expiro | a3a0ad90fa7f0dee991112e3e30a8f48264c6ca2030ca7e8d5da9144936796f7

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/01/2025, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
Size

674KB
MD5

69ed8d950ab11568faf970c77050ad90
SHA1

94590af7ceeda99dc57e82f8e31c4078e966d530
SHA256

a3a0ad90fa7f0dee991112e3e30a8f48264c6ca2030ca7e8d5da9144936796f7
SHA512

ffa06f77f0707e5ef6a0ec0b85c4166066c7167e9c4a0d5bfed627704a0da308e5316b36c3b9c0cdf1862bc00dbada8006e7b009f5baa557b5311cf3e260f21d
SSDEEP

12288:Io8IJt524U/eCC02cSpVAqA+lOBsuVdC5D/ZLx2KXa84svzvF6TU:Tn524fAWlOYRzaDczt6T

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2968-49-0x0000000010000000-0x0000000010258000-memory.dmp	family_expiro1
behavioral1/memory/1956-98-0x0000000100000000-0x0000000100293000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2968	mscorsvw.exe
476	Process not Found
2940	mscorsvw.exe
2532	mscorsvw.exe
3048	mscorsvw.exe
2760	elevation_service.exe
764	IEEtwCollector.exe
2396	mscorsvw.exe
1048	mscorsvw.exe
2224	mscorsvw.exe
1476	mscorsvw.exe
324	mscorsvw.exe
896	mscorsvw.exe
344	mscorsvw.exe
2096	mscorsvw.exe
2260	mscorsvw.exe
924	mscorsvw.exe
1284	mscorsvw.exe
1584	mscorsvw.exe
2064	mscorsvw.exe
3004	mscorsvw.exe
1576	mscorsvw.exe
2544	mscorsvw.exe
2540	mscorsvw.exe
2568	mscorsvw.exe
2632	mscorsvw.exe
2484	mscorsvw.exe
2088	mscorsvw.exe
3024	mscorsvw.exe
1800	mscorsvw.exe
1612	mscorsvw.exe
2208	mscorsvw.exe
2376	mscorsvw.exe
2216	mscorsvw.exe
2944	mscorsvw.exe
336	mscorsvw.exe
2204	mscorsvw.exe
2420	mscorsvw.exe
1908	mscorsvw.exe
2692	mscorsvw.exe
1348	mscorsvw.exe
2836	mscorsvw.exe
264	mscorsvw.exe
2632	mscorsvw.exe
2396	mscorsvw.exe
1044	mscorsvw.exe
2932	mscorsvw.exe
940	mscorsvw.exe
284	mscorsvw.exe
2120	mscorsvw.exe
2000	mscorsvw.exe
560	mscorsvw.exe
1304	mscorsvw.exe
3008	mscorsvw.exe
1636	mscorsvw.exe
2672	mscorsvw.exe
2448	mscorsvw.exe
2676	mscorsvw.exe
2964	mscorsvw.exe
2728	mscorsvw.exe
1736	mscorsvw.exe
2524	mscorsvw.exe
1832	mscorsvw.exe
1680	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
344	mscorsvw.exe
344	mscorsvw.exe
2260	mscorsvw.exe
2260	mscorsvw.exe
1284	mscorsvw.exe
1284	mscorsvw.exe
2064	mscorsvw.exe
2064	mscorsvw.exe
1576	mscorsvw.exe
1576	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
2632	mscorsvw.exe
2632	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
1800	mscorsvw.exe
1800	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2216	mscorsvw.exe
2216	mscorsvw.exe
336	mscorsvw.exe
336	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
2692	mscorsvw.exe
2692	mscorsvw.exe
2836	mscorsvw.exe
2836	mscorsvw.exe
2632	mscorsvw.exe
2632	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
2000	mscorsvw.exe
2000	mscorsvw.exe
1304	mscorsvw.exe
1304	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
1288	mscorsvw.exe
1288	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
1064	mscorsvw.exe
1064	mscorsvw.exe
2580	mscorsvw.exe
2580	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3551809350-4263495960-1443967649-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3551809350-4263495960-1443967649-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File created	\??\c:\windows\system32\ikgcaplf.tmp	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	\??\c:\windows\system32\gikbnlmg.tmp	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\jiaodmjn.tmp	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File created	\??\c:\program files (x86)\microsoft office\office14\ipplaieo.tmp	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\dhdldpob.tmp	mscorsvw.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\bdjnfiio.tmp	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\microsoft office\office14\qgljpkmg.tmp	mscorsvw.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\nfpfcflc.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBF69.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCABE.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDD93.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD652.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA850.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP24EE.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB348.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDB52.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\hfabfhee.tmp	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3811.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1956	JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2396	3048	mscorsvw.exe	36
