expiro | 67eb7fd773412f45592e93da44f06960c92a245aae356349dee9171f5ed8bae6

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
Size

875KB
MD5

679336e9681bce4babde58d1822cf584
SHA1

37018add47ff572ba48adac742fb8dc7272c4832
SHA256

67eb7fd773412f45592e93da44f06960c92a245aae356349dee9171f5ed8bae6
SHA512

160e727989f9c59586961b3c97b2fa90a497efc5c3ce9f7e67365a5f44d3c9fa4986eb589599bb73fba8403242a527aa8d6ee3e93c59296731de67f82ecac4c5
SSDEEP

24576:pQtN/7DSBfWhzn6OZTxJ2L+AH7W7lvgX:pKh7GBfWBn6OZTkH7Qo

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1104-2-0x000000004AD00000-0x000000004AF06000-memory.dmp	family_expiro1
behavioral1/memory/2796-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_expiro1

Executes dropped EXE 50 IoCs

pid	Process
2796	mscorsvw.exe
464	Process not Found
2844	mscorsvw.exe
2596	mscorsvw.exe
2764	mscorsvw.exe
1620	elevation_service.exe
2912	IEEtwCollector.exe
2984	maintenanceservice.exe
2040	mscorsvw.exe
2384	mscorsvw.exe
600	mscorsvw.exe
2228	mscorsvw.exe
1808	mscorsvw.exe
1700	mscorsvw.exe
1396	mscorsvw.exe
1592	mscorsvw.exe
2300	mscorsvw.exe
684	mscorsvw.exe
2756	mscorsvw.exe
3064	mscorsvw.exe
2660	mscorsvw.exe
1688	mscorsvw.exe
1532	mscorsvw.exe
1640	mscorsvw.exe
516	mscorsvw.exe
1672	mscorsvw.exe
1180	mscorsvw.exe
872	mscorsvw.exe
2264	mscorsvw.exe
2040	mscorsvw.exe
2180	mscorsvw.exe
1656	mscorsvw.exe
536	mscorsvw.exe
2704	mscorsvw.exe
928	mscorsvw.exe
1156	mscorsvw.exe
2436	mscorsvw.exe
2608	mscorsvw.exe
1464	mscorsvw.exe
944	mscorsvw.exe
568	mscorsvw.exe
2052	mscorsvw.exe
2124	mscorsvw.exe
1528	mscorsvw.exe
1180	mscorsvw.exe
2180	mscorsvw.exe
2812	mscorsvw.exe
2748	mscorsvw.exe
1100	mscorsvw.exe
2948	mscorsvw.exe

