expiro | 8026f0a34be72b273af30c71f7399b9e8b0014e4f17e6559fda4ac5962882c3d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
Size

764KB
MD5

6af0878c78577e69bbbca6c75651a9f0
SHA1

b8e41380c271caaab0ca124e2fdecb942f9d9d4d
SHA256

8026f0a34be72b273af30c71f7399b9e8b0014e4f17e6559fda4ac5962882c3d
SHA512

9ecef9815e6af89c9743af60113e99beb0733d471479db155c9e6bd01c49cba5129e40801c586699e8c687497d2e0b68e9ae88fbb26649bd678f8103ebaef833
SSDEEP

12288:bvuloS7zEAoHLiPcS7N06aaVH6K8pWoYYR9WRwHJSKOHRkFGv2inE6qVN/43BysV:D4oS7oAoHL8cS7O6a6H6K0WI9WRwHEKG

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2180-2-0x0000000001000000-0x000000000127D000-memory.dmp	family_expiro1
behavioral1/memory/2820-54-0x0000000010000000-0x0000000010258000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2820	mscorsvw.exe
476	Process not Found
2600	mscorsvw.exe
3004	mscorsvw.exe
1484	mscorsvw.exe
2440	elevation_service.exe
2844	IEEtwCollector.exe
1368	mscorsvw.exe
1968	mscorsvw.exe
1996	mscorsvw.exe
3056	mscorsvw.exe
1680	mscorsvw.exe
1856	mscorsvw.exe
1764	mscorsvw.exe
1256	mscorsvw.exe
864	mscorsvw.exe
2912	mscorsvw.exe
2848	mscorsvw.exe
1776	mscorsvw.exe
1296	mscorsvw.exe
2204	mscorsvw.exe
2924	mscorsvw.exe
572	mscorsvw.exe
2020	mscorsvw.exe
1804	mscorsvw.exe
2960	mscorsvw.exe
1784	mscorsvw.exe
828	mscorsvw.exe
2472	mscorsvw.exe
340	mscorsvw.exe
848	mscorsvw.exe
1256	mscorsvw.exe
2788	mscorsvw.exe
2852	mscorsvw.exe
2596	mscorsvw.exe
2848	mscorsvw.exe
2184	mscorsvw.exe
1752	mscorsvw.exe
1164	mscorsvw.exe
2188	mscorsvw.exe
2904	mscorsvw.exe
1716	mscorsvw.exe
2464	mscorsvw.exe
988	mscorsvw.exe
772	mscorsvw.exe
1572	mscorsvw.exe
2268	mscorsvw.exe
2584	mscorsvw.exe
2916	mscorsvw.exe
2108	mscorsvw.exe
2240	mscorsvw.exe
2400	mscorsvw.exe
1704	mscorsvw.exe
2592	mscorsvw.exe
2460	mscorsvw.exe
380	mscorsvw.exe
2700	mscorsvw.exe
1132	mscorsvw.exe
272	mscorsvw.exe
2044	mscorsvw.exe
840	mscorsvw.exe
1600	mscorsvw.exe
2988	mscorsvw.exe
3056	mscorsvw.exe