PID 3048 wrote to memory of 2396	3048	mscorsvw.exe	36
PID 3048 wrote to memory of 2396	3048	mscorsvw.exe	36
PID 3048 wrote to memory of 1048	3048	mscorsvw.exe	37
PID 3048 wrote to memory of 1048	3048	mscorsvw.exe	37
PID 3048 wrote to memory of 1048	3048	mscorsvw.exe	37
PID 3048 wrote to memory of 2224	3048	mscorsvw.exe	40
PID 3048 wrote to memory of 2224	3048	mscorsvw.exe	40
PID 3048 wrote to memory of 2224	3048	mscorsvw.exe	40
PID 3048 wrote to memory of 1476	3048	mscorsvw.exe	41
PID 3048 wrote to memory of 1476	3048	mscorsvw.exe	41
PID 3048 wrote to memory of 1476	3048	mscorsvw.exe	41
PID 3048 wrote to memory of 324	3048	mscorsvw.exe	42
PID 3048 wrote to memory of 324	3048	mscorsvw.exe	42
PID 3048 wrote to memory of 324	3048	mscorsvw.exe	42
PID 3048 wrote to memory of 896	3048	mscorsvw.exe	43
PID 3048 wrote to memory of 896	3048	mscorsvw.exe	43
PID 3048 wrote to memory of 896	3048	mscorsvw.exe	43
PID 3048 wrote to memory of 344	3048	mscorsvw.exe	44
PID 3048 wrote to memory of 344	3048	mscorsvw.exe	44
PID 3048 wrote to memory of 344	3048	mscorsvw.exe	44
PID 3048 wrote to memory of 2096	3048	mscorsvw.exe	45
PID 3048 wrote to memory of 2096	3048	mscorsvw.exe	45
PID 3048 wrote to memory of 2096	3048	mscorsvw.exe	45
PID 3048 wrote to memory of 2260	3048	mscorsvw.exe	46
PID 3048 wrote to memory of 2260	3048	mscorsvw.exe	46
PID 3048 wrote to memory of 2260	3048	mscorsvw.exe	46
PID 3048 wrote to memory of 924	3048	mscorsvw.exe	47
PID 3048 wrote to memory of 924	3048	mscorsvw.exe	47
PID 3048 wrote to memory of 924	3048	mscorsvw.exe	47
PID 3048 wrote to memory of 1284	3048	mscorsvw.exe	48
PID 3048 wrote to memory of 1284	3048	mscorsvw.exe	48
PID 3048 wrote to memory of 1284	3048	mscorsvw.exe	48
PID 3048 wrote to memory of 1584	3048	mscorsvw.exe	49
PID 3048 wrote to memory of 1584	3048	mscorsvw.exe	49
PID 3048 wrote to memory of 1584	3048	mscorsvw.exe	49
PID 3048 wrote to memory of 2064	3048	mscorsvw.exe	50
PID 3048 wrote to memory of 2064	3048	mscorsvw.exe	50
PID 3048 wrote to memory of 2064	3048	mscorsvw.exe	50
PID 3048 wrote to memory of 3004	3048	mscorsvw.exe	51
PID 3048 wrote to memory of 3004	3048	mscorsvw.exe	51
PID 3048 wrote to memory of 3004	3048	mscorsvw.exe	51
PID 3048 wrote to memory of 1576	3048	mscorsvw.exe	52
PID 3048 wrote to memory of 1576	3048	mscorsvw.exe	52
PID 3048 wrote to memory of 1576	3048	mscorsvw.exe	52
PID 3048 wrote to memory of 2544	3048	mscorsvw.exe	53
PID 3048 wrote to memory of 2544	3048	mscorsvw.exe	53
PID 3048 wrote to memory of 2544	3048	mscorsvw.exe	53
PID 3048 wrote to memory of 2540	3048	mscorsvw.exe	54
PID 3048 wrote to memory of 2540	3048	mscorsvw.exe	54
PID 3048 wrote to memory of 2540	3048	mscorsvw.exe	54
PID 3048 wrote to memory of 2568	3048	mscorsvw.exe	55
PID 3048 wrote to memory of 2568	3048	mscorsvw.exe	55
PID 3048 wrote to memory of 2568	3048	mscorsvw.exe	55
PID 3048 wrote to memory of 2632	3048	mscorsvw.exe	56
PID 3048 wrote to memory of 2632	3048	mscorsvw.exe	56
PID 3048 wrote to memory of 2632	3048	mscorsvw.exe	56
PID 3048 wrote to memory of 2484	3048	mscorsvw.exe	57
PID 3048 wrote to memory of 2484	3048	mscorsvw.exe	57
PID 3048 wrote to memory of 2484	3048	mscorsvw.exe	57
PID 3048 wrote to memory of 2088	3048	mscorsvw.exe	58
PID 3048 wrote to memory of 2088	3048	mscorsvw.exe	58
PID 3048 wrote to memory of 2088	3048	mscorsvw.exe	58
PID 3048 wrote to memory of 3024	3048	mscorsvw.exe	59