Loads dropped DLL 37 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1396	mscorsvw.exe
1396	mscorsvw.exe
2300	mscorsvw.exe
2300	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe
516	mscorsvw.exe
516	mscorsvw.exe
1180	mscorsvw.exe
1180	mscorsvw.exe
2264	mscorsvw.exe
2264	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
536	mscorsvw.exe
536	mscorsvw.exe
928	mscorsvw.exe
928	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
1464	mscorsvw.exe
1464	mscorsvw.exe
568	mscorsvw.exe
568	mscorsvw.exe
2124	mscorsvw.exe
2124	mscorsvw.exe
1180	mscorsvw.exe
1180	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\L:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\T:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\S:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\N:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\O:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\I:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\M:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\R:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\U:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\K:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\P:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\Q:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\X:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\Y:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\V:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\W:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened (read-only)	\??\Z:	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\vds.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\system32\ui0detect.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zFM.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Internet Explorer\ieinstal.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\DVD Maker\DVDMaker.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\7-Zip\7zG.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\ehome\ehsched.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEA1.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEA7E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2AE7.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP13BF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFE0E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1ED6.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1AD1.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP38BC.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1104	JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2040	2764	mscorsvw.exe	40
PID 2764 wrote to memory of 2040	2764	mscorsvw.exe	40
PID 2764 wrote to memory of 2040	2764	mscorsvw.exe	40
PID 2764 wrote to memory of 2384	2764	mscorsvw.exe	41
PID 2764 wrote to memory of 2384	2764	mscorsvw.exe	41
PID 2764 wrote to memory of 2384	2764	mscorsvw.exe	41
PID 2764 wrote to memory of 600	2764	mscorsvw.exe	43
PID 2764 wrote to memory of 600	2764	mscorsvw.exe	43
PID 2764 wrote to memory of 600	2764	mscorsvw.exe	43
PID 2764 wrote to memory of 2228	2764	mscorsvw.exe	44
PID 2764 wrote to memory of 2228	2764	mscorsvw.exe	44
PID 2764 wrote to memory of 2228	2764	mscorsvw.exe	44
PID 2764 wrote to memory of 1808	2764	mscorsvw.exe	45
PID 2764 wrote to memory of 1808	2764	mscorsvw.exe	45
PID 2764 wrote to memory of 1808	2764	mscorsvw.exe	45
PID 2764 wrote to memory of 1700	2764	mscorsvw.exe	46
PID 2764 wrote to memory of 1700	2764	mscorsvw.exe	46
PID 2764 wrote to memory of 1700	2764	mscorsvw.exe	46
PID 2764 wrote to memory of 1396	2764	mscorsvw.exe	47
PID 2764 wrote to memory of 1396	2764	mscorsvw.exe	47
PID 2764 wrote to memory of 1396	2764	mscorsvw.exe	47
PID 2764 wrote to memory of 1592	2764	mscorsvw.exe	48
PID 2764 wrote to memory of 1592	2764	mscorsvw.exe	48
PID 2764 wrote to memory of 1592	2764	mscorsvw.exe	48
PID 2764 wrote to memory of 2300	2764	mscorsvw.exe	49
PID 2764 wrote to memory of 2300	2764	mscorsvw.exe	49
PID 2764 wrote to memory of 2300	2764	mscorsvw.exe	49
PID 2764 wrote to memory of 684	2764	mscorsvw.exe	50
PID 2764 wrote to memory of 684	2764	mscorsvw.exe	50
PID 2764 wrote to memory of 684	2764	mscorsvw.exe	50
PID 2764 wrote to memory of 2756	2764	mscorsvw.exe	51
PID 2764 wrote to memory of 2756	2764	mscorsvw.exe	51
PID 2764 wrote to memory of 2756	2764	mscorsvw.exe	51
PID 2764 wrote to memory of 3064	2764	mscorsvw.exe	52
PID 2764 wrote to memory of 3064	2764	mscorsvw.exe	52
PID 2764 wrote to memory of 3064	2764	mscorsvw.exe	52
PID 2764 wrote to memory of 2660	2764	mscorsvw.exe	53
PID 2764 wrote to memory of 2660	2764	mscorsvw.exe	53
PID 2764 wrote to memory of 2660	2764	mscorsvw.exe	53
PID 2764 wrote to memory of 1688	2764	mscorsvw.exe	54
PID 2764 wrote to memory of 1688	2764	mscorsvw.exe	54
PID 2764 wrote to memory of 1688	2764	mscorsvw.exe	54
PID 2764 wrote to memory of 1532	2764	mscorsvw.exe	55
PID 2764 wrote to memory of 1532	2764	mscorsvw.exe	55
PID 2764 wrote to memory of 1532	2764	mscorsvw.exe	55
PID 2764 wrote to memory of 1640	2764	mscorsvw.exe	56
PID 2764 wrote to memory of 1640	2764	mscorsvw.exe	56
PID 2764 wrote to memory of 1640	2764	mscorsvw.exe	56
PID 2764 wrote to memory of 516	2764	mscorsvw.exe	57
PID 2764 wrote to memory of 516	2764	mscorsvw.exe	57
PID 2764 wrote to memory of 516	2764	mscorsvw.exe	57
PID 2764 wrote to memory of 1672	2764	mscorsvw.exe	58
PID 2764 wrote to memory of 1672	2764	mscorsvw.exe	58
PID 2764 wrote to memory of 1672	2764	mscorsvw.exe	58
PID 2764 wrote to memory of 1180	2764	mscorsvw.exe	59
PID 2764 wrote to memory of 1180	2764	mscorsvw.exe	59
PID 2764 wrote to memory of 1180	2764	mscorsvw.exe	59
PID 2764 wrote to memory of 872	2764	mscorsvw.exe	60
PID 2764 wrote to memory of 872	2764	mscorsvw.exe	60
PID 2764 wrote to memory of 872	2764	mscorsvw.exe	60
PID 2764 wrote to memory of 2264	2764	mscorsvw.exe	61
PID 2764 wrote to memory of 2264	2764	mscorsvw.exe	61
PID 2764 wrote to memory of 2264	2764	mscorsvw.exe	61
PID 2764 wrote to memory of 2040	2764	mscorsvw.exe	62

