expiro | 1c811173caa7fc16558b04b89cb9eac921da745cfd2c88a14633a47bdb6ff12d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
Size

555KB
MD5

6c5480888b8b4f86298d76c5e024c560
SHA1

46f321cffbc3f4a5690812a0ca082a4a7a9b11a9
SHA256

1c811173caa7fc16558b04b89cb9eac921da745cfd2c88a14633a47bdb6ff12d
SHA512

6fa8d35f92cd0545fa8e7e7015c2230af318d9477336a4a283bc6a93cdb3c2ff6b2cddd37ca56b1c18c4939aabf883b19729dc03442fbc672d892fd207b40658
SSDEEP

12288:TbRRaMMMMM2MMMMM/4pCki40Quwbjbv6+ka61COUAS9Z9oNOtNA1Y:TbRRaMMMMM2MMMMM/44khduwbjbv6+Df

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2196-2-0x0000000001000000-0x00000000011B0000-memory.dmp	family_expiro1
behavioral1/memory/2484-54-0x0000000010000000-0x00000000101AF000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
2484	mscorsvw.exe
476	Process not Found
2948	mscorsvw.exe
2656	mscorsvw.exe
2792	mscorsvw.exe
980	elevation_service.exe
1484	IEEtwCollector.exe
2152	mscorsvw.exe
1712	mscorsvw.exe
2860	mscorsvw.exe
1664	mscorsvw.exe
1808	mscorsvw.exe
2432	mscorsvw.exe
2184	mscorsvw.exe
996	mscorsvw.exe
916	mscorsvw.exe
3032	mscorsvw.exe
2316	mscorsvw.exe
1580	mscorsvw.exe
1700	mscorsvw.exe
2904	mscorsvw.exe
2384	mscorsvw.exe
2800	mscorsvw.exe
1420	mscorsvw.exe
1332	mscorsvw.exe
2832	mscorsvw.exe
1860	mscorsvw.exe
2408	mscorsvw.exe
1956	mscorsvw.exe
3056	mscorsvw.exe
2376	mscorsvw.exe
2064	mscorsvw.exe
564	mscorsvw.exe
2172	mscorsvw.exe
804	mscorsvw.exe
1740	mscorsvw.exe
1044	mscorsvw.exe
2776	mscorsvw.exe
2740	mscorsvw.exe
2052	mscorsvw.exe
2944	mscorsvw.exe
1416	mscorsvw.exe
2264	mscorsvw.exe
1672	mscorsvw.exe
2056	mscorsvw.exe
2528	mscorsvw.exe
2284	mscorsvw.exe
2192	mscorsvw.exe
1884	mscorsvw.exe
2908	mscorsvw.exe
2920	mscorsvw.exe
2732	mscorsvw.exe
2116	mscorsvw.exe
2976	mscorsvw.exe
1180	mscorsvw.exe
1028	mscorsvw.exe
2988	mscorsvw.exe
2016	mscorsvw.exe
2708	mscorsvw.exe
2096	mscorsvw.exe
2260	mscorsvw.exe
2504	mscorsvw.exe
2408	mscorsvw.exe
2596	mscorsvw.exe