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 204 -NGENProcess 21c -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1f0 -NGENProcess 180 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1c0 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 268 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 260 -Pipe 160 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 248 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 268 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 27c -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 268 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 29c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 270 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 28c -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 27c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 25c -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a0 -NGENProcess 2c0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d4 -NGENProcess 2b8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 2a0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2e4 -NGENProcess 2c4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ec -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2a0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e4 -NGENProcess 2a0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2d4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2c4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2a0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2d4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2a0 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d4 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 31c -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 2a0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 310 -NGENProcess 2a0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2e4 -NGENProcess 2c4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 320 -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 330 -NGENProcess 2d8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2a0 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2d4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2d8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2a0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2d4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 330 -NGENProcess 2d8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 340 -NGENProcess 324 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 350 -NGENProcess 33c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 324 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 33c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 348 -NGENProcess 2d4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 350 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 364 -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 29c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 35c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 354 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 29c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 36c -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 364 -NGENProcess 29c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 350 -NGENProcess 354 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 384 -NGENProcess 35c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 354 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 35c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 384 -NGENProcess 35c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 39c -NGENProcess 38c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a4 -NGENProcess 354 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 38c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 354 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a4 -NGENProcess 378 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 384 -NGENProcess 3b4 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 390 -NGENProcess 354 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 384 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3b4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 384 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3b0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3b4 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 35c -NGENProcess 384 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3d8 -NGENProcess 3c8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 35c -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3d0 -NGENProcess 3b4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e4 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 384 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 2ec -NGENProcess 3e0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3cc -NGENProcess 3ec -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e0 -NGENProcess 35c -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 35c -NGENProcess 3d4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3f8 -NGENProcess 2ec -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 2ec -NGENProcess 3e0 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 404 -NGENProcess 3d4 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3d4 -NGENProcess 3f8 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 408 -NGENProcess 1cc -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3f8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 1cc -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 40c -NGENProcess 418 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 1cc -NGENProcess 404 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 420 -NGENProcess 1d4 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 42c -NGENProcess 414 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3d4 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 1d4 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 414 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 430 -NGENProcess 43c -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 420 -NGENProcess 414 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1cc -NGENProcess 430 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 448 -NGENProcess 3d4 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 43c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 430 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
2dff1c6516f6e24c4e86bbe8df6c9d4f