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_679336e9681bce4babde58d1822cf584.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 198 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1b8 -NGENProcess 1dc -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 268 -NGENProcess 234 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 270 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 234 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 234 -NGENProcess 250 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 25c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 294 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 290 -NGENProcess 28c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 28c -NGENProcess 240 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 240 -NGENProcess 290 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 240 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c4 -NGENProcess 25c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2a0 -NGENProcess 25c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d0 -NGENProcess 290 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 2c8 -NGENProcess 2d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 290 -NGENProcess 160 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2d8 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 2c0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e0 -NGENProcess 160 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 160 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 160 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
636KB

MD5
ecc3f47aae7b3b0815aa5fdc2fb80308

SHA1
80f66fa1ec6ccac567542fdfa10d6582ebdb54d0

SHA256
77f131ed12222f8dabde9ff634a1b49d468cf95cfa484f1743d109c6e1809269

SHA512
c33e6bbfaba93bc34ad7ff793ba041de3852a940b52f2e7afb9d03b531023febd46a8e193bf4eb0ad9e188e65645697cd805c4b72b204c338411146c0b065b59

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
9d9d734475c345ff3bd106189d956a79

SHA1
9fc0465ae89158145210bbb81ac636a6b8b4fb78

SHA256
2a90fa0c862677d763eb0f846cba08856cf0d8dc5389c278e243080dce2cdd6a

SHA512
b347a82b18061ca9807b21a88fb331e2c0b9134b6ebcce8a34c472ec9bfcc1ee15767dfb54b989b798bc0f295ee54c8ee98561b76c2ee9a4bfb119706734a95a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
f23b0756869eac0ef92f1d93a7754c63

SHA1
6687ab3af3f39960c76ac07adf5ddda621f5a371

SHA256
d002066949e1cf3caf80752a5d1e8f88a0567c24cf201fbaa3277a223c10aad6

SHA512
346583341d1a080733e162744077b7bc5ceeb778aa7970f07440a4b05bfa2856435ddfa536ef1ad093d73fda60517b1fd5c1f59203eff9ff9ea5dbeade6da035

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
5f46937eeefe91e379dce2e06aa3c3c6

SHA1
75eec5918e220cd20ba9bd07875cd83f187d5b66

SHA256
7f80bdd00b69c48b06d27d1402e7b0679deb1fe4165912ac9707719f50c38ac2

SHA512
1a005554e96be7438b591433f558a37c10a03ad1e6e319f2aa51d38c4d0b57d11a6fdf8b3eabb019f459ca9100ec9de4cd69a867aad538408f901ee051622979

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6bc75cb187bc34ee3a363c1516f8d468

SHA1
746f895639592b2ad84f172a8081714d65c44aae

SHA256
ea42c30e89f7832bf6e8b1e92d75ef9b9904caad2577a20ee1d18d0cfc552486

SHA512
97bdc9196bc492bab36a2402629a220a3597028b080467e73c62cc3d7c7c49f3e654aa898ed6fe5e36884aeb1dd24ca6127a5e0e0db95e4162c6b3805f68f58f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
92c9a35d70ab04fc97ad78d4675989bc

SHA1
4a7f8892750c9c16fb32c58ba8394fcfd2fbb73e

SHA256
a5e686562e9364fa63f1f7ea69570973941bad474aafc430ffbe70db1f7cd57d

SHA512
b15efe1fd0bfdb6abe0cd3ed939aec412eee65a05103d507341baa1b11c9cc455e9ab13b7aefc0dc80032cf2aea1eaaa49bfccb32134f21bf5012ab0cb9a2f9e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
41a39f32207326536bcb0cd9895077a3

SHA1
2ae2f1655562a9d54d1d2c3486690e400d3b14a9

SHA256
ec26abb1b64cd898cc65acc1b9d7e25edd2a7ee35756b0a38bdd0220ae09efaf

SHA512
1751fd966f5ff7373963328a6c9339c163f762a0756be0bbfd619a0b6f582d4fe80a9e00f338465625a9de239c261af513116c4c45a81decd513bd5977ec9012

