expiro | 2e410d578b4089e73944da93e75cc6d1ce59fc68cf9212113f0395740c135701

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
Size

672KB
MD5

6c2dff90879c1f9661ac72c6baaf7260
SHA1

9347c2e4805a0e66c76ea84703e9eb72630bd3b7
SHA256

2e410d578b4089e73944da93e75cc6d1ce59fc68cf9212113f0395740c135701
SHA512

e817d71a6d2360e8a56faa1bb19e1a15b62d7048257c002de7e575e1ccc1c71c065598b7587211bef4cf827196e81b7e437e01301ccaa95f92c652eabfb6053d
SSDEEP

12288:tU7xC9VRB2R52TpvLult4TxPex0VXecPbJye8zd1DZuxppyr:tUSV2RoTlucmx0VXBJyeYlZypm

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1732-2-0x0000000000400000-0x00000000005C7000-memory.dmp	family_expiro1
behavioral1/memory/2948-66-0x0000000010000000-0x00000000101A9000-memory.dmp	family_expiro1
behavioral1/memory/1732-147-0x0000000000400000-0x00000000005C7000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
2948	mscorsvw.exe
472	Process not Found
2884	mscorsvw.exe
2648	mscorsvw.exe
2860	mscorsvw.exe
1304	elevation_service.exe
1112	IEEtwCollector.exe
1756	mscorsvw.exe
644	mscorsvw.exe
2384	mscorsvw.exe
2756	mscorsvw.exe
2728	mscorsvw.exe
2752	mscorsvw.exe
2252	mscorsvw.exe
1492	mscorsvw.exe
2036	mscorsvw.exe
2180	mscorsvw.exe
2140	mscorsvw.exe
1976	mscorsvw.exe
616	mscorsvw.exe
3048	mscorsvw.exe
2504	mscorsvw.exe
544	mscorsvw.exe
2492	mscorsvw.exe
1516	mscorsvw.exe
2204	mscorsvw.exe
2528	mscorsvw.exe
2760	mscorsvw.exe
1664	mscorsvw.exe
2904	mscorsvw.exe
2188	mscorsvw.exe
1160	mscorsvw.exe
2436	mscorsvw.exe
2016	mscorsvw.exe
2076	mscorsvw.exe
628	mscorsvw.exe
1068	mscorsvw.exe
1780	mscorsvw.exe
2208	mscorsvw.exe
3008	mscorsvw.exe
1588	mscorsvw.exe
1376	mscorsvw.exe
2880	mscorsvw.exe
2216	mscorsvw.exe
2812	mscorsvw.exe
2652	mscorsvw.exe
2984	mscorsvw.exe
1640	mscorsvw.exe
2036	mscorsvw.exe
2044	mscorsvw.exe
2344	mscorsvw.exe
1560	mscorsvw.exe
2236	mscorsvw.exe
2292	mscorsvw.exe
1700	mscorsvw.exe
1104	mscorsvw.exe
544	mscorsvw.exe
872	mscorsvw.exe
2276	mscorsvw.exe
1384	mscorsvw.exe
2412	mscorsvw.exe
2384	mscorsvw.exe
1824	mscorsvw.exe
1616	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2252	mscorsvw.exe
2252	mscorsvw.exe
2036	mscorsvw.exe
2036	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
616	mscorsvw.exe
616	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
2204	mscorsvw.exe
2204	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
1160	mscorsvw.exe
1160	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
628	mscorsvw.exe
628	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
3008	mscorsvw.exe
3008	mscorsvw.exe
1376	mscorsvw.exe
1376	mscorsvw.exe
2216	mscorsvw.exe
2216	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
2344	mscorsvw.exe
2344	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
2280	mscorsvw.exe
2280	mscorsvw.exe
1628	mscorsvw.exe
1628	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
2632	mscorsvw.exe
2632	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1488793075-819845221-1497111674-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1488793075-819845221-1497111674-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\vds.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C05.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE5CD.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD894.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7A5E.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6FD3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6671.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1732	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe
Token: SeShutdownPrivilege	2860	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1756	2860	mscorsvw.exe	38
PID 2860 wrote to memory of 1756	2860	mscorsvw.exe	38
PID 2860 wrote to memory of 1756	2860	mscorsvw.exe	38
PID 2860 wrote to memory of 644	2860	mscorsvw.exe	39
PID 2860 wrote to memory of 644	2860	mscorsvw.exe	39
PID 2860 wrote to memory of 644	2860	mscorsvw.exe	39
PID 2860 wrote to memory of 2384	2860	mscorsvw.exe	40
PID 2860 wrote to memory of 2384	2860	mscorsvw.exe	40
PID 2860 wrote to memory of 2384	2860	mscorsvw.exe	40
PID 2860 wrote to memory of 2756	2860	mscorsvw.exe	41
PID 2860 wrote to memory of 2756	2860	mscorsvw.exe	41
PID 2860 wrote to memory of 2756	2860	mscorsvw.exe	41
PID 2860 wrote to memory of 2728	2860	mscorsvw.exe	42
PID 2860 wrote to memory of 2728	2860	mscorsvw.exe	42