SHA1
9721834d8e0f56ed75291de253f2704a2ad48093

SHA256
71dcce24e3996466f06bc16e8a9eedb2dbd7d55acbfef9b5517ed08c638f1b71

SHA512
0ebff08c6dd23ad4353c8cd696d94dae5e606f96eb4147317fd5fcfba839fa0ed5ce365b5949df693f6735f3bcc873dd369b52f4e2e09a3446047d993b968957

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a392024141f291fd9ea9c0219fbbf05b

SHA1
92f0f67f84b0f034686185f96b2b3ec035685494

SHA256
a27699a0b0f64114830c76e269871ce9a369027befa025e4bdaedecaa13f94ec

SHA512
5110f95a00ed609f711647eb0fbdddd23377584b2527275ce466175c5bdb5055fbc751dc5a8e32befb5aa7d8e730b9ba933996bc6f0e48784bef3512c9ebe2a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
5KB

MD5
51b74c820a84d38c6a62c04307be1478

SHA1
0cfd5c7dd638bfc49dd19c3dbcfee367796f7e43

SHA256
b9d44694aad19f75691cb9d8acb26df62b27a2eda94c49d6bc33a802b9e5bd61

SHA512
cc7f30a52bb2f5cb984b8787b73d858c4bb491880982d731f6928c02111a5e79bb4054d9f903dd2c0d71a3fe5bea29a6d15ce7732e2daa1d74f17114988b5663

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
93e3ce88d900397bade3a4cb04c4472e

SHA1
771757160a720cb719c860c8243b240985cd6bf8

SHA256
aeee8766d275fb5e5764a175af10fb9c9d4096c6c331be4ff5ef314b0ebb8bca

SHA512
d1c7e4679d7c03a7d181866d3282b270431a9626430da3632351a72d614ca1a435c2fb40ccb2f24a9e6d96642967b86784c41a38ce15f3430275f3c981658395

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7975dd3639a948207dab9ef3640c7dc2

SHA1
1323dd6c10403bdc72b72d3e0e71be2f9feea610

SHA256
550f13d4a4532b61c4611a4667ba1dd773290c9911e168f14ce7c7e413a72e4a

SHA512
1168da0e3a54111d79b5d293a22dd3be6a178754b78bf4ffc37a382f4f58420316d7c26a9344cbf7374b61c5ef549068fd520ff9a6acc84329a731c5cd73a53b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
6e42a53f05e0b39977c40576493b284b

SHA1
d8f2e77c835fd5cc46308453b90d34092f1eaa7e

SHA256
51ad9d6896ef3141ed84812b7f8754f87608cb05379e8059e0e7900c7e9bd9a1

SHA512
bbed746f40277391e460b2671aa6c5e0bc826814f1271debe8373fad3216c9d01f100229c952b97735b3cc423528d782a8216223188282146e382e300598cba3

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
154KB

MD5
f0ecfbfa3e3e59fd02197018f7e9cb84

SHA1
961e9367a4ef3a189466c0a0a186faf8958bdbc4

SHA256
cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324

SHA512
116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
145KB

MD5
ce233fa5dc5adcb87a5185617a0ff6ac

SHA1
2e2747284b1204d3ab08733a29fdbabdf8dc55b9

SHA256
68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31

SHA512
1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
142KB

MD5
d73172c6cb697755f87cd047c474cf91

SHA1
abc5c7194abe32885a170ca666b7cce8251ac1d6

SHA256
9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57

SHA512
7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
5026297c7c445e7f6f705906a6f57c02

