Malware Analysis Report

2025-04-13 23:46

Sample ID 250103-hsh9xatlbt
Target JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0
SHA256 8026f0a34be72b273af30c71f7399b9e8b0014e4f17e6559fda4ac5962882c3d
Tags
discovery expiro backdoor credential_access evasion spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8026f0a34be72b273af30c71f7399b9e8b0014e4f17e6559fda4ac5962882c3d

Threat Level: Known bad

The file JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0 was found to be: Known bad.

Malicious Activity Summary

discovery expiro backdoor credential_access evasion spyware stealer trojan

Expiro, m0yv

Expiro family

Expiro payload

Disables taskbar notifications via registry modification

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops Chrome extension

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 06:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 06:59

Reported

2025-01-03 07:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3736-0-0x0000000001000000-0x000000000127D000-memory.dmp

memory/3736-1-0x0000000001000000-0x000000000127D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 06:59

Reported

2025-01-03 07:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe"

Signatures

Expiro family

expiro

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables taskbar notifications via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\V: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\E: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\I: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\X: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\P: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\R: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Z: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\S: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\U: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\O: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Q: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\W: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\K: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\M: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Y: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\H: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\J: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\L: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\N: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\T: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\djfcjlok.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\lsass.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\kobjgjfc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\ehhenolk.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\mjfpfcpd.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\acdocaog.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\SysWOW64\mmcfhkab.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\paiinicl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vds.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\ui0detect.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\SysWOW64\bgnkomqp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\aehcihgo.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\bjbbcljf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\ioacebpq.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\wbem\afbidnep.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ieetwcollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\SysWOW64\anhhocop.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\ui0detect.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\fdcncacl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\SysWOW64\ficqadho.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\windows\system32\jjaofpop.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\ieetwcollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ui0detect.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\gnciljmn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\gmoggjie.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\klonohhl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\nlfifejp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\qcogljfn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\kefbfhkg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\program files (x86)\mozilla maintenance service\jbcgigoc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\akaajeom.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Internet Explorer\onnmbqjl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\eqiodbdg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\oljdoamb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\llopmkim.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\cpkcoelj.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Program Files\Google\Chrome\Application\bhlnifll.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC34F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39A6.tmp\Microsoft.Office.Tools.Word.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD865.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE936.tmp\stdole.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\microsoft.net\framework64\v4.0.30319\ohehilee.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification \??\c:\windows\ehome\ehsched.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC810.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB75D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP36F8.tmp\Microsoft.Office.Tools.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\ehome\jahikmdp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD079.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1368 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 3056 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1764 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 1784 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 828 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1484 wrote to memory of 2472 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6af0878c78577e69bbbca6c75651a9f0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 160 -NGENProcess 194 -Pipe 1a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 160 -NGENProcess 194 -Pipe 1a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 210 -NGENProcess 1ec -Pipe 138 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 258 -NGENProcess 1c4 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 22c -Pipe 230 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1ec -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1c4 -Pipe 214 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1ec -NGENProcess 1c4 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1b0 -NGENProcess 264 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 278 -Pipe 1b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 1c4 -Pipe 15c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 210 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 22c -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 22c -NGENProcess 28c -Pipe 150 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 29c -NGENProcess 274 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 274 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 290 -Pipe 22c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 210 -NGENProcess 27c -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 27c -NGENProcess 290 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 210 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 28c -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2dc -NGENProcess 2ac -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ac -NGENProcess 210 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2e4 -NGENProcess 27c -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 27c -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 1d8 -NGENProcess 2b8 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2b8 -NGENProcess 2d4 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 210 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2b8 -NGENProcess 2fc -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2b8 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 294 -NGENProcess 2fc -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 2b8 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 304 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 2cc -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2cc -NGENProcess 294 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 320 -NGENProcess 2f8 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 294 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 324 -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2dc -NGENProcess 2f8 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 30c -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 338 -NGENProcess 31c -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 340 -NGENProcess 2f8 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 334 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 30c -NGENProcess 31c -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 348 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 350 -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 31c -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 32c -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2d0 -NGENProcess 31c -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 35c -NGENProcess 338 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 30c -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2d0 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 36c -NGENProcess 35c -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2d0 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 31c -NGENProcess 30c -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 30c -NGENProcess 36c -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 37c -NGENProcess 2d0 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 35c -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 2d0 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 35c -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 36c -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 2d0 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 38c -NGENProcess 398 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 2d0 -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 380 -NGENProcess 36c -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a4 -NGENProcess 35c -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 398 -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 36c -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 35c -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3a4 -NGENProcess 35c -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3bc -NGENProcess 3ac -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c4 -NGENProcess 36c -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3ac -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 36c -Pipe 3b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 398 -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3ac -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c8 -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 398 -NGENProcess 35c -Pipe 3cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3dc -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3ac -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 35c -Pipe 3d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d0 -Pipe 3d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3dc -NGENProcess a4 -Pipe 3e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3ec -NGENProcess 35c -Pipe a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d0 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a4 -InterruptEvent 3d0 -NGENProcess 3f0 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f0 -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 3e4 -Pipe 3fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3e4 -NGENProcess 3d0 -Pipe 3ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 40c -NGENProcess 3c8 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 408 -Pipe 3e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e4 -NGENProcess 414 -Pipe 40c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 3f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3f0 -NGENProcess 3c8 -Pipe 3f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 420 -NGENProcess 3d0 -Pipe 41c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 404 -NGENProcess 414 -Pipe 408 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 424 -NGENProcess 410 -Pipe a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3d0 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 418 -NGENProcess 414 -Pipe 3f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 428 -NGENProcess 3c8 -Pipe 414 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 43c -NGENProcess 410 -Pipe 438 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 430 -Pipe 434 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3c8 -Pipe 404 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 410 -Pipe 418 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 430 -Pipe 3d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 3c8 -Pipe 428 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 410 -Pipe 43c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 430 -Pipe 440 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 420 -NGENProcess 430 -Pipe 448 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 460 -NGENProcess 44c -Pipe 45c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 44c -NGENProcess 444 -Pipe 450 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp

Files

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

\Windows\System32\ieetwcollector.exe

\??\c:\windows\system32\alg.exe

\??\c:\windows\ehome\ehsched.exe

\??\c:\windows\system32\fxssvc.exe

\??\c:\windows\system32\msdtc.exe

\??\c:\windows\system32\msiexec.exe

\??\c:\windows\system32\ui0detect.exe

\??\c:\windows\system32\vssvc.exe

\??\c:\windows\system32\wbem\wmiApsrv.exe

\??\c:\windows\system32\searchindexer.exe

\??\c:\program files\windows media player\wmpnetwk.exe

\??\c:\windows\system32\wbengine.exe

\??\c:\windows\system32\vds.exe

\??\c:\windows\system32\snmptrap.exe

\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

\??\c:\program files (x86)\microsoft office\office14\groove.exe

\??\c:\windows\ehome\ehrecvr.exe

\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

C:\Program Files\Internet Explorer\iexplore.exe

\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB4BF.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB75D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBB05.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBDF2.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC091.tmp\Microsoft.Office.Tools.v9.0.dll

\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC34F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cf592180b987031367efbf287c9b0335\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\291edf644da92b3cde87e45995335afe\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4a73e85975acb23dd976bb689dadda25\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\025f3688f8eea99014499b2178983483\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

C:\Windows\Temp\Cab28C5.tmp

C:\Windows\Temp\Tar29C1.tmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