Loads dropped DLL 52 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2184	mscorsvw.exe
2184	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
2384	mscorsvw.exe
2384	mscorsvw.exe
1420	mscorsvw.exe
1420	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
3056	mscorsvw.exe
3056	mscorsvw.exe
2064	mscorsvw.exe
2064	mscorsvw.exe
2172	mscorsvw.exe
2172	mscorsvw.exe
1740	mscorsvw.exe
1740	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
1416	mscorsvw.exe
1416	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
1872	mscorsvw.exe
1872	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe
2844	mscorsvw.exe
2844	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2872745919-2748461613-2989606286-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2872745919-2748461613-2989606286-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\L:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\J:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\N:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\S:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\V:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\X:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\O:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\W:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\K:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\E:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\M:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\T:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\U:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\P:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\R:	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\ieetwcollector.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\vds.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Internet Explorer\ieinstal.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\7-Zip\7z.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\7-Zip\7zG.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8508.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6A67.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP81EC.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9A0E.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2196	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2196	JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2152	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 2152	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 2152	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 1712	2792	mscorsvw.exe	39
PID 2792 wrote to memory of 1712	2792	mscorsvw.exe	39
PID 2792 wrote to memory of 1712	2792	mscorsvw.exe	39
PID 2792 wrote to memory of 2860	2792	mscorsvw.exe	40
PID 2792 wrote to memory of 2860	2792	mscorsvw.exe	40
PID 2792 wrote to memory of 2860	2792	mscorsvw.exe	40
PID 2792 wrote to memory of 1664	2792	mscorsvw.exe	41
PID 2792 wrote to memory of 1664	2792	mscorsvw.exe	41
PID 2792 wrote to memory of 1664	2792	mscorsvw.exe	41
PID 2792 wrote to memory of 1808	2792	mscorsvw.exe	42
PID 2792 wrote to memory of 1808	2792	mscorsvw.exe	42
PID 2792 wrote to memory of 1808	2792	mscorsvw.exe	42
PID 2792 wrote to memory of 2432	2792	mscorsvw.exe	43
PID 2792 wrote to memory of 2432	2792	mscorsvw.exe	43
PID 2792 wrote to memory of 2432	2792	mscorsvw.exe	43
PID 2792 wrote to memory of 2184	2792	mscorsvw.exe	44
PID 2792 wrote to memory of 2184	2792	mscorsvw.exe	44
PID 2792 wrote to memory of 2184	2792	mscorsvw.exe	44
PID 2792 wrote to memory of 996	2792	mscorsvw.exe	45
PID 2792 wrote to memory of 996	2792	mscorsvw.exe	45
PID 2792 wrote to memory of 996	2792	mscorsvw.exe	45
PID 2792 wrote to memory of 916	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 916	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 916	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 3032	2792	mscorsvw.exe	47
PID 2792 wrote to memory of 3032	2792	mscorsvw.exe	47
PID 2792 wrote to memory of 3032	2792	mscorsvw.exe	47
PID 2792 wrote to memory of 2316	2792	mscorsvw.exe	48
PID 2792 wrote to memory of 2316	2792	mscorsvw.exe	48
PID 2792 wrote to memory of 2316	2792	mscorsvw.exe	48
PID 2792 wrote to memory of 1580	2792	mscorsvw.exe	49
PID 2792 wrote to memory of 1580	2792	mscorsvw.exe	49
PID 2792 wrote to memory of 1580	2792	mscorsvw.exe	49
PID 2792 wrote to memory of 1700	2792	mscorsvw.exe	50
PID 2792 wrote to memory of 1700	2792	mscorsvw.exe	50
PID 2792 wrote to memory of 1700	2792	mscorsvw.exe	50
PID 2792 wrote to memory of 2904	2792	mscorsvw.exe	51
PID 2792 wrote to memory of 2904	2792	mscorsvw.exe	51
PID 2792 wrote to memory of 2904	2792	mscorsvw.exe	51
PID 2792 wrote to memory of 2384	2792	mscorsvw.exe	52
PID 2792 wrote to memory of 2384	2792	mscorsvw.exe	52
PID 2792 wrote to memory of 2384	2792	mscorsvw.exe	52
PID 2792 wrote to memory of 2800	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 2800	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 2800	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 1420	2792	mscorsvw.exe	54
PID 2792 wrote to memory of 1420	2792	mscorsvw.exe	54
PID 2792 wrote to memory of 1420	2792	mscorsvw.exe	54
PID 2792 wrote to memory of 1332	2792	mscorsvw.exe	55
PID 2792 wrote to memory of 1332	2792	mscorsvw.exe	55
PID 2792 wrote to memory of 1332	2792	mscorsvw.exe	55
PID 2792 wrote to memory of 2832	2792	mscorsvw.exe	56
PID 2792 wrote to memory of 2832	2792	mscorsvw.exe	56
PID 2792 wrote to memory of 2832	2792	mscorsvw.exe	56
PID 2792 wrote to memory of 1860	2792	mscorsvw.exe	57
PID 2792 wrote to memory of 1860	2792	mscorsvw.exe	57
PID 2792 wrote to memory of 1860	2792	mscorsvw.exe	57
PID 2792 wrote to memory of 2408	2792	mscorsvw.exe	58
PID 2792 wrote to memory of 2408	2792	mscorsvw.exe	58
PID 2792 wrote to memory of 2408	2792	mscorsvw.exe	58
PID 2792 wrote to memory of 1956	2792	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5480888b8b4f86298d76c5e024c560.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 164 -NGENProcess 168 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 1fc -NGENProcess 1b4 -Pipe 154 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 230 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1b4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 248 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1b4 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 278 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 26c -Pipe 160 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 248 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 248 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 26c -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 26c -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 264 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a4 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 280 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b0 -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 288 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b8 -NGENProcess 264 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 264 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 2b0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 300 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 31c -NGENProcess 2d8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2d8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2d8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 320 -NGENProcess 318 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 338 -NGENProcess 328 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2d8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2d8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2d8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 328 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2d8 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 318 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 318 -NGENProcess 368 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 378 -NGENProcess 2d8 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2d8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2d8 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 368 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 2d8 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 368 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 2d8 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 374 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 368 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 2d8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a0 -NGENProcess 374 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 3bc -NGENProcess 3a0 -Pipe f8 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3a8 -NGENProcess 3b0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 2f4 -NGENProcess 3b8 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 3c0 -NGENProcess 3a0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3b8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3dc -NGENProcess 3b8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3b0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3b8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c0 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c0 -NGENProcess 3e4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3f4 -NGENProcess 3b8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3b8 -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3fc -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f4 -NGENProcess 404 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3c0 -NGENProcess 3e4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 408 -NGENProcess 3fc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 3f4 -NGENProcess 3fc -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 41c -NGENProcess 3e0 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3fc -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3e0 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3c0 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3fc -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3e0 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3c0 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3fc -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3e0 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 3e0 -NGENProcess 434 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:980