SHA1
4ec3b66d44b0d44ec139bd1475afd100748f9e91

SHA256
506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc

SHA512
5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
646KB

MD5
aecab86cc5c705d7a036cba758c1d7b0

SHA1
e88cf81fd282d91c7fc0efae13c13c55f4857b5e

SHA256
9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066

SHA512
e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
7d0bac4e796872daa3f6dc82c57f4ca8

SHA1
b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a

SHA256
ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879

SHA512
145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
5f684ce126de17a7d4433ed2494c5ca9

SHA1
ce1a30a477daa1bac2ec358ce58731429eafe911

SHA256
2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

SHA512
4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
406KB

MD5
54c674d19c0ff72816402f66f6c3d37c

SHA1
2dcc0269545a213648d59dc84916d9ec2d62a138

SHA256
646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5

SHA512
4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
27KB

MD5
46d08e3a55f007c523ac64dce6dcf478

SHA1
62edf88697e98d43f32090a2197bead7e7244245

SHA256
5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

SHA512
b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

Download Submit
C:\Windows\Temp\Cab23A7.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar252F.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1ec9ce80f9e50acad59f757cdf821294\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
572f42aa3aa822c75e94ce0cc8f843a6

SHA1
c269bd1e2d186da827365bf9381042297948ecf7

SHA256
c8588470e2f79ff428d2f9e9f15d71f9d79299954acf93d8e4ca414036a1fb06

SHA512
e01279cd67a59e186df066e828a541b78c13d5a04dc1bc01a1dff7d7a471264d849cfb6d29f212b1203f1027f0f1b79b15c39e27df49d3e5d0e3a6037115bd76

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2db9d21473c334061d3045756a72e83a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
d0ed07c942ae760cf8ca174ecdeacbdd

SHA1
b2f1f4ad7be87771d2b910cb1ba1d965f3685a67

SHA256
88d31f36d7d97dcc9368f583e719630739dd1f92accb81347a724a9093172167

SHA512
68964e14fb0cd93ff39ccb1a3e8a4f76e210e87cbad34b8526df0a19a96b80549f9d60017046b2a84f6d1aeff13599914557d05440f0cc13441151aa91056a2b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\46c748b51eeb5e5eb50e26fcfa18ba08\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
6c83a03e6dbf0fe41007810d1f2671bb

SHA1
55887d8b6b411156113c06acd71616e3166bd176

SHA256
1897d7fc0afddcf6ce403fd4458912c16bbd5a9dc63a842094d3232cc0e0f22f

SHA512
bac997040c19885511a00e23e9eebc2bf6fe695f83d36766b7c1ff98f04523bfebf44a7d1a1f50a7ee74da97b4cba0fc4ac06d1a2d660b1a6a2db2da43b910f7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dfe7c2f5729164ef4962caadc2a619ca\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
82b23aa29d27f2bb312b804490da72f7

SHA1
37bae3490a22fdba4d6dbf95ac775016f1b7b491

SHA256
f8b56e855de000f682eb4ef753d961a3f0555ca0aeeda3fa03bd49e182c4d215

SHA512
3c436f3656170ab46284037c809dc4e0cdd8a04d9e202a44e55b0f018eee902d2c14727e9c380d0faad9200ca7fcfdd35278f6fbdbcc81721ca5c7acb98bf6ee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9317778aeec04489dd7f2792517e1987

SHA1
c22873b21997a0eb6a87d374aec0a9394b2aa6d3

SHA256
399dbde4918f13cdc8c25fb8694e18d257e99a13ba591d3245bf39489d3f0b11

SHA512
187c55baa0cf399d40ef123ac453c75aa5053c135a78e4a333e3c926398a4dec7f7d241a2462662768416ed2cad26e73794dec18bcca9944443b61ed67306276

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
0dfe1224c700ae71e0b212e2a86760b0