Loads dropped DLL 58 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1764	mscorsvw.exe
1764	mscorsvw.exe
864	mscorsvw.exe
864	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
1296	mscorsvw.exe
1296	mscorsvw.exe
2924	mscorsvw.exe
2924	mscorsvw.exe
2020	mscorsvw.exe
2020	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
340	mscorsvw.exe
340	mscorsvw.exe
1256	mscorsvw.exe
1256	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
988	mscorsvw.exe
988	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2240	mscorsvw.exe
2240	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe
2964	mscorsvw.exe
2964	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
1128	mscorsvw.exe
1128	mscorsvw.exe
272	mscorsvw.exe
272	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\T:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\L:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\N:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\P:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\V:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\S:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\H:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\M:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\O:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\R:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\W:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\K:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\U:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened (read-only)	\??\X:	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\djfcjlok.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\kobjgjfc.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\ehhenolk.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\mjfpfcpd.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\acdocaog.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\SysWOW64\mmcfhkab.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\paiinicl.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\SysWOW64\bgnkomqp.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\aehcihgo.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\bjbbcljf.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\ioacebpq.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\wbem\afbidnep.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\anhhocop.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\fdcncacl.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\SysWOW64\ficqadho.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\windows\system32\jjaofpop.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gnciljmn.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\gmoggjie.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\klonohhl.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\nlfifejp.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\qcogljfn.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kefbfhkg.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\jbcgigoc.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\akaajeom.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\eqiodbdg.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	\??\c:\program files (x86)\microsoft office\office14\oljdoamb.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\llopmkim.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\cpkcoelj.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Program Files\Google\Chrome\Application\bhlnifll.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC34F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39A6.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD865.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE936.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\ohehilee.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC810.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB75D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP36F8.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\jahikmdp.tmp	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD079.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2180	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2180	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
2180	JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1368	1484	mscorsvw.exe	37
PID 1484 wrote to memory of 1368	1484	mscorsvw.exe	37
PID 1484 wrote to memory of 1368	1484	mscorsvw.exe	37
PID 1484 wrote to memory of 1968	1484	mscorsvw.exe	38
PID 1484 wrote to memory of 1968	1484	mscorsvw.exe	38
PID 1484 wrote to memory of 1968	1484	mscorsvw.exe	38
PID 1484 wrote to memory of 1996	1484	mscorsvw.exe	40
PID 1484 wrote to memory of 1996	1484	mscorsvw.exe	40
PID 1484 wrote to memory of 1996	1484	mscorsvw.exe	40
PID 1484 wrote to memory of 3056	1484	mscorsvw.exe	41
PID 1484 wrote to memory of 3056	1484	mscorsvw.exe	41
PID 1484 wrote to memory of 3056	1484	mscorsvw.exe	41
PID 1484 wrote to memory of 1680	1484	mscorsvw.exe	42
PID 1484 wrote to memory of 1680	1484	mscorsvw.exe	42
PID 1484 wrote to memory of 1680	1484	mscorsvw.exe	42
PID 1484 wrote to memory of 1856	1484	mscorsvw.exe	43
PID 1484 wrote to memory of 1856	1484	mscorsvw.exe	43
PID 1484 wrote to memory of 1856	1484	mscorsvw.exe	43
PID 1484 wrote to memory of 1764	1484	mscorsvw.exe	44
PID 1484 wrote to memory of 1764	1484	mscorsvw.exe	44
PID 1484 wrote to memory of 1764	1484	mscorsvw.exe	44
PID 1484 wrote to memory of 1256	1484	mscorsvw.exe	45
PID 1484 wrote to memory of 1256	1484	mscorsvw.exe	45
PID 1484 wrote to memory of 1256	1484	mscorsvw.exe	45
PID 1484 wrote to memory of 864	1484	mscorsvw.exe	46
PID 1484 wrote to memory of 864	1484	mscorsvw.exe	46
PID 1484 wrote to memory of 864	1484	mscorsvw.exe	46
PID 1484 wrote to memory of 2912	1484	mscorsvw.exe	47
PID 1484 wrote to memory of 2912	1484	mscorsvw.exe	47
PID 1484 wrote to memory of 2912	1484	mscorsvw.exe	47
PID 1484 wrote to memory of 2848	1484	mscorsvw.exe	48
PID 1484 wrote to memory of 2848	1484	mscorsvw.exe	48
PID 1484 wrote to memory of 2848	1484	mscorsvw.exe	48
PID 1484 wrote to memory of 1776	1484	mscorsvw.exe	49
PID 1484 wrote to memory of 1776	1484	mscorsvw.exe	49
PID 1484 wrote to memory of 1776	1484	mscorsvw.exe	49
PID 1484 wrote to memory of 1296	1484	mscorsvw.exe	50
PID 1484 wrote to memory of 1296	1484	mscorsvw.exe	50
PID 1484 wrote to memory of 1296	1484	mscorsvw.exe	50
PID 1484 wrote to memory of 2204	1484	mscorsvw.exe	51
PID 1484 wrote to memory of 2204	1484	mscorsvw.exe	51
PID 1484 wrote to memory of 2204	1484	mscorsvw.exe	51
PID 1484 wrote to memory of 2924	1484	mscorsvw.exe	52
PID 1484 wrote to memory of 2924	1484	mscorsvw.exe	52
PID 1484 wrote to memory of 2924	1484	mscorsvw.exe	52
PID 1484 wrote to memory of 572	1484	mscorsvw.exe	53
PID 1484 wrote to memory of 572	1484	mscorsvw.exe	53
PID 1484 wrote to memory of 572	1484	mscorsvw.exe	53
PID 1484 wrote to memory of 2020	1484	mscorsvw.exe	54
PID 1484 wrote to memory of 2020	1484	mscorsvw.exe	54
PID 1484 wrote to memory of 2020	1484	mscorsvw.exe	54
PID 1484 wrote to memory of 1804	1484	mscorsvw.exe	55
PID 1484 wrote to memory of 1804	1484	mscorsvw.exe	55
PID 1484 wrote to memory of 1804	1484	mscorsvw.exe	55
PID 1484 wrote to memory of 2960	1484	mscorsvw.exe	56
PID 1484 wrote to memory of 2960	1484	mscorsvw.exe	56
PID 1484 wrote to memory of 2960	1484	mscorsvw.exe	56
PID 1484 wrote to memory of 1784	1484	mscorsvw.exe	57
PID 1484 wrote to memory of 1784	1484	mscorsvw.exe	57
PID 1484 wrote to memory of 1784	1484	mscorsvw.exe	57
PID 1484 wrote to memory of 828	1484	mscorsvw.exe	58
PID 1484 wrote to memory of 828	1484	mscorsvw.exe	58
PID 1484 wrote to memory of 828	1484	mscorsvw.exe	58
PID 1484 wrote to memory of 2472	1484	mscorsvw.exe	59