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
636KB

MD5
f7a8f30ec49232ffd3d35522cd09a5a5

SHA1
2ef395a5007607e7fe214e00e127064601b2a7d5

SHA256
c584774bb3c628f9bcddf5917060ab4d9ab261c8fa15d1e5224664c7b022d399

SHA512
88569b18849ad72bf9c0c3a77d6c0d36760eb7f6a6943e841c6fd11e309c7489c34ce127a3bc696b8f94a9a313774fd5163cecb8fb6935ed47a9426108d46244

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
fe300ace15cbff4c4a39eb5dfc7120ee

SHA1
1e3baa274df4ea553bd4a420034b46f0b8b72202

SHA256
35a4c80702dc8c1b12f532f2bc600ff1fd190fc0a24218834610a5a1766cfaa9

SHA512
785b1a4ff7b2ec2eb093f28b3c6616bd5755ef22431993d2fc47e049e87e83faf572da5cd1fd087b93cb955fdeea76717160ba11f020b8cc3e7e8318f7223547

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
0331ec582adfc5efc2838e01bb6976fe

SHA1
9b9c30f584058adc04b309c79b857f51354e01d5

SHA256
7836e194647416a36f64608ddc6f3320e767f8108c11bff35394d822f449a569

SHA512
79ef03ce998d2e98d9e8af25c7a81b3c4e49fa2d85ea2f17088ffe14787087a18637ce9da1ba93b31d520a7c357f1e2b8c07933220824ab0f4dcfa7957512ec6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cd3cc98023382e3778b5de920d281f4c

SHA1
447bdbe98fc48fc899900bdb1700682f641c791b

SHA256
8a03e12ddbe0bb1ae0fa6f34c755b0bc25c283941fa091d7db08ad35dab2676b

SHA512
b5014b30faef124726108d0103dbe0f0551476a4c47f19a08d6af319d5bd07e89f0930c36f69ea263eb25a76e9808044f602f5e086133d2816b9ea73cf67cc22

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
f31808b10cfed6af4edb88254c63322a

SHA1
b07510fe341c62badbc06276b21f205900cf5a8a

SHA256
8535caccab0416a496f42994101ed4366045f168bcaed1b7bf4288d3d9a837a2

SHA512
174007ec00bb2ffea6984f5219f842eb6637a21eb5e885fd4ca8b4a53ea4ca5ff029115d9b25d5b1473b95617c9ba066bdffee033ccd1b1a76d743f29f646353

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
38e99024c8bc7ab27429f32325dea751