SHA1
287ba306f35bce0c46eb3a2dda14b56cb744805e

SHA256
0c1bbf3b868384920076d6bbb4c3758e3aaab84809cb370b46786a7f02a0220a

SHA512
d74c75519ed4daab2fecea86e92ef11cb9b57a0e01d9d925c9926dd87140a4efb5fd081074c2c8dd4cda021346a2f4d366dfc3faaa2a0254ec27aae7479f6d2b

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
d3e074ba43dcf1d3970379e37b91b2ee

SHA1
3b316fa4ec1b6c7336be957aca51faac3ca31bca

SHA256
d27a78a5c05cabd3e49f785f6127284772b6d9750dd18feea56cd28982a77e02

SHA512
25f12bed7c947dc640e98611b4d4e99a16918da29633ce70b98594bfd5f50290bebe1dcada33afaa39b6d0b5a33a438f5fef8ee14f9e0e6d30de115be8926f14

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
350080797e46911fc2e2814d5cdde064

SHA1
cab92c444b5ad743853f0227df8c1d456d87fde3

SHA256
90c53e93fae6725f8b11c85b4619fdc493a37f2c8f909fa15832662ce9f96810

SHA512
34b43d4c431129400d9a76153e73270880b62c72e23e95e655f05f0d078b1e9ab976d6f11e9a4868d6055c61c92ff021a229eb85c5a1d27c82efb90c38f2ae99

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f0ad4caf75166e2c7efb2cb5bbe08c90

SHA1
1e431420d8cf36d6371bd318f79a64061550a882

SHA256
ae22fc783e3e6113c238d4f7c0cf85b02d0314199ac04bd5c916dd39dc8ddd52

SHA512
ba611519ab8e3270a66cb5c249919703f57d4083740efc8f1c1935eca707788993f0c39d6edc880cfb05f6ba325aef8c2dac8a83c8fc569fdbe8be0743f44e35

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a671210feb2984a99cf4f4c15525b81a

SHA1
d1f1d0326e776a93f89d03c496374becefa5b297

SHA256
9b37b6fff023b106e5398381b55ef413a766265393530aa1cc210776e00aeb86

SHA512
dbbb0688e1c98ecf2a16bb9fba5753eb24ddef6e6ebd836296c9defbaa5c5f507053916239e97bd75db27b4a965f80140ca269c690175e2b318608f5e4037863

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
a29ab075643b1764fbf36e075752cd49

SHA1
e2608efd7d7c30a583be95791b9784c0674f6acc

SHA256
c24b46d920fa8ceb60925edffd046f0bc88350c44bcb55cac603e1597c337024

SHA512
13665bda307fd5cb26a70508f31a45b70393c00602092edb36a338a6fe1366e093d4331d9b7cac48cf62f29aeae2b89a5f1a23b4d6d2539808416983e289b90b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
69d1ff8bbd9695a7f6c3d1c859c66bfa

SHA1
661bdc63bf6fc4e7a7e5a0cecca9829a17552fa8

SHA256
c882ba1c4796d9b362adfacf7de22e77820d51f1e96feb939b28f64fbc722e39

SHA512
3f3ebc7ba6a6ad428c758723d12065a5361fcf4e4f5ea93e1a7bb870062cf4b4a985fc7ce56dd4a9bf73a7c727baac2e5a16bdd7373a389cd30650cb8d5e1f9f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
a07b712d10c89bbb0a00b168f86be8a0

SHA1
f9d62deb7b9a58c28ce36edbb21354e0d9866488

SHA256
c4c6b60435ebf2f16cd3802a3c545537166d7ae3b7106d0469deade7e3fbe725

SHA512
61265fdae9fb9caa1400b59a883e7eb0d8d94de96e33e3fbd424cae1a777965424140272f5d3651825ddb87d1672854858481a4e84e953a270bc146efc089bd9

