d8b48af97de9695045ba41ee9d241cf6b5c3f5dbdac

SHA512
cc17475075ac54ae8053a9abc4077b00132f4c8b58a2746814d5f3d5e403d0dc700a3b4f972911cf2c90a73a0f619becf26d7e3cced62c8f31e6c383c7937ac6

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
c34273b9ac788c8749cae63494678467

SHA1
7d950c8afc3e3fe03d48af5b414493e5327e380f

SHA256
23c1f1cfb79304a4b6c3d0f140c15b486c0440f84ac13af98580ba4fb84d2211

SHA512
e1ff8f5e0ca33f82e8848899d74e892c2212578f871ea2dbf4bd4d39d7bd0dc8f286ea3e2d02563a13f1071c1a38453638c758c69aca515a7a4ce2d03d8cb0f4

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
9e165e3cf3e8392c534679391e275d65

SHA1
f604076341fd51f20bb80a703dc50b79a82cfc11

SHA256
46a4c50f329f197949281a893c9a4a4005dd7419eacaf7c23459e77ab425b8bf

SHA512
98c19139572d7d6fe0e85cb95e7b2bd029f77530a7a3505f647bd77a26b92d5ae966bd97cfd270297f1ebd6a075de3674ad4dd9fe19fa9561907a5678923bd4e

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
a198a07645c7c34dc56341e57ef26b6c

SHA1
c5bbe3feca1463ccacc1da25fa619d24df70b804

SHA256
ea17e986bd921d15e45557282b6a62b272102598d2b6fb92ac4466df1bbec89b

SHA512
5370462f793bd913089ea7daefac6f0c5b92f2f5613ffa31be963f00595dafba307c95aa8e89d8617ab7d2543921698dd3218e66dc3287719760f784bbda1a3a

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
5d2538bbcb650d2d54746986b16e18f1

SHA1
a58151fb42d748f1856aca4411283bb070d84e46

SHA256
e881b98660d849b82763874d688093770b30bc92a9abaaab66c2ba3f76490b20

SHA512
1f5955359e126a25fa91ab71f128f55471d335a0cfdf5e8dd82ea5065612779f394bef34f4c3592735e901d62b6f3be3456c6c747a3a283b7ed15165ca85f6f6

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
e1ec3652b2de3c3613bdca079cbe3577

SHA1
cc6e278ea15e91f9b20fcdcc36545d7e3f282e16

SHA256
89ab366a970a5672a8d2751cad1c30f1ac64b1912e220da09a5398d2ec9bb0ab

SHA512
32b4a14e7f966e4de4096b22bc76aa655649b2490a8e547f97af7bce77cea1f2ed4982aef06ba23855c22e211cbd4038f7c6568f7e7ffce975416a1fdb712051

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
10e93e35529fce159e8ed9111737d2d3

SHA1
b6a58ed21ef4d069048567453c3a9e72e09492d5

SHA256
eae66655184d19093dd99f8d981cbc34a6f6e94a557d9c3fcc201b678696cecd

SHA512
0bfe2ce8b7a08096fcbce538b3a7a48c5a90509c3483a3498fb88a7241119716d68ec9c599094a40f17e6bd8549c6b89af9e7e984c706e3b2f2430e7a9f41062

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
3eec53b6dff82171aa32411b8508f8e3

SHA1
aea30d3b864565a2ffc33f9154f7ca6db98204d6

SHA256
30e51c3551b36a32a1740061b355d2d4885fc14648c36f58540c39acc865e5ad

SHA512
04acba5fe29ad6e01e61a01791622997577bc343fa78f112308dc5a34357c31ae220b2d55b3df67c741e195eeedbf5cdd81ed21b6301e9e3773059a7d69a8c84

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
984e2aec216afffbf8d36f1ca1bf0e2d

SHA1
3add94cacc59909d51aa04c5d6784e69c7da38cd

SHA256
4e68ad75864703833e997145eb9984fdb2e0b33054713c45ae1c7b79f7abc675

SHA512
47731fd306ef663d87852a8f8ff27cb1194cafe688de660470c822b087dc2226e6a4ecba5d446fb38ce6f06ff9f5ca55bb8033c51167d09c978f01de5264a130