SHA1
4e5651b32d108d9561dd5cfc967935e625d58dd4

SHA256
726e16b04b934a71828ccdbef8948c3224f3dc13ebc646fce6b28d7a8cae2bc2

SHA512
5a2e8e5f234145695afc2132a2308187643e11f6793f90da698be46f3fb0e0f275b7481d64f3998fdf24e0d42ca11cc2a6e8a81ad54ceb621297e1da02e84e75

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
41dd2e7cdb8c06ac90a93004cc8a642d

SHA1
196e1d6123e4a65e5a828d71a1c25c4a027809c3

SHA256
645a795a7a576468b88051b5242705a95b6ffee184b87c065debedace320fa48

SHA512
0b6d543fd7b00848b8e9d5d5d9c6527666c926c7e71625d8bfb40a576bc0d845b1fabcb74d86d0f6a9b25006357898b0779dee5e19fe0cf6d4cdd185127919c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
7406fb79789e7e43c675ba0816d84bcf

SHA1
bd5974edec5f978024bb090bc9c9a9271fe07534

SHA256
cd5255c53febf150768508fe9bb22e8c16e77a948f60006b35750305c9233d3b

SHA512
64f9df70d42353c71c19a748a779bb9e65c3a40246136f8fa889c39e25febac8ab1582be00aa04ae75b75a8b562229667db775e70b9f81e6acb226932f780ae8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
875c9e04323ed703c71a3752cc9efeb3

SHA1
e9b80b4b1a1f4f65fa4b02fd9f2a6a0f269b0eeb

SHA256
846fcd1a1bc09fb3d0ae3e5029a42127587dc114cf5b57fe35cacd04844c207d

SHA512
126af3cdff402a5813c03a51c7a1a0ed87220b80e273011341da552238fd19f6350764513fbd1ba25b431d19e1ebb9650512d73212595457e1fc18b9b68f24ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
d8fca3572351ee14374fec86bfeca09b

SHA1
6b47eb1897d483e7fd793a44cb77bd4b6758a458

SHA256
c8a5dc045299961aef93fb7fb5df27b06fb16df4ac77e0ed78bbaa4fbc6ef5f5

SHA512
953bcc2251a702a26835a4d9469b2190d660d4b1e15197cbb0c1e321ca6a0c3a4e9df5b7195f40af7a5c0fde2d30535ccc52b52c1b6a4ea510a50709dd96ff5f

Download Submit
C:\Windows\Temp\CabDDA2.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarDF78.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0050d8a121f81a486a36a79ae70d7318\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
b433a0360eb3e6bc691df3a48e068304

SHA1
b479ba9e4cb2c05d33e017e664b54c3d73356a59

SHA256
ee63c73c3e214c1a094e4372f991f5c0dde0e9f57332e47b882318ae07887799

SHA512
60ab92cbdc275fc061522cd9dbabc7f121cffc661319e9132da9e0d52485adf9b44211e4cfa6548b715979c38ca995c9a57b1cb7359de88f72ffa82406ad8610

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7a84b9a1791ff0010824babd1bff1e8a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
fe7e6368bd0908c17603c712328907bb

SHA1
0c908464ba79d9bbbb7991a29ae43fe73b50b970

SHA256
68636399d570365e04d4036e756879baf7ad87627ba819e1f2a116d8fb625343

SHA512
b95362cc161f736300fdb53e77b9131805a6c8495ee13092be1d4c44fc99d13f582caee9beb550cd0a63421f912271b2de481a9fc4c75f4f88b787e49ad545e2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c6b80022aa6c4b553f43280aa8d0074f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
84a32e8e00a0511cf709b760f05fdcd5

SHA1
fc80d3fdf98e3ca10e9a9638ea4e6c19284730a9

SHA256
ee3d9d9b721b8262fc4dab7c8a5e80c2f21ba1bbf1c2b329511d54405bd84eb2

SHA512
e473bb662614fb45533ce50fd0e82a43a4948a577f50ca862be29c8b5e7f80977cbb555537ea0e95404eafddd8279dab06028a25d9a1a027256ffb547be7459a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d8da243013234a6a9856450f89a82951\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
d0e640283f6a7a2facf82306b7389d9b