PID 2860 wrote to memory of 2728	2860	mscorsvw.exe	42
PID 2860 wrote to memory of 2752	2860	mscorsvw.exe	43
PID 2860 wrote to memory of 2752	2860	mscorsvw.exe	43
PID 2860 wrote to memory of 2752	2860	mscorsvw.exe	43
PID 2860 wrote to memory of 2252	2860	mscorsvw.exe	44
PID 2860 wrote to memory of 2252	2860	mscorsvw.exe	44
PID 2860 wrote to memory of 2252	2860	mscorsvw.exe	44
PID 2860 wrote to memory of 1492	2860	mscorsvw.exe	45
PID 2860 wrote to memory of 1492	2860	mscorsvw.exe	45
PID 2860 wrote to memory of 1492	2860	mscorsvw.exe	45
PID 2860 wrote to memory of 2036	2860	mscorsvw.exe	46
PID 2860 wrote to memory of 2036	2860	mscorsvw.exe	46
PID 2860 wrote to memory of 2036	2860	mscorsvw.exe	46
PID 2860 wrote to memory of 2180	2860	mscorsvw.exe	47
PID 2860 wrote to memory of 2180	2860	mscorsvw.exe	47
PID 2860 wrote to memory of 2180	2860	mscorsvw.exe	47
PID 2860 wrote to memory of 2140	2860	mscorsvw.exe	48
PID 2860 wrote to memory of 2140	2860	mscorsvw.exe	48
PID 2860 wrote to memory of 2140	2860	mscorsvw.exe	48
PID 2860 wrote to memory of 1976	2860	mscorsvw.exe	49
PID 2860 wrote to memory of 1976	2860	mscorsvw.exe	49
PID 2860 wrote to memory of 1976	2860	mscorsvw.exe	49
PID 2860 wrote to memory of 616	2860	mscorsvw.exe	50
PID 2860 wrote to memory of 616	2860	mscorsvw.exe	50
PID 2860 wrote to memory of 616	2860	mscorsvw.exe	50
PID 2860 wrote to memory of 3048	2860	mscorsvw.exe	51
PID 2860 wrote to memory of 3048	2860	mscorsvw.exe	51
PID 2860 wrote to memory of 3048	2860	mscorsvw.exe	51
PID 2860 wrote to memory of 2504	2860	mscorsvw.exe	52
PID 2860 wrote to memory of 2504	2860	mscorsvw.exe	52
PID 2860 wrote to memory of 2504	2860	mscorsvw.exe	52
PID 2860 wrote to memory of 544	2860	mscorsvw.exe	53
PID 2860 wrote to memory of 544	2860	mscorsvw.exe	53
PID 2860 wrote to memory of 544	2860	mscorsvw.exe	53
PID 2860 wrote to memory of 2492	2860	mscorsvw.exe	54
PID 2860 wrote to memory of 2492	2860	mscorsvw.exe	54
PID 2860 wrote to memory of 2492	2860	mscorsvw.exe	54
PID 2860 wrote to memory of 1516	2860	mscorsvw.exe	55
PID 2860 wrote to memory of 1516	2860	mscorsvw.exe	55
PID 2860 wrote to memory of 1516	2860	mscorsvw.exe	55
PID 2860 wrote to memory of 2204	2860	mscorsvw.exe	56
PID 2860 wrote to memory of 2204	2860	mscorsvw.exe	56
PID 2860 wrote to memory of 2204	2860	mscorsvw.exe	56
PID 2860 wrote to memory of 2528	2860	mscorsvw.exe	57
PID 2860 wrote to memory of 2528	2860	mscorsvw.exe	57
PID 2860 wrote to memory of 2528	2860	mscorsvw.exe	57
PID 2860 wrote to memory of 2760	2860	mscorsvw.exe	58
PID 2860 wrote to memory of 2760	2860	mscorsvw.exe	58
PID 2860 wrote to memory of 2760	2860	mscorsvw.exe	58
PID 2860 wrote to memory of 1664	2860	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e8 -NGENProcess 214 -Pipe 18c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 25c -NGENProcess 1d0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1c8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 214 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1d0 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 214 -NGENProcess 1d0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 274 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 240 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 240 -NGENProcess 278 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 288 -NGENProcess 260 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1e8 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 278 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 1e8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b8 -NGENProcess 1e8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1e8 -NGENProcess 2b0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 278 -NGENProcess 2bc -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2bc -NGENProcess 2b8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 278 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e8 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f0 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d0 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2fc -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 2d8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 314 -NGENProcess 2fc -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 324 -NGENProcess 