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2820

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 160 -NGENProcess 194 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 160 -NGENProcess 194 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 210 -NGENProcess 1ec -Pipe 138 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 258 -NGENProcess 1c4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 22c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1ec -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1c4 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1ec -NGENProcess 1c4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1b0 -NGENProcess 264 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 278 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 1c4 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 210 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 22c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 22c -NGENProcess 28c -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 29c -NGENProcess 274 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 274 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 290 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 210 -NGENProcess 27c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 27c -NGENProcess 290 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 210 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 28c -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2dc -NGENProcess 2ac -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ac -NGENProcess 210 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2e4 -NGENProcess 27c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 27c -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 1d8 -NGENProcess 2b8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2b8 -NGENProcess 2d4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2b8 -NGENProcess 2fc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2b8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 294 -NGENProcess 2fc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 2b8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 304 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 2cc -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2cc -NGENProcess 294 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 320 -NGENProcess 2f8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 294 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 324 -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2dc -NGENProcess 2f8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 30c -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 338 -NGENProcess 31c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 340 -NGENProcess 2f8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 334 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 30c -NGENProcess 31c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 348 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 350 -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 31c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 32c -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2d0 -NGENProcess 31c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 35c -NGENProcess 338 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 30c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2d0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 36c -NGENProcess 35c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2d0 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 31c -NGENProcess 30c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 30c -NGENProcess 36c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 37c -NGENProcess 2d0 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 35c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 2d0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 35c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 36c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 2d0 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 38c -NGENProcess 398 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 2d0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 380 -NGENProcess 36c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a4 -NGENProcess 35c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 398 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 36c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 35c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3a4 -NGENProcess 35c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3bc -NGENProcess 3ac -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c4 -NGENProcess 36c -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3ac -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 36c -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 398 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3ac -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c8 -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 398 -NGENProcess 35c -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3dc -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3ac -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 35c -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3dc -NGENProcess a4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3ec -NGENProcess 35c -Pipe a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a4 -InterruptEvent 3d0 -NGENProcess 3f0 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f0 -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 3e4 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3e4 -NGENProcess 3d0 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 40c -NGENProcess 3c8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 408 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e4 -NGENProcess 414 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3f0 -NGENProcess 3c8 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 420 -NGENProcess 3d0 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 404 -NGENProcess 414 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 424 -NGENProcess 410 -Pipe a4 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 418 -NGENProcess 414 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 428 -NGENProcess 3c8 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 43c -NGENProcess 410 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 430 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3c8 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 410 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 430 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 3c8 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 410 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 430 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 420 -NGENProcess 430 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 460 -NGENProcess 44c -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 44c -NGENProcess 444 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
d837baf3238a9da0df8eade68ccd06d0