SHA1
5de09608320e7bb5a50c8a7846e0ce4dededb005

SHA256
d1f989f0ec9d5a81f9e4b9027a170128b7c0053f51962e66c8e86bc53aa374e5

SHA512
545788697899bec6e60e6ee8e21c62de44b37a707d6a7f4a1bad2746d2cdc023587345ecc15974707a6d7dd9a26a9edcbfe6b56712fce434353c17f94a924fbf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
c7550a9a5091a951e99d7c4582606ffa

SHA1
a352d915ace977265f20da0199ffca6d1ccc6f0d

SHA256
cadbe98953b3f540af28b22400efbb87cc26c88f878ac87595385ca46f274c57

SHA512
066f3770ea200ad70dea74b036e52abccad95d75db5c0e1cd727f43feaa185b626e387cf148b2258171c42becdfddc145084834035ba3379332e74de748c6982

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
241190f73b39f0b591a2c4d004ba23ad

SHA1
400d5ce21a900b8bebcd2f2b691f07c7dde397a2

SHA256
e30467c9aef77b0d02fb602fde41aeb1fed6baf4de0446fe0f24f7ae4cfe8c06

SHA512
66b72103408c676381ae0c331ab39524b1da2829b1515c9953c5a657c26083330c54a7b9166a2de936a91a2d5d0ac03e2c128d2b316a48e5c4ba57773d33aa7c

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
711KB

MD5
4bd64204666adf40e9d24b51e0e2478f

SHA1
f7eb6b0b0077b748b475b9179c0cf762845e71c3

SHA256
b675b415458bc4b64e3b3e90ed183e96916535fc1ef3644cae7e237889577127

SHA512
4e1df2b8c9e3d6800d9dd035c1a7b81ff2ba3c76bad2aeffef61d7dabb1a477f9cac0a7629b47d770c7e2111fb5f7a4be7c29a7bd05d259025ce51746aaa3a2b

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
620KB

MD5
deb7dcb3b793cd42b0c15971ef10f029

SHA1
bd32eaf0fbc78e29449d1f5c60a08e0a7297a2f2

SHA256
3ab327263f280c78ca2b911f38924ed5a114bdaadd98d45aa10d80a149e6d2c2

SHA512
0fc7f1ec1b96f79e904b7ffd986992056c3c994aa54df418552f34b511543266609e6e708d8db037949f057e89636a2fbf1926f0f669df8933aa8e14c635195b

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
532KB

MD5
a1c1d0bed5b356f067a81afc6d86c074

SHA1
92ff89ccbe24615d33ecd88a7bf8882903aaae6b

SHA256
c320ed54bdee9c14eecda5cb420df574ccf5369b20feed3ba8d3459d82a242f0

SHA512
69c371622b81334b0680a91559d9d81e19ee3fc1c96453f18c3b3dfe3fc1e9a897029996b7ed1036b08adf56a793a8c439e1a1857ce2b0ba5143216c2c3c44df

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
573KB

MD5
56884018bda2e24341f5dc1b1e98157b

SHA1
aad85804baf8f82639118357927d88cab89fba09

SHA256
8eb10e7bdb46a11357adb67b828b9aaeb142f45e546b737555983d6fd2339028

SHA512
744d9f37868794278f7e13c54c18cd8e640c0a2b514ed624f052fd63944cdda4682e96972c3925be9cdba91ce0a744d8b66e10a9a172a3fae8401bf88fef9852

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
cef961ad8670151a097b561947983d92

SHA1
4a0cd5df9b89854032235c1a99606546085d9aa6

SHA256
c4ce4f45b313363ec2ced605ab42bcd908e299bb92660121c39b8c20ecd6dbc8

SHA512
c73f45eef5e36d724699d8e6bbf6c7d718f0280f4f15d1d91e8f289cfb396fd3bf55d329fa554576db691efedf131fc86622c3092ce2a33c78267e0c4f2fecea

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
634KB

MD5
4d0a8743ab1655d35b461b88ff063fdd

SHA1
2ac93ddefacade8fc686ed3091d6fdacf4f60554

SHA256
631fdc0e3d3e3c2a95b166d5e8c969b819f0a10ef74d5b41e8356e778e0a2736

SHA512
510f4df7b882625bcb55b6eaeee7dc78c804dd57651ad3f27c50e7d8ef383b8392cc52068e4769a993f36e8b1d4ec66e4a99de0bed8e8ee8d5b11b255c4de532