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA12F.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA39F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA64D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA850.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAC37.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB08A.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB348.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB5A9.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB819.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBA3B.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
memory/324-273-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/344-283-0x000000001C4B0000-0x000000001C4F8000-memory.dmp

Filesize
288KB

Download
memory/344-297-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/344-281-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/344-284-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/344-282-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/344-288-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/344-289-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/764-108-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/764-85-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/764-121-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/896-275-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/896-274-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/896-277-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/896-276-0x00000000030B0000-0x00000000030F8000-memory.dmp

Filesize
288KB

Download
memory/896-279-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/924-341-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/924-338-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/924-337-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/924-339-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/924-336-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/924-334-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/924-335-0x00000000006F0000-0x000000000070A000-memory.dmp

Filesize
104KB

Download
memory/924-333-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1048-116-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1048-114-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1284-345-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/1284-350-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1284-354-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1284-343-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1284-355-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1284-346-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1284-347-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/1284-363-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1284-348-0x000000001C4C0000-0x000000001C4D6000-memory.dmp

Filesize
88KB

Download
memory/1284-344-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/1284-349-0x000000001C530000-0x000000001C54A000-memory.dmp

Filesize
104KB

Download
memory/1476-271-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1576-397-0x00000000009C0000-0x00000000009DA000-memory.dmp

Filesize
104KB

Download
memory/1576-398-0x00000000009C0000-0x00000000009DA000-memory.dmp

Filesize
104KB

Download
memory/1576-406-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1576-393-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/1576-392-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/1584-365-0x0000000003110000-0x000000000311E000-memory.dmp

Filesize
56KB

Download
memory/1584-364-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/1584-369-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1584-366-0x0000000003150000-0x000000000315E000-memory.dmp

Filesize
56KB

Download
memory/1584-367-0x0000000003160000-0x0000000003174000-memory.dmp

Filesize
80KB

Download
memory/1956-98-0x0000000100000000-0x0000000100293000-memory.dmp

Filesize
2.6MB

Download
memory/1956-2-0x0000000100000000-0x0000000100293000-memory.dmp

Filesize
2.6MB

Download
memory/1956-0-0x0000000100000000-0x0000000100293000-memory.dmp

Filesize
2.6MB

Download
memory/1956-1-0x0000000100001000-0x0000000100002000-memory.dmp

Filesize
4KB

Download
memory/2064-377-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/2064-378-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/2064-371-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2064-372-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/2064-386-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2064-373-0x0000000000A90000-0x0000000000AA4000-memory.dmp

Filesize
80KB

Download
memory/2096-305-0x000000001C540000-0x000000001C55E000-memory.dmp

Filesize
120KB

Download
memory/2096-304-0x0000000000850000-0x000000000086A000-memory.dmp

Filesize
104KB

Download
memory/2096-298-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2096-299-0x00000000007E0000-0x00000000007F8000-memory.dmp

Filesize
96KB

Download
memory/2096-300-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/2096-301-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/2096-303-0x000000001C4F0000-0x000000001C538000-memory.dmp

Filesize
288KB

Download
memory/2096-302-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/2224-269-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2260-323-0x00000000031B0000-0x00000000031C8000-memory.dmp

Filesize
96KB

Download
memory/2260-314-0x0000000000870000-0x00000000008B8000-memory.dmp

Filesize
288KB

Download
memory/2260-307-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2260-324-0x00000000031B0000-0x00000000031C8000-memory.dmp

Filesize
96KB

Download
memory/2260-332-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2260-316-0x00000000008E0000-0x00000000008FE000-memory.dmp

Filesize
120KB

Download
memory/2260-310-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2260-311-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2260-312-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2260-309-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/2260-313-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/2260-315-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/2396-115-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2396-90-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2532-42-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2760-94-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2760-78-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2940-38-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2940-67-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2940-31-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2968-17-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2968-18-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2968-49-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/3004-390-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3004-388-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/3004-387-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/3048-52-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3048-53-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/3048-88-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download