2d8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 320 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2d8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2fc -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2d8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 320 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2fc -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2d8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 334 -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 2ac -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2d8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 320 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2ac -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2d8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2ac -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2d8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 320 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2ac -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2d8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 320 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 320 -NGENProcess 370 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 374 -NGENProcess 2d8 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 368 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 320 -NGENProcess 38c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2fc -NGENProcess 364 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 380 -NGENProcess 394 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 37c -NGENProcess 364 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 39c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 2d8 -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3a0 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 364 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 39c -NGENProcess 364 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 39c -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 38c -NGENProcess 3a8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3ac -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3ac -NGENProcess 38c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 278 -NGENProcess 3bc -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 3cc -NGENProcess 39c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3a0 -NGENProcess 38c -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3c8 -NGENProcess 3d0 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d8 -NGENProcess 39c -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 38c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c8 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 278 -NGENProcess 38c -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 3e8 -NGENProcess 3dc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3e4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e4 -NGENProcess 278 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3f4 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3dc -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3fc -NGENProcess 278 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 278 -NGENProcess 3f4 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 408 -NGENProcess 3ec -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3ec -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 410 -NGENProcess 3f4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 414 -NGENProcess 3c8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3d0 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 424 -NGENProcess 408 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 278 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3d0 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 430 -NGENProcess 408 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 278 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 428 -NGENProcess 3d0 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 418 -NGENProcess 438 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 440 -NGENProcess 278 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3d0 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 448 -NGENProcess 438 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 278 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f0cd5dcc0775782a865da8838f6b9d0c