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
6f3dd7c3b0b39c9ec439df14db35bf74

SHA1
42ca899b1a9a7362a23874f0c389d7c276d55b66

SHA256
f85a8f2da6e2da12bca60c6c899a171932ba44658a457092ad2fd4ee3857788e

SHA512
a2d75671bacd7e5cadfe9e1ba00ca2921e8ffcdd3759ebb3ff48a6172f6e34d59489074a3d5e9f0a7a3687148e636bd3fa285feee3f5750a3d1b98fe5574aad9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
09f0d47fba05d51003a46358ef4f5e52

SHA1
469216ca746f4930549d34cdaf1dc7d35fc392ba

SHA256
3122f8cf1b44cd559e89bb05ed03b207024025a94577a691ded465c130a0bc3f

SHA512
dc18bf40a2f895ecd25fa8a65ebb3a1e7f9ea7cac31e10eac1b1f47d523807d1a8c11818b35d6dbe02c486be48209c97d8646e2f0ce8ef6d8e29bdfd44b8aed5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\35c301d5b9c4e545f4d7fe8fd7ed02b0\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
80ca36297de3f1fcf8b9f030f81b71ea

SHA1
3318f3a9b7ab6fc69101280612a398ba44de4dd1

SHA256
74eb3f101cd19a1219aef5965991c7e4674ad8c124081ac7aabdbfeed95af45e

SHA512
62bd93855dd47278a1d0652c680eadbd1be757fed757f5bff6122781e18d3995022ef37005754b83cecb7a1ef562b72f417de626adcb031ab3cc8697ca522070

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\443425ea10a718fa130f07ecefdd07fc\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
2c415eaeeed3ba76b5365f7486b15342

SHA1
8335d5555625518626219adf370805c3068e9efd

SHA256
39185f1f40cd69752f695118789b1db8cf6cb648940d09c43d0a78fb5e97a272

SHA512
b5805c913dbaccb7499386107c9ebed7e674af1d6198299f405ca5e3f9510787ca337734076a334216f1412ac841cfb9fc7623fb99f39849c77cb642f060f2a1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7bbe8b1e79e5a10523df15dabf87be90\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
7fe589ed059d59315055919683f27224

SHA1
9cde82b39456135ef6e8480d94bbb7243813c9cc

SHA256
e7917bc9b9a91984b6376f7d5408430c91b160426d28567d1d3edacc1067ec8d

SHA512
b2158879e2ae27da8539773d5c0bb2f7c2a1748e6f97462271812ec9ff43b198c41a58736700b3ad98bf5d7cb70d416b992111afe6023d7948a07eb25886576b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d8145963a030ab74543febd190d66f8f\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
dd4732b94c9be36e2461cc902d173642

SHA1
55767c95027df0686e10a239ce0f441ed8f15b7c

SHA256
8500e854bdd8956b421ba76bce7a37c7a29e82d37bfd5d644e76a6debbdf1335

SHA512
049a61596e5b8095e1fe90b706a259d2dce71e7d23e45507dc2f277edc355054db747d2bea238dbb1eca5b1d4b4c7d8287661b864c00d22669fb5db0a9fdb08d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
6c8e202121b3a56b8fef6a8496183c76

SHA1
aa1152cf9262a46df88b0cf8f0d114332917d5f8

SHA256
0b4dd95b39c6ad72c4105b44a86df231bbc0fc907b1c0e532dbedad2d502eb46

SHA512
a20d72cb5974c3e5a8125efbe6b0e138e6de2084bf8ce99624ded7b6eb6e354df11fe4e74eb3efb232145f9b2875b689c946e70438abfb9e0001df94c94f6d23

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
60062cffec128ed3c1b70d97d849fcdf

SHA1
a7bd7103da07aac20c828c908740038446b9e6c5

SHA256
128c96032a36499972ddcc98ccaff6e7a478996bdb246d8479eb580b000eb192

SHA512
d7b324ee024fcba87dd77e171463294d4e743180095f4a649240cd534d9bd9b5c4f89dd4e3413f9966b83d01585ec74602a1c8a570c8fdb1526aa6e5b261a60d