SHA1
201d3228db3e6b5ad4960393baede458f237d82e

SHA256
6f99243785d8e06d26631acfb5252eeba93aeb7aa7b013397d95fa97e3471d7f

SHA512
66d93e52d6719eb4ea1f4adaa0a80d454818fbb64fcbd76b5f596c3aa5907b562dd566a06d8b0191e3c530b1eda76ce1c201fd0c40fcdd6732723374b7489e4d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
20cce6b4c0969f0b28045bfeb7780f89

SHA1
a70fdc68668728d131633eb803981b4fad3be40d

SHA256
9882de25ed125a9efe3549fa416f47e5cf97a810de910895dc4483e6702f6d42

SHA512
0e852367461741e3390c9ec0e9ae1e829719fd8b2f2732ae77697cf0fa465a95c5f84a6c330646106f67bc3466617d8644edf3c7ea6c47237d3321aba691ba40

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
8594a88dd9fe8fe1e2f73bb7a17dda54

SHA1
f0ba55b591c6da3e960d7ba9e7650a3489e61f4c

SHA256
15c4b60f13bb05863e83bc0a6c91187c6e88f28a71802e1330d845fa82ed7e2c

SHA512
19b02349496e93a887a40c3b4e19d71284fc630adcd890a78220dce100250e7c0d330a826006fe1619bab95a14fec6caebcd6d63156fd7d152176a374bab77f6

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
c36aee191848a489657ffff638c2e189

SHA1
a14e379e0028da22e5144c1b36789c7f88999222

SHA256
96238e997ee317793aa1a465a05aa4fe4913ec25891dd00f13788ea8ce6910af

SHA512
227dfbd03408ff94816fcb1293d15d6d9f2d94a38b432db63c147221487e6bf19c084d68f98c57385b457c147edaad046b78c8a640baf22eb655ff041305c4cc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
f36dfc2f79a4b62da530034928d4fe1b

SHA1
d106ebbf06fcef05f4a3c269838e7c66839c3c26

SHA256
76c4de353a062bd18f9fdc0dd105605e5fee2381772d91783f2a8bb37fa2f9e9

SHA512
d5ee5904f4520bebe4c48314c69d3d9baf800830b92195276cfe0e0df82f5b411a91f13983df14c0f82f2b6ba2cc86d389d84e6825ad259913a1b4d5a1952188

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fe1a6050f8af376a9771800201edfef4

SHA1
d5974e6890957b0a931fc2e6f6696c7113fda29b

SHA256
bf1912a50af048f68205fd58c477af0f16db41ba77fbb793f7dc16c53223d52a

SHA512
ea10db12eb8ec90d5f336115c6bdb535f32f2ca614757d556b68e11e8a041bc56590e35c687a3b3a0167df264f739c37ca5d2b45aafea23190d2d1251ae14c32

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
4KB

MD5
d5616e7325fbaeb2c5e04dc99c06f369

SHA1
88fd00f5cea9ed43ad9da2ab231c6adf1f2f9931

SHA256
be214262c2c028d459d635ac231659ad4c96f707539114381fd43757724bd84e

SHA512
006ddd2be240113cc26f365a318029fc7e8d4f070bcbb94eb7bb15efd23ddf41b01ddb226f5eed99a7d8059e1126fb2c9099806fba5632237bd8052d9b2c44fe

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
d258f35c6e1eaff0d59524f89737b03f

SHA1
e7c403e890c5a14a367f1b0d2ed520a2120dc510

SHA256
5396f45168da7c91eae8df203af504c700d3dec7de950dd0df4b39e68679ba66

SHA512
37b0d7cdad80ccad39e94c44553ca433f6bbc8ffb6c43de4d36196790eb2edbc95c7aec13c911914003fb0aaabb91ab5e8029c3b57643cd4d6271f0d5c8734e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2b1da772c37375e19518e0fbc09dd286

SHA1
56a9b891605463953d6705b8ac31c85fe3d0faaf

SHA256
cb4b6574fa75186622501c589a96c36ecc7a865ce2d42c378c5f1514ba8b8a61

SHA512
38ca65e61382fd98011d23677ac71df98b1381dbe86f008e8af4f234d1b54f23ce02c9c3edb21fb6bac20679c63bc6851f16fb682e1605465b7c2dc6bb695e30