SHA1
b1673dfe4245dad42867ba7a2a4088dd4b25f209

SHA256
b92245a37054a296ec918c666d23a61863a98c6a18babac285f224640c8e0a84

SHA512
4ec34761f319bc0e49b43ecce545dc5fb3aa7e08d04432b9d126257424313b544a00ff15c8676066175b0652087ffe2f32197f92b2a4ca66e4f8d42f9af13b5b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
99673bf5160b3f027df19cf6ed62e31b

SHA1
1d0983819b2dcab93655ca8c1ded2df7f0a11b96

SHA256
c92124114d5e52e3e801a0cc81683a374364792f38523229af24ff5fb164d043

SHA512
676ecea52872bafae5b9b2cf7532803d42f9e8f5388e3eb754bf1cbf83456a247c8e5624bc5350a7592a84ebec3e20c9c02b02bf92b68cd14445ea6c8f19d881

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
c96b27656d3a5764123c12b22c329ea6

SHA1
9d745b5dd875887f0de5e93f11e27fdaf36afb2d

SHA256
3f9d65ebee99764f42969ecde9d8503cc3d1a9c407ed82216d2be47e6745e652

SHA512
b6ecabae0b0f1029415b000ce093f3a60e2b47a4444239deca0ddb05793d23c6c1c7c2e9f5c70749f083ad7ab76f59e053688cbc1b1f033a84d275d676b8b694

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
03470a628e2b5dee6a520df083aba1cc

SHA1
229a7bbd524b552795829ce34569ce399cb3dba2

SHA256
14c8e029226487220128f2c8182e203649707c21173246389b87e9fb2dd08633

SHA512
23775524fe57d7ee96e13b2c98af1028dd64bf447525bc3c42991e73bf381fc84f33da5e317cf50e6a220a982debfabc4cac78d4bdc03c153dadacc31084af07

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
3e4aaf9b405f9e47d0a2a8d969cae76c

SHA1
ba5e26c48e4d64a9fb5d17807f95d3c66eed7419

SHA256
60e6a6dd52d8986f393e99bc95f1ffe07ef328d005c70fb5ad2ab8f9bfdcd945

SHA512
03e9033877beefbe3753889dc912d441292880e9a029625ac3610d1de20871236deb09510c64f81420a994571aead30dd006aaee6a96c0d517bb95e7db86793d

Download Submit
C:\Windows\Temp\CabD22E.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarD387.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1386ece85246fcbb32d0edf124946fea\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
b9799a86439fb003e7b25aec05f4cd1a

SHA1
c31d28d5be2a1d35eb6580fdc7c0204888235bbc

SHA256
6b9770fbbbb74f2b41494eadf39aa291fd03fb6e20818dea56ef703435471744

SHA512
4b2f561a8e60069ff0e044d82ab770dd65a9976c7b9ccc2a224764fe8bf49e1f6d0b79146f62ae381deec1e9c35ae29b2325f1d3ff1066bfdc4cd857a4d055ef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2c85cd0dcf9914fd11b6ce3cb322617e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
befbf45ea3412c483df6b3deaee577bb

SHA1
a4d982d879ba24a8a2b994a1abe126b7b3cf682f

SHA256
ead6a82186141fcb5d58ef7c24dd894ab69aaf52ba4d0c29e181897390ca934a

SHA512
5b660c30a305f6515e19fe2136dd90d5510ae94df5f34b838b40cb926507449b2853bff333aa069a6d98b75cfaf46864553f6687c0ef2e401ffd105162b9bbec

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c114dec2731bf087e8b7925092acee41\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
795c0d49a9070028d7f2d2e893af5688

SHA1
2020fb2446a01b9053014cf1f1fba5291d7bf85a

SHA256
b04b3ce047ccceb8bb23cec6810320192aa1f0334b4d56aad222edfac50938b4

SHA512
1c2fbce28f07bc2a85820a4e2c94905f0c48e206b749d4a04c414036d14c1ffca3cf318850d955454c81caade6ca85fc8ad1b3b51e555b4f9bc64bd23bc91e5e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c811afd7af0d7acfb210c8b6e6820305\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
7766158569c0250183e7d811fc22c09c

SHA1
3c7f0082deede6591287586a74f1430cf95a9dc5

SHA256
fd34db6c0ed31775be9fb6143b101b07de076e357cb9bb64acc5513a757ab07d

SHA512
07ae51fc9e33982154092ffa626814a43adbb98db50ee688ae552d36887cdd9512c0c164e90d758a78c568c093131042ffe0f368d0006f3516debc0aec95af26

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
648KB

MD5
16ac4df91fd892bf1f296efc9f57dfe2

SHA1
a06f773b1e3e98ddf707e3ffacd925c583636a54

SHA256
2948a88894b2594e0701324e7e9162c7cfea45297190c505052ad19d5a7ac597

SHA512
c508705fe57aa5a714a251172c1771d0a20f6d2026adecd7cb608ca2d02f2bbc1d2ac6f9cc9f2b049381ccddb6d183fd397c1df8e527777631c3c9c10150d2b7

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
033feed6b99cb0292d6a8a86063f21e6