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
624KB

MD5
e19f744086859ab645bb7515467e3494

SHA1
08f20304d53df2dfdfc96f60ea0150aa5e84edfd

SHA256
2ee68f7ea528dbd129b76b8b64c1de2116ae4bf228d2f862c6924cfe0c88475d

SHA512
5127941e869c081c021787bf9ad7f67ee0f4254ee800ccd985ac176da51984d1fbcec6bfda83a8f469bfa24260bc615d4d89609703233f47069e98206545791d

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
536KB

MD5
909516b6ccd9ee0f72125ab1861cddac

SHA1
bb2efec38095a3df7e48733329ad5fe306863174

SHA256
13d092c04b0c474f521c2539a33706c6f3c436a8f0f993f9ec0190350a662117

SHA512
818676bee59f2cab27c0a0a28948d8f656d53a2b57b540324377e91add0f78196f1c2aaf99bce9564d9e590c18fe66bf9108a325662e6a5c3ada2f171536081c

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
577KB

MD5
01e6eccf81647a95c7a3f2f7b584c44b

SHA1
0d4cecf37ae5abcfceff6975674f698e68e70110

SHA256
d9d7f2a90f1e38bcb0cec47f4fd22dd1b4249d373ed76f6bfd38286ca43ffd6c

SHA512
9d47830091d2fc5f29c00c0b13352dce50157bdd703b06a9360e20786bc308fa62c8b3c233c0c381ca837aefbc03fc177fdb27c7acc78dc63c65dcec20bd5e77

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
7d2211e868ac864c0957fbb846ac1e74

SHA1
10cda8dcde7a14d29155db4fbd3f81980eb1f4a7

SHA256
8236f6bbb00a2c494f6f50034189fcc79721008ba8b37a7bd62101e27781a8a8

SHA512
c03ea8dd145742b5b8c73174d50fb2756d578336f9ed1178bbef55176f1441b5b9bc1c5a15d0eb14815b01cfaf053b3e30ebc9b05eb2fc775579bc1ba17a4bfa

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
638KB

MD5
cccdb0f0d340995f36fa7b14631b6196

SHA1
ecd668e3920852ec2f5283e95c7430ac56b4fbe4

SHA256
58ddfe730e741c06d71978e8281f54192e9432aa581ddadc87e055327a8f5787

SHA512
944f7f0835cb3b84502d2cebab403019e23d1662e83ef698d4b9061172b3436d436c0b8a15e0563de8b5bd46771562b7b979923d4bdecaa3de41697f4b7047e5

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
625KB

MD5
d3e4a6898554f1579d4ea284804f2843

SHA1
ed8d483dfd55c5d22e0823ba5a65daa069c8b364

SHA256
f022e2ddd092f0174285aa5b641f02ccaf2afb5ec57d9c542ca1a54897b7911c

SHA512
6dad5dd98fc4788dc70b0ef45835420bbb53a5cd9a5d3d1612f1113e66c305456db807157a93afd7bafcce9bdaac798ff130f676118515eeaecad2a4f3b5078a

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
514KB

MD5
b083f0e1faba180c386509f2decb1db1

SHA1
05ab3491d9529804684df4541dd4e849495ec92d

SHA256
a04c0f8d84582f5d6218a9c6d5b77cc550db28992e9004f9e40bc8b0855c8e0d

SHA512
ec99d4d08fea2e5695585d4752f59b31aef4b0bdc4d518d8cf6aadddf6297caef4a8e69565f6cdec2ab9a95e8c35d912a2f11b74dd2b71176a4766300f04ac35

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
540KB

MD5
d9277c9254babab121be451e83043499

SHA1
20ba3295acc52d1e0397bfe9c7e940bb899bfb26

SHA256
31c253cdf6a92d81f2a07c4ab2bbc3538fab960f6eb7271e2639da5a0d16f61c

SHA512
7a049270abb0cf23ebf6e6ac36f21880c98fa655b64d395ba5049ebdecd2a05a678bbbfb0d53a75020f7e09012a8347c67c96a634bc2aeb73923c0cc10be299c