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
e74ec446155c045f05e48396dba5d51e

SHA1
21799efa78fe88ebc11df9d56be3db0a006c2335

SHA256
bfde21ced281d60bea4ada9ff01ec52bcb44a091955aaf6de3d279bc990928bd

SHA512
df662520ca97f196267e8cb4a01f9c96e5616a0df7908ea36769ad2a79861b120f3a45a4136e1dcca18ae3e75a458fbaa766e118f8d8d3eac10344f39bdec33a

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
76e6d1eb090a5d0cfacad83cd25f1703

SHA1
2871232ef9bde591cedda484f0dc072b8046fec5

SHA256
03603b2f97f44f8a9764ef0bbab4699af1b3be9d92daa832084f26b54ed5d5ae

SHA512
af97dbd7e4b8a19d91a8382a25826df789eedcd36b381b701c0e485e3d4c2df5224832788359839202c8f09b48fd4afd0d5b9404390e374e0eefe0ad72fba1dc

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
1034012569ea07d4f4e84b1595aa984e

SHA1
21536b0443f8756eefb49aa37c8476ada9e53fdd

SHA256
c21c3b940e054e5d7347c7b97446bfa207fd3ccb0e756eb58455898b1b1d4917

SHA512
41210bc5c2d30c84e8eb6f520bb79eeffa220e5bea673c3a6849b50a86a0e6b59ff0bc9faadc93069cc0f6eda2cba420ab4128e7e02f3d6be9274a89fcfa70d0

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
7b030b5df2f0cf8ca9b78d36f1b606b2

SHA1
2623b90a66b3e7c47320d0177c079970422d29e4

SHA256
05b0b778abf89cd820dec5040b668e56f4cdb53947f7575f15808921a348b8c7

SHA512
2f4339325908f6cccf6fb413c1fcba699a8877c9f73e986bd96beaf668a67af5a9bc4a70a5757a9df66c1360c778a7d038a807b4de1d33f7b9d546ca3d9479fa

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
bf8cb9f336477a6363ca55b3804bd1db

SHA1
d5c6c69cc7f336a89f3a0bec9a1642853c6b9714

SHA256
7e0e32dcf79627b8c422667bac89c83fe7c24006b79a0c451e42272b8f6f088e

SHA512
2ce5fd363bc41bc82a68e0b2a53b2c216702a86b18b91ca1e58fc046aab500a379043cfe113461cbe5fd5cb20cfd7ed0313f9f500b4504b36a2c4ce260fce177

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ec475dd6b044fde95a2f996333ec800e

SHA1
257f6dbd6a9a61bb929fc7c48c0d1803e962dff4

SHA256
dfbadd98f63af9b2bf172f01a67c4c524b8686fba342846de94d035893f355d2

SHA512
20531e77fbed3171b7fae568d795d094d2b2e0d0cadb56b6b21f62ab432c470151fcdd9535447c3b425acd355d92349fcfc44a7b562e770dac01331d84d2db09

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
cd216b49c17b5a9fed2e993df4cf8042

SHA1
f4851a3158143a182990365ab5f0e75770d53b0b

SHA256
53aea09994fc0a8c69b98fe7072a1c60ddc5e8dc23b7d02116ea466cf896d219

SHA512
9897c951379cda7841b25958f71ee240edc999280d68d4963345f8287c467312c7ae3fc0f7b6b7a3725a1f209ced695b9a9ec1b7e8fe6da7aa7829b4aa6e0e5e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
8622a478589f4f9e5b2e8ceaa82974aa

SHA1
b72df2597468e8de359af1bea194f46541202e1b

SHA256
30a786ddf9b55213ed8f40a78587a6524ae548088a9d1ba3eeaa88d3d8d82d45

SHA512
75ce9697b7abf20e4ea73d375282c79e6bdd43192afbe152993608d5079c4b40932904fae51294bacaa00f9c2b8f318e6dd01691d37dd64a0c55636612080b5f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
8dc1761aef169a183c5fd2d436eb70c9