SHA1
46493ef0761a7d3102d0b636bcebeade1dc6a8ad

SHA256
d5ccea967edf5be8094735323124d1e026e43d0ad80384aa87bb80dfbea091dc

SHA512
a1f53e99d39bcfce7d8ac850b19d752f56ebbf96b389a71a96c353728421c3c2db12dbfe29802207c4ad46cb085613b23b23b00ba7a1770d37167d88335916db

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
723KB

MD5
6b3505c0fd3bdfaea9dab9d6b38e4790

SHA1
49e2e9cc1572159a7e07a769432036f29fc6be34

SHA256
89ed9c29b48fb6b62b6a72f614be4bb77b0fcd9fa5aee5a4c3537a375c1e391f

SHA512
0858cfc4aed09d43c04ca85504a11cd6b0e87b9789bc7be0927913e5d7c0b7bd6da5c0c1a78c0b79b7c14d08fcd45bb2e66daf5d239cf7d05e2480053167d19c

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
632KB

MD5
ac9dcaa8f81d4a7638e1904a78986a74

SHA1
4528039c9c5fcd1c7a5fefb5ec16766364104580

SHA256
d4720d61f5f3ded0562a2e4efd7093b8888e3c9b2f29942b2c4e152e87cf7d92

SHA512
6656bd099b5bcb545682284633a3a143fbca7f5a05f323d8888d57991d372dbb24587826fd789b09202a4a7608351f57f2b6ccc9e9631bcba6fa9a66de1ea4e4

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
544KB

MD5
ceeb5df28b211041ec9682c4aaa87a2b

SHA1
3a45a7701e3c5066fa74f3b0ed5ac26d05ed917d

SHA256
9790421fb33a6e5a3f4b7a070ecf2ffc29469b82fb6c498bc51bb4fecba9891d

SHA512
858803c50772e31ed0f4bca8ac142a5c608fcc738cd12da2a2619853bf89c03b77e8eb9a083abff1a42388334bf1fc5db1c5ad0aa72a93cd8d914d86a3dffacc

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
585KB

MD5
8e97cbe085a6de587888743481fe64fc

SHA1
22ed7ada3e53223f20d449850c3f00a1c5bc7c51

SHA256
ef55adabb6aeb220576b14225a9868ccb58b7f1f69fb23c34aa71878b8af0f19

SHA512
180d878bc259090ec751bcf0af315d0db094102a0aad9c04e81b289d541e346c39dae16fae85581a7a070216120639a44f4f6632e20d5e9e60a209b24362f2ff

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
745ccb9dff2e031106adeb081fed5bb3

SHA1
6e0716de925c4b03f2e75911e34044a67a688fd5

SHA256
5a15dc8f5dc2cb03e5b15404523a8b81b7e3c5605b0363b8353014db3d2c3382

SHA512
8d072ffa6f34a67585495526c7f2567110c008b820102a7db5f602d323d6fa92fff20f0b72eba382a26dbcc807ebfa6b3d9457706f2304429b351bca2a452e42

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
646KB

MD5
70bc92f5390ec1c003beb7d0b3d86f2f

SHA1
fc3d3ba3ac03e392f0e51f6fbb74ee62258bca26

SHA256
1f88b91820d97ae94fd94374b93dad17b5d41a45519ce9cec020a5541a9aed7d

SHA512
679afb6d2a0173ddd5ed12afb66380baa365186a3367a5894d871a949e91b412d9492f0887ec9cb8431b5f40aaa34d616b04cd1a08539145079da5cfb02c4416

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
633KB

MD5
efa96805db5d22d882aa1d139d4e445f

SHA1
be1d678077e5b09d3762635b25efba3fb42e73b3

SHA256
40ec78b46124085027fdf81020e81d07773e86e099cf1666678736a2be216e0c

SHA512
4dfec0ffb6263a428f5c8e6a6fc223e4b3c611de01b7fad8887ee26517c4f13d8ed5cfb2834f09216b053ed29de84207f1bea92908458f1b187dc9ab732a72c8