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1021KB

MD5
7e2907081cf35895c61185eb30b387cf

SHA1
a8b739d7c2732808421c80a512d266acddad7735

SHA256
11cd1bec71564eb763fc826fde6089d9c5d5f101a5d963f66f27772c9c39e52a

SHA512
4df12f5370244aff725f524a2516f844e2d6aaa01fcbebef4d0381b0e444346ce0deb261107351e543112c410df68a95a9fa944f5817273be1484437b1f300be

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
f61dcc628e0288ce680c5d8c14159c7f

SHA1
bddecd05801e81bf73403fc5a343b5b4cfcb695f

SHA256
8d3882c5da3111c4a9a849170b899411f1141d755c09b96d65fc96db0df7c8dc

SHA512
563aa044ac98d03e23cc8ae12379eb92914342f6893ceeed9e3fd7b760be95b3e36bee9b6507716f62c3f933221833ee0e845dee95594341c4e84fffd56f236d

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
698KB

MD5
75c50373afb30420de5ed7eab798d8b4

SHA1
bf21106bbc98f6b2ecd801e36599d023fa1e8e0f

SHA256
9ab2b387241cae9965975a741fa357c1a1c8558f3c64dd5ad601a35446677d96

SHA512
6e2d5375083860f3922ac20406f9445b29692027927eb133f8384ce53342e6fea11c2113229587e3d51bedf563004daa229f764523ee9526089d988c7f2fce2c

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
452c9b528e37a239a69a318abc2aa7a2

SHA1
e5b06bdbedb17ac8a64ce3df100fe2194df9a703

SHA256
18a7662e0c6d5936b75e8fd41c2d42cfe54767050aa5b0569628241966304282

SHA512
27b0595a0ab69f9292c90561662e56bb8c12db74ca69252908103788db7b04642e63b728c13ecc6280f61a56351dd75e25467a36c7b4523400e4ad6ecb2fa632

Download Submit
\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
715KB

MD5
266d159ac65464f38c0fd6ff12012b2d

SHA1
7fec856e656f723e0d6b70575b0101cbb95b4f67

SHA256
acdc418c3c0aef7821bb1d6541236c346e4f5cd1876d352101623942dd81e648

SHA512
6d63b7ecf95d5b93a134883c0673c7ef54bb16d63cb84540ed7d6db8f822fa84f5b1aa7e1cced80cddbff97e2bbd5f2ba6e0049e9311302c5e68761ef76d4d0b

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d480625cc9a167105b4d23aa7706629a

SHA1
a62266cd2f3dc009dbc1bb64a68df151324ac9bc

SHA256
0289436560a4de72de6cb5a3635674498d1be1355bdc838461f5d902072f2cf3

SHA512
f972c7c1c39cdc0e396bee83dee70bb9f111611fe758ddddcfa82284a59022fcface15fab877f73b1d4b5b6741e3a82b9ca6a9076347ec97f9a2bfbd619d3338

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
6e22667724adf898094506825989b130

SHA1
4d3488e9d70af4808a0f3937b5d89ec39c5dd57d

SHA256
9b46681f87533f7418290685585d956cb3ccd970ad6cd93aae1dba0c631bd986

SHA512
9659eed12bf6b2b546c8ade3025d36475f622b56a366e2db031c639b2aede5b453c784defccef9f834ae105d45c5feb6d5e612e66b812b713cd7c267a524ee10

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
4464f320877b1ad933365102fa11582d

SHA1
90ca90741f06f5bb8015ce7278c7140f6004e8c0

SHA256
2b4112c465a79197b6b73a44b4a10b0f42685df2cc837b2a73ab875ba3365c43

SHA512
7609edcde57b383a2e9511dac04662725882caef44fcc1f071e47c51a71db533b17e555054b1def3380e02ddb8cbe518ea687ae243e7abf6a899a4b851be082f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
609KB

MD5
1a536287e8af60695c677d9acc89cba5

SHA1
666eb5f4e3e4a3c47a87d39bcaa04dae9f6f0198

SHA256
57a49d367f8ef2b682bed0d27cd79c1ffb8ce57bd5ef2920a894b5a076125cec

SHA512
50bc24b9fb0f7e521241968e11196d72b9c6593ebece1015ef5d84ac8a2560d9b869134df7a74e2109fdcb4bc5d6234013589860d3798fc52022b3294c65a3a5