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
3b690f716e9a272ef733ea4219b5de3b

SHA1
2a085d50c77936a38d5d931d92f1c08ea27340d6

SHA256
ff5b104ec2247da786eb9929d55514284f4408f12805071ce5678866976d4c09

SHA512
ec869289e08bce2a238e90fb2f6956f05a372f75d613a1e73c64f50e4682ca2f2ba66f1da8b7a1398f84ede9b4a3a77ddebd6e0a6a580c902250c2b545ae8122

Download Submit
C:\Windows\Temp\Cab28C5.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar29C1.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\025f3688f8eea99014499b2178983483\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
1a6be0e572dc022bdc7a66bf37001d89

SHA1
e3081f7cd148bb1f6a6d4404a33ad79c61bda7a3

SHA256
62a32b715e1d1da35d8d5feca4604db67c6c36c5751e2db7f66e246e5fea3367

SHA512
56cb7dc85421996a2f3aed4ba0df9bd8ba18f538991ecd90a0026d7d551fc28fd0b0b039fe1011088f386cd4587926ae3b4045dc6de434e6aaffe9ec341c0ca6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\291edf644da92b3cde87e45995335afe\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
47fca3a17525676ff51980774ef94a05

SHA1
08411f90396d3915ac0445843e3c1167c988ba8a

SHA256
bc6978b3ae15eb0e39186b0bb5a7a7300081c5b863c0fe7254ff5aadfb172652

SHA512
0c478d3ff7669217ccb93a28f2d1585c72e4fa7288e429170a3c79868c32c255cb8e6b94e0c88e384b4196ddb08ce525e08c0b569c6c57015c7b44a84d07f279

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4a73e85975acb23dd976bb689dadda25\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
2e94cea0e52ff3a2cb56555abd53eb0f

SHA1
31b3f1cdbc44951e7e07fb45eeecd67ed4680b08

SHA256
3dd4f139ba3e76f654ab7dee2c6f9a6edd50e7f247d689319821081ca6e3e4b7

SHA512
cdf7638cadf580f553305333b33572051e4b541c9af50b245d484823b7ab816530b3c1579acfe42fc17a20c7322f6e6669c5a6119120b07545ace1c5a52e71ac

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cf592180b987031367efbf287c9b0335\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
ca864fcb54dbdd6dd80af91ec64a02a8

SHA1
26f07bd14af800fe64880bde692d03fba3b5414b

SHA256
4d2d905ee2fc2cf2fca2077f1547be8c13aa46d5f5d2971667eafcc6578a304a

SHA512
cab7a670505cb884396a4a555fa4de7914d39428b360a99cfb630e81e8bb5dc3b1e0f0b52c23d531959d94cacb8ea49985878d79ed7491747c9b3d03c352a82b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
1c510c3e5e93632b41b1ce32971ab8e6

SHA1
2e82d1f8c11dd3688ae6e985dc603f537b1eb2b9

SHA256
fd01980c61ec31cb92be4f6df5629b27217b5060ca71ac7639a7b8cc97d470db

SHA512
28bad7150572f7c5062138f9f911dbc4d7069de6dd73b07aee025ffa4a2d8c6e8ab97c6c5426f92023fd37aa60cbd3f976a94b6420bc718baef89c724bbb8d06

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
fc93253baee4b719941c7fa136594a36

SHA1
5e9ef5480495671532c3a5b6b710d9d338790b11

SHA256
503ef811d4f0403613c010b4c9130e8653b72d7dcf0e49aa8d740b0d86a1e0c7

SHA512
8edf5dc6dee4c65bbeac130d6d89dc29636e7b96675e15c571dd3d0d0a43cf33db436fe89172b0350ccfd34d3754f20b29fe0c1241bfa47c9731fe9d18c1e9c2

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
773KB

MD5
270eec13a065ca7cff771bc33f180752

SHA1
3a9a589efd35673d7501de7982a5917e4f8be39c

SHA256
50c115b971c424da3fad4812e551edf5adf7af343d957a44baf9fc622ef79b32

SHA512
506d134a99e2581b1dde16011ae1bbf9096fceb0c3c8b10dab01c2acbe3b4636d3833f3e9584d2b4a4f687c23e9908d7363a2bdf5435262e1f58cee013647ccd