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
522KB

MD5
67f2dadd202749f1333a047ef911ed6a

SHA1
713151ba2a80022d1e8dd7fb29abd8bceebb298e

SHA256
148c31b41f77108a49c76ec1e538983a5b07985d2b10b876c7cc3c44e23e9849

SHA512
7dc2fd8cb3ea3a4fde4a07c1f60f946768084acf58773d4773a11f7cfb9a22fb0c821f0a2f1cae8c631c20c563e163ab9790055558dd4525747b16907658c251

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
548KB

MD5
6318c37f646226d127d700d75d896a85

SHA1
cc2db49d965b3ad8d9d4da011b969e9ec6ee9699

SHA256
ec3e8e7a61e19867d58694967fb09f2869a1840be624dc9801db58814e2991aa

SHA512
fa11657217dafadbb564a47f52a6ed29840d6769efe713b50ad509d2ab9bb38e03c582bf42cd900a0f053e04eb22a17deee821d469eb0036459e931d36f8a0cb

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
bbc7e9942f27f8662f3f24404983f416

SHA1
46c8ba01aebcb79c182b83fcd85e336063a363c6

SHA256
b16e9ff0aacd3d7efd28e2d2c4916e67a1d967e45a0c4708075fd443d5fb4325

SHA512
23226e78680616263693e178fa1fdea132683a49b730052957dc7b0f8d5e4c3c92522047c602d88097a2731226541e12893217ae4856ec1f6b38577364597b17

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
b9d5868be8171e29acdd9ed583f7dde4

SHA1
f8cf7cb0a1c78ca5692cefb8ee20cc8afcb8341e

SHA256
076e966540a70ca03e27dbef83664af98bde11639837f8fe041f450dfa3c6436

SHA512
225dbb7ea3443cff2b60feabb3b457356deba6f933522e251827673303f95958ecc4f2555c14d214f6af75729e48006020d7a464bcbcac8dc86a74156ed004ca

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
706KB

MD5
62ffbea5b9b430538c3c24d004e78a26

SHA1
5c8166a06f4aa319b7a26280b3dda023159eea33

SHA256
74e98eba4630c4bc9e04d246dceb4aa80c7d710b9e579b7730a2c2e18a774405

SHA512
f4fabed0b7a4b92c78cde0d010cdf7f09c798872ff1b306a298afab54cd001aa0eaabbe16173caa69ee5fc38d3d295f8fc27f6ba178477e49d26adbb1e755238

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
be7b97283c1e94e009a6f272aac67e41

SHA1
4eb4f1ef74537eb35cfa1a8267eb57544d40d08f

SHA256
c438dc20de92cd56dc3c290f67c52da1a8e16e6f82d6747aca00dc9f1c9eb51e

SHA512
18ac33ed44b8b2b51d7f6eee0f5d2fad14bf6e7bcaac79dc3f1cdc5a0c065d803e3230c1f989a35d59f5f55ba40ed613d88af1dcc9b9a0493866c75a1bb972b1

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2063dc97b8fb9b0a75e184db7109ffbe

SHA1
00c9554b9795edf819281138d96cc33f290dfded

SHA256
083611d7bfc2cf68712b2c66d48e29a21a1dc0b6a3d43b8db3b4f6969154d5a7

SHA512
8de14733a2d919e05d086930d299b08028e728d5c87d9e07ec85d1d235e6fa86670ad4409dcd6183ccd6b81752ebf0d73d2535653c4a3f44ede2ff3f1ce36319

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
fd220334a4b197ae69a53d3166e9f02a

SHA1
b7c089c66a9901119946d0b0c68a6314c78e61bb

SHA256
3fae53d2ecb597afe5a8f77716990fb335fb25c414004adc53f5fbcf56dea73e

SHA512
3c4a5d2a5304d87a6f9cfb5d39f515e0a4ec8d4a3f160eaf2a39983206ada0d8648ecee5ea43c0dd07cef19a590d854c61e588a75d2287aaba899d0994950173

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
618KB

MD5
8310f40276b16b76591140f1f8f81ef3

SHA1
60b2336fb45ad5ae59a63fd255633ba6732ccaf7

SHA256
2a6823458dafae3b05e95aed72ab737ee4b32adcd5a3492841278aa756e4f7d1

SHA512
290c8a0dd26d8bc5a5f59fe0fec154aefb6ec184290338feb7d25ad5154473cfb7f03973592cf5bc98f7de1277148ed43f03bb0e1d959109b0e358b88479d089