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP474.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9E0.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEA7E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF21C.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFE0E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
memory/516-482-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/516-490-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/516-480-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/600-339-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/684-408-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/684-404-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/684-411-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/684-406-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1104-0-0x000000004AD00000-0x000000004AF06000-memory.dmp

Filesize
2.0MB

Download
memory/1104-2-0x000000004AD00000-0x000000004AF06000-memory.dmp

Filesize
2.0MB

Download
memory/1104-1-0x000000004AD05000-0x000000004AD06000-memory.dmp

Filesize
4KB

Download
memory/1180-492-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1180-502-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1396-354-0x0000000002F10000-0x0000000002F1E000-memory.dmp

Filesize
56KB

Download
memory/1396-352-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1396-357-0x0000000002F90000-0x0000000002FA6000-memory.dmp

Filesize
88KB

Download
memory/1396-356-0x0000000002FC0000-0x0000000003008000-memory.dmp

Filesize
288KB

Download
memory/1396-355-0x0000000002F80000-0x0000000002F8C000-memory.dmp

Filesize
48KB

Download
memory/1396-361-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1396-362-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1396-372-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1532-461-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/1532-460-0x00000000007B0000-0x00000000007CA000-memory.dmp

Filesize
104KB

Download
memory/1532-465-0x000000001CEE0000-0x000000001CEFA000-memory.dmp

Filesize
104KB

Download
memory/1532-466-0x000000001CEE0000-0x000000001CEFA000-memory.dmp

Filesize
104KB

Download
memory/1532-475-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-375-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/1592-373-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/1592-376-0x0000000002FE0000-0x0000000002FFA000-memory.dmp

Filesize
104KB

Download
memory/1592-377-0x0000000003000000-0x000000000301E000-memory.dmp

Filesize
120KB

Download
memory/1592-379-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-371-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1620-82-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/1640-478-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1640-476-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/1672-491-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1688-458-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1688-456-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/1688-455-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download
memory/1700-347-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1700-344-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1700-351-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1700-349-0x0000000003010000-0x0000000003026000-memory.dmp

Filesize
88KB

Download
memory/1700-346-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/1700-348-0x00000000009D0000-0x0000000000A18000-memory.dmp

Filesize
288KB

Download
memory/1808-341-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1808-345-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2040-166-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2040-193-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2228-342-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2300-382-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/2300-385-0x000000001C6C0000-0x000000001C708000-memory.dmp

Filesize
288KB

Download
memory/2300-381-0x0000000002F30000-0x0000000002F48000-memory.dmp

Filesize
96KB

Download
memory/2300-395-0x000000001D3C0000-0x000000001D3D8000-memory.dmp

Filesize
96KB

Download
memory/2300-386-0x000000001C710000-0x000000001C72A000-memory.dmp

Filesize
104KB

Download
memory/2300-383-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/2300-384-0x000000001C6A0000-0x000000001C6B6000-memory.dmp

Filesize
88KB

Download
memory/2300-394-0x000000001D3C0000-0x000000001D3D8000-memory.dmp

Filesize
96KB

Download
memory/2300-405-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2300-387-0x000000001CC00000-0x000000001CC1E000-memory.dmp

Filesize
120KB

Download
memory/2384-202-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2384-184-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2596-49-0x0000000000400000-0x00000000005BF000-memory.dmp

Filesize
1.7MB

Download
memory/2660-438-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2660-439-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/2660-440-0x000000001C760000-0x000000001C774000-memory.dmp

Filesize
80KB

Download
memory/2660-444-0x000000001C7E0000-0x000000001C7EC000-memory.dmp

Filesize
48KB

Download
memory/2660-445-0x000000001C7E0000-0x000000001C7EC000-memory.dmp

Filesize
48KB

Download
memory/2660-454-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2756-418-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/2756-410-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2756-414-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2756-413-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2756-415-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/2756-432-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2756-423-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2756-422-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2756-417-0x0000000003080000-0x00000000030C8000-memory.dmp

Filesize
288KB

Download
memory/2756-416-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/2764-154-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2764-58-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2764-59-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2796-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2796-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2796-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2844-56-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2844-37-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2844-36-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2912-89-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2912-175-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2912-227-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2984-100-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2984-118-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/3064-436-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3064-433-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/3064-434-0x00000000030D0000-0x00000000030E4000-memory.dmp

Filesize
80KB

Download