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
4dd0196acb58e332cfd767c174eb2ae7

SHA1
877db6a048a4ee0877d60b84179757a956b53aee

SHA256
663c7515861204170f039b59528fb3c25afa2e93522f2c2fc8d8c8f02eb6412b

SHA512
9a9683e96377307d4d2c8a644946842fff1f79ed44bda6b0c6b4ae1ce650015e31eef462924b461eb4945696db3fd592f555d36d38d83a979a202528e793f9f0

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
953d751778eae1b93f8696d5443f154d

SHA1
2f23f598e97f105da9832736a75a09e82ad8eab2

SHA256
76cad18d7491d8147c133dfe668bcdbc94d9e952b7625726c5adf2b8ee130112

SHA512
07c5547034f05f6689aac4c78a6c4ffec4245c129ab1fb8f3299731d69a62eed7d43aef3d73f8744e962ce60231f0f01d505c593bf2903dfa89b11798fab4d52

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
cbbb7fd556b900104fec06bac47df1e1

SHA1
6099952be98688d06110e5700a442f7f66b66eef

SHA256
9efdc3022216a7fbdb0fd6044a98ff8e64b252c327eedbe119b124b0c1b6a704

SHA512
74372f68b639821a2b4246d72b370205bd7a4f4aa40906203fae485937a4d69485bbb164d9911841658ff84daae565181174bdb9c4dcf047a2a4b125f4d6daa5

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
67e78af4faa5bd854aa9b09b7224c719

SHA1
e850dd00ee87e4d77d89e7208280d5c1ef82c92a

SHA256
f7f31c8be2aba42bbbeed3312323447ceac3b83763dfa8550a14b53aaaf2d644

SHA512
87c917bc4e8147e4c540fd865a2db501d27a2a5a923aec4c21cf564fd4261f249682939640a6fedec5a4a674e39bd0527d0885176a1d28bf01314a3497fa43c0

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
ac321dc448a7b885b5bfcf2992c787e8

SHA1
d7abd68c658b0bf2c6d4809ae7eb0fd7dafc9abf

SHA256
42db74ccad2559ca54269ca7763a33b5c88b068f673934361ae750c7ca0ed478

SHA512
e217cfa41b73470eb17760f4c0b248d32c373d2befad2d5176cd1968f1c7be83e8782cecff4e7b2e00d9b98061b4c33d8556f58529071227d4d02a7ca12c34f0

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
4a71d808251a6147c804e56384cbd549

SHA1
44ff8e1cb180a58bcf43797baa0f6c661e148bfe

SHA256
78fb1f6d5b3981267dd82a1da19c37dbff47a5fa814bacdc9730c8b703f54fda

SHA512
837157a2f24cff96af63f55e375ef5fa73799a9f710d7029ca6ea0b92b288a51a9536b17506b3f0affe006fe2bf0d821a7b7fde7d02d6976a8c332af24cab2c4

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
9c9100dd30f09c5598e551d84b27695a

SHA1
f30e4a1501564cb01595950c5e34a09ccc3a2cab

SHA256
6639080727ed99e84b6beed121eabc4c5e654bc943e92cbf67e8d84919b37581

SHA512
2ce7884ffe8a57be498e864d8ea8c5061dc6da812d05d3006be6557974ec52a873441fb038b89b41b77ee702d72b4a9c7112ce52005ba06dd108d72d21855e92

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
bd7a9795b7887278145ce0eb44fa26fb

SHA1
4226a524152c546fef17adb2897c94db81bddea7

SHA256
deccae455c5e5470a8477ea70014b83dea248ea3fd80760b6c9a15232013986e

SHA512
47f63fe712bc71975310d8f75a3bd1c3d3507b64f8eb26665239746fbb722d7a512f6c528595f1c401807034c17c6e442c7cfd0d08fc978d2b55d770814868cc

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
daaba2185c68a12b46d380a55d2808f3