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
617KB

MD5
e009b8f80227f704ef05f6044a1db323

SHA1
1898af704b9621894d58a0c77aec777512ddcd42

SHA256
30c2d9a432314cf29a86338f39509e56a6e89792c4b7393c0ae1904aafaa7911

SHA512
cce83cf908bc1fbb6a7eebafbf991b71887cb7f35ef567f50935bbe865ff6a9c226a7c0b0553cdbb96e05e4fc99d4187d60db142b9375e339c526d6e4a66069b

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP559F.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP587C.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C05.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5EB3.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6171.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6420.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6671.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
memory/544-332-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/616-295-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/616-291-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/616-296-0x0000000003070000-0x0000000003084000-memory.dmp

Filesize
80KB

Download
memory/616-310-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/616-294-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/616-301-0x0000000003280000-0x000000000328C000-memory.dmp

Filesize
48KB

Download
memory/616-300-0x0000000003280000-0x000000000328C000-memory.dmp

Filesize
48KB

Download
memory/644-174-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/644-172-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1112-89-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1112-184-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1112-170-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1304-80-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/1304-168-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/1492-232-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1492-225-0x000000001C110000-0x000000001C128000-memory.dmp

Filesize
96KB

Download
memory/1492-227-0x000000001C470000-0x000000001C47E000-memory.dmp

Filesize
56KB

Download
memory/1492-228-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/1492-229-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/1492-224-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1732-1-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-0-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-147-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/1756-169-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1756-173-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1976-287-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1976-292-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1976-288-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1976-289-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/2036-237-0x000000001C4A0000-0x000000001C4B6000-memory.dmp

Filesize
88KB

Download
memory/2036-247-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/2036-248-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/2036-235-0x0000000003120000-0x000000000312C000-memory.dmp

Filesize
48KB

Download
memory/2036-257-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2036-238-0x000000001C4C0000-0x000000001C508000-memory.dmp

Filesize
288KB

Download
memory/2036-239-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/2036-236-0x000000001C490000-0x000000001C49E000-memory.dmp

Filesize
56KB

Download
memory/2036-231-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2036-240-0x000000001CA00000-0x000000001CA1E000-memory.dmp

Filesize
120KB

Download
memory/2036-234-0x0000000000730000-0x0000000000748000-memory.dmp

Filesize
96KB

Download
memory/2140-266-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/2140-263-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2140-270-0x000000001C4D0000-0x000000001C518000-memory.dmp

Filesize
288KB

Download
memory/2140-269-0x000000001C4B0000-0x000000001C4C6000-memory.dmp

Filesize
88KB

Download
memory/2140-268-0x000000001C4A0000-0x000000001C4AE000-memory.dmp

Filesize
56KB

Download
memory/2140-267-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/2140-271-0x000000001C520000-0x000000001C53A000-memory.dmp

Filesize
104KB

Download
memory/2140-277-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2140-276-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2140-286-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2140-272-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/2180-259-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2180-264-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2180-258-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2180-261-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2252-209-0x0000000000880000-0x0000000000896000-memory.dmp

Filesize
88KB

Download
memory/2252-203-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2252-206-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/2252-208-0x0000000000830000-0x0000000000878000-memory.dmp

Filesize
288KB

Download
memory/2252-223-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2252-214-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/2252-207-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2252-213-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/2384-190-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2384-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2504-318-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/2504-331-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2504-319-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2504-315-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2504-323-0x000000001CCF0000-0x000000001CD0A000-memory.dmp

Filesize
104KB

Download
memory/2648-45-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2728-196-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2728-193-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2752-198-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/2752-199-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2752-204-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2752-197-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2752-201-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/2752-200-0x000000001C4C0000-0x000000001C508000-memory.dmp

Filesize
288KB

Download
memory/2756-194-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2756-191-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2860-56-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2860-148-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2860-55-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2884-82-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2884-34-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2884-33-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2948-66-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2948-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2948-21-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/3048-312-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/3048-313-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/3048-311-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3048-316-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download