SHA1
22f0dfe0527582a6bffef0ad895e66e1407be998

SHA256
1ec01634ab3277212a1163aa77161afa6fbdcfa140bbdb176dd05527fea4f8ef

SHA512
dd8631c9fc5b686b4413d240edaf08ca08fd03aed61dd1dbffa97986ff99e34ed19921878e758767f7670c7d0abee4b7886145125b8e75db78230e5f2a2880c7

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9BF1.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9EA0.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA238.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA4F6.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA757.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
memory/580-163-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/580-186-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/676-486-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/676-488-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1000-362-0x00000000008C0000-0x00000000008D8000-memory.dmp

Filesize
96KB

Download
memory/1000-368-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1000-366-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/1000-365-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/1000-364-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/1000-360-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1088-86-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/1088-165-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/1392-491-0x0000000003140000-0x0000000003156000-memory.dmp

Filesize
88KB

Download
memory/1392-499-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1516-335-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1604-394-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1604-401-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1604-399-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1604-403-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1628-181-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1628-93-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1628-246-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1804-438-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1804-432-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/1804-433-0x0000000003130000-0x000000000313C000-memory.dmp

Filesize
48KB

Download
memory/1804-434-0x000000001C540000-0x000000001C554000-memory.dmp

Filesize
80KB

Download
memory/1804-439-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1804-449-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1812-2-0x0000000001000000-0x000000000125A000-memory.dmp

Filesize
2.4MB

Download
memory/1812-1-0x000000000100B000-0x000000000100D000-memory.dmp

Filesize
8KB

Download
memory/1812-0-0x0000000001000000-0x000000000125A000-memory.dmp

Filesize
2.4MB

Download
memory/1924-332-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1996-343-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/1996-350-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/1996-344-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1996-345-0x0000000000980000-0x00000000009C8000-memory.dmp

Filesize
288KB

Download
memory/1996-346-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/1996-361-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1996-351-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/2276-187-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2420-372-0x0000000002FB0000-0x0000000002FBE000-memory.dmp

Filesize
56KB

Download
memory/2420-384-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/2420-383-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/2420-376-0x000000001CA10000-0x000000001CA2E000-memory.dmp

Filesize
120KB

Download
memory/2420-375-0x0000000003050000-0x000000000306A000-memory.dmp

Filesize
104KB

Download
memory/2420-374-0x0000000003000000-0x0000000003048000-memory.dmp

Filesize
288KB

Download
memory/2420-393-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2420-373-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/2420-371-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/2420-370-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2484-336-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/2484-341-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2484-334-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2484-339-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/2484-337-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/2484-338-0x00000000009B0000-0x00000000009F8000-memory.dmp

Filesize
288KB

Download
memory/2496-161-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2496-58-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2496-57-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2540-430-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2540-428-0x00000000031D0000-0x00000000031E4000-memory.dmp

Filesize
80KB

Download
memory/2540-427-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2540-426-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2556-67-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2556-42-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2556-35-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2636-405-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2636-411-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/2636-406-0x0000000003240000-0x000000000324C000-memory.dmp

Filesize
48KB

Download
memory/2636-407-0x0000000003250000-0x000000000325E000-memory.dmp

Filesize
56KB

Download
memory/2636-416-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2636-425-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2636-408-0x0000000003260000-0x0000000003276000-memory.dmp

Filesize
88KB

Download
memory/2636-409-0x000000001C4F0000-0x000000001C538000-memory.dmp

Filesize
288KB

Download
memory/2636-410-0x0000000003280000-0x000000000329A000-memory.dmp

Filesize
104KB

Download
memory/2636-415-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2668-53-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2668-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2668-21-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2688-487-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2688-478-0x0000000002FF0000-0x0000000002FFE000-memory.dmp

Filesize
56KB

Download
memory/2688-476-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2808-461-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2808-455-0x00000000007B0000-0x00000000007CA000-memory.dmp

Filesize
104KB

Download
memory/2808-470-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2808-460-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2808-456-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/2968-46-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2972-474-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2972-471-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2972-472-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/3004-453-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3004-451-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/3004-448-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3004-450-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/3056-330-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download