SHA1
a44b353736f4a99be9ecd275472acf61abfefb1f

SHA256
ed72c00c4db5349a1694a8a5c9c3d4dd135feafbe5e756b69d25743a2a895f1a

SHA512
d0e1f1e65aaa381ebe8d996989331029f03815deebc47ff025162597966deccf9935365a31f9fcf236b6f645af45fcc7035db5e2151ccbcfbeeda6c5d2ae44d3

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
4c3dbdc3251179a3a0527a045188b859

SHA1
149bd1ab7f39194cd904f581369a6429de4e5be0

SHA256
c2f74afa75454da248de01ec583d24e461d24b4f35744e1601d90660d32a4a55

SHA512
db9521b4ddd0bcd547cc5c34acb868e78293f670d9e172db000da9a30a6574c939a36f39455c345c6ed1c9664f8c1520cc07f969a1a502ce9fbe527e037a7d00

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
927345449e6c1d1673822440c136ad68

SHA1
705eb47cc1a1e3500e104880bc681bc2efa4a2ef

SHA256
ff613e95506f11f1c807ec66994e8688902feb8643c7291e9c00182e23fcf87e

SHA512
39deef1573ec2414d8ab3eb264cbeabbdd323c991b0b16e448a26181f707631727e2d7a3ebbb8dbb1ece4f751521ddac77f1fe6ebab3a8203afa077253905f55

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
a7ace78d0d4de885b1bbf265ae8d2d25

SHA1
5578c47bb0ac46149b57fd120f1f39161e2ce6d7

SHA256
eb6e2a4bebab87a1bfaf983136e45cf1ec4369d7e65540ec4d12314e2100daee

SHA512
87620f036e9a2696afa407dcec8ddf1954b3b359765699f95080167c36b5cc24aa8069e2cdd2c3307b2a5edf2c32815d8d6cd0b9547ec1b8bb94dd19214ce8b1

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
d5166ffb74d986159d974ca41c0b448c

SHA1
65539171123fce070f8a192d2c6f09aa491eab35

SHA256
d9447ceee5c9d6ae223ef3cc9733b9c8d21b230964e6b22bb0826702ff6900e9

SHA512
7a8098df1bc43b91231e6c5038646050c160209033211ff198ff23d6a4baed7acc3ca89ad2d0bf1c5d2f11d9b785c5df05442ff0dc6c9dd1497c0114aacfed96

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
b541372eb84d0cdd545e6ede46a813a4

SHA1
bee0cdfa2b716ace6fd4d9933840397bb869b779

SHA256
fd559860fd1e27210cff7996689faa7842d35811ed2fc14cfe85bee8cecfab31

SHA512
0258f23023d8fb266f2a0bc80940c4bdb2b3d0a02cc2a72be2f6e21237914b48fb1a15e9e257e8818c8b5b890d456c427516f85988ea479f894d329435bf59f3

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
b48d2f0030beffaf3b0351e18320c2ce

SHA1
2420cb66d3dde3a71f7ff166ea1a6d19937d7db3

SHA256
50430542bc1e03d31c206c68a81cf5369ebe41a6d18951f747caab4b87fe31ab

SHA512
d2ebcd05ae472efd4e336260edef7ee71427c942438bed84657f12cf62acf30c473f89e0d9f547c82ecc4402e3f632a037c6f857945571c830f676defb2128ae

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
887764ca1b0edfd9113c3e4b56bb8947

SHA1
3f5e512d0def7b959b94ecdfaa5ccaedb97f1372

SHA256
ca32933a62d1e79c424d712ee85c135a82c4d64e291d674a56abb5401772d9df

SHA512
35b007578174beece5ae9bbd24d745912a4a7d26a870e70099b1ecea15789e934da2ea799fed1ed84a4abdeb82b8973b67c4231a8670e67159063e857bc8cb47

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
f61e991fc1b9da72650fccc73f8bf532

SHA1
bd9c9c779a9be5f3d9116e13426b8bcd2df95681

SHA256
1c6f07732191de84c0cf17dd0691cc7a7c6266777f1b36910421707b14457ea2

SHA512
9842e3d15bd0e69577006a3f89808f9297ae8adad247d3b16d2014f88d94ab908deb78ffe0b9239e4fb27c4838fa752c34849334a2194a1af1621bb98da7fc94

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
62bb4c1e865e82a0694a83f5148c16c1

SHA1
a427178e26d39919949555b54bde52bef51646e9

SHA256
5119d5e8afed13b7363f2e5556f744e9b56d45939a51b034622f6770e34237c6

SHA512
62da1cd4343678cd3a4fae89c2f11556a984b7007f0f59647cd1b04fc7395f486e1454485be8c1260cec5ab2c65ef0cbd1c45743063cc0bb97c194a2680a3518

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB4BF.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB75D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBB05.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBDF2.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC091.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC34F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/572-470-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/572-468-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/864-372-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/864-373-0x0000000002FF0000-0x0000000003038000-memory.dmp

Filesize
288KB

Download
memory/864-391-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/864-382-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/864-383-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/864-375-0x0000000003060000-0x000000000307E000-memory.dmp

Filesize
120KB

Download
memory/864-374-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/864-371-0x0000000002FB0000-0x0000000002FBE000-memory.dmp

Filesize
56KB

Download
memory/864-370-0x0000000002F30000-0x0000000002F48000-memory.dmp

Filesize
96KB

Download
memory/1256-362-0x0000000000840000-0x0000000000858000-memory.dmp

Filesize
96KB

Download
memory/1256-365-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/1256-366-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/1256-368-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1256-364-0x0000000000870000-0x000000000087E000-memory.dmp

Filesize
56KB

Download
memory/1296-448-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1296-429-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1296-435-0x000000001C540000-0x000000001C554000-memory.dmp

Filesize
80KB

Download
memory/1296-434-0x000000001C4F0000-0x000000001C538000-memory.dmp

Filesize
288KB

Download
memory/1296-433-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/1296-432-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/1296-440-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1296-439-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1368-167-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1368-191-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1484-57-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1484-58-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/1484-161-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1680-336-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1764-347-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/1764-346-0x0000000003090000-0x00000000030D8000-memory.dmp

Filesize
288KB

Download
memory/1764-345-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/1764-344-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/1764-351-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/1764-352-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/1764-361-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1776-424-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/1776-430-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1776-427-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/1776-426-0x000000001C520000-0x000000001C52E000-memory.dmp

Filesize
56KB

Download
memory/1776-425-0x000000001C500000-0x000000001C516000-memory.dmp

Filesize
88KB

Download
memory/1804-484-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1804-482-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1856-340-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/1856-338-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/1856-337-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/1856-339-0x0000000000830000-0x0000000000878000-memory.dmp

Filesize
288KB

Download
memory/1856-342-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1968-192-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1968-186-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1996-330-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1996-332-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2020-483-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2020-475-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2020-472-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2180-0-0x0000000001000000-0x000000000127D000-memory.dmp

Filesize
2.5MB

Download
memory/2180-2-0x0000000001000000-0x000000000127D000-memory.dmp

Filesize
2.5MB

Download
memory/2180-1-0x000000000101A000-0x000000000101B000-memory.dmp

Filesize
4KB

Download
memory/2204-449-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/2204-451-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2440-166-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2440-86-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2600-35-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2600-38-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2600-67-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2820-21-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2820-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2820-54-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2844-247-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2844-93-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2844-184-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2848-405-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/2848-406-0x000000001C4A0000-0x000000001C4AE000-memory.dmp

Filesize
56KB

Download
memory/2848-409-0x000000001C520000-0x000000001C53A000-memory.dmp

Filesize
104KB

Download
memory/2848-414-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2848-408-0x000000001C4D0000-0x000000001C518000-memory.dmp

Filesize
288KB

Download
memory/2848-423-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2848-407-0x000000001C4B0000-0x000000001C4C6000-memory.dmp

Filesize
88KB

Download
memory/2848-415-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2848-410-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/2848-404-0x000000001C100000-0x000000001C10C000-memory.dmp

Filesize
48KB

Download
memory/2912-403-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2912-399-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/2912-400-0x0000000003050000-0x000000000305E000-memory.dmp

Filesize
56KB

Download
memory/2912-398-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/2912-397-0x00000000006E0000-0x00000000006FA000-memory.dmp

Filesize
104KB

Download
memory/2912-396-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2924-467-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2924-454-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/2924-459-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2924-458-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2924-452-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2960-487-0x0000000003040000-0x0000000003056000-memory.dmp

Filesize
88KB

Download
memory/3004-46-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3056-334-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download