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
621KB

MD5
003bd242fd976087553cda6c544f04fa

SHA1
848225e789d1cf0e2c47c737ffd356f6d06d663c

SHA256
6ca9d8a5631d9cfb053016eca36184238ddc18ddb252442ee8a8d875b2be4a05

SHA512
407f410aa48a036b2046721ed0965afe7942b29f5564aa937dd00b961984d9ba6865e57e1bd084db3133903239b7330364651cecb060bdf35484580752e942cd

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
510KB

MD5
8e26d00e2d256462e2e0c1972b4596f4

SHA1
7c4cdd7c33304e75b380ea07235f216615a4cbd0

SHA256
b5f523390f179d50fd49786c0a8fbd8606b0c734b7f9294e68434d626c42b8d9

SHA512
5c3177731df265de6ed0f16221a211c3cbc4b6450c1c22354fc8eea7450ee68e3d904e09379a371cf11a211e81787c13030dc05af39b87c51f34bba1ffcd73c4

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
536KB

MD5
292ed00376515d668863240ce15691e7

SHA1
48bdad87a0a521fdc106bc1b5440b515986f517d

SHA256
8dc1cfb1966a2972302b75a501de440b4129048ae788b429f4094c12caeb2d62

SHA512
a2c70f8ec19c2cb4ca05819becd1a6ff5836841c645792850eba52e9e6bbb125055a68f00d63dc57963478d3fd097562b2eff54423bffa25ff9ca59c377ab29a

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1017KB

MD5
bebc695f5ff075191d67569f532a36af

SHA1
dd623151076755a30a850652076a0954276b6b65

SHA256
7d824ff5b595ce0b103257ed0776484b82d98082a63404504ae97f5f5956d3b4

SHA512
bae10354209f24bb652dac640547e2efb63cb445b06ce9975f0c41a35205b3f5365f8ae9e549d957166b5f8efaf8845a106200853f2b7d8b3fcca81d505c041e

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
615e6bf4900b404b2cec026f5f5e13af

SHA1
cff263a02ac20d8c7443f2860e9c8b12ee6d4507

SHA256
728c1a3b5c59b1aaeb9a9758a669a7bc89773bc4bf7c2d98261ca0f790f96da7

SHA512
88fd20b5c46d0d2211b96379e050c1384bbf6e0df092e7f32a93410452973d87e026c2b51a461f09f1175f64f1c8f856981b6643ea1f672a9bbbcb828e99a90c

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
694KB

MD5
ffe317f63e6d5e78470254a7abca0c40

SHA1
fbea9383c27ab41cbcacf4158722f00b44e025e8

SHA256
255f9080dea8782fbe9461fbe7367739cb998867481a71c7b10d90bb7f38d3b9

SHA512
a4dcb78e4b88ab7dd21d190a4a2f23051855000dafa7b8f1e5d82d79977fe1466235faa8f1352684d3bc9507dd871fd5786a974adf74c6d79266910ea3b20eff

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
289e963a337d9a5ffda69d60935ac28a

SHA1
66ca97eccbfb4a9810e9729d06b482f4106e237a

SHA256
64aadc9e573d5d2951e961158b19385611af20b9748c4a4a255800b8fec1ca43

SHA512
7d9f4bdba2a2d6140d0da684c9f0d5615c4290eaf3f1d0644ee2f4d2d52b3381363354c321febc4fd2d3d24c2877a0837d9b51d958610edb4e265de771416dd2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
e67deb20c96f65dba11098615413f635

SHA1
c040487c9d58cf66062d40f00ae8793f66399a29

SHA256
9e814397642bf9124bc0a99c57339541a302719dfa9b8313a08bb5bbb8d23bed

SHA512
bfd48b122d4c6ac1efb4d4786cb392b4cd862db305597e19b08a4da48493892ab2c8584be281daf0814ad12af3d06c49366871535827c3efff3031b65035d563

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
bdb3c4f7702879fd758894ba990bdf59

SHA1
e3beeaedbd1d9ddffdc095f5fc0f887dcb1142de

SHA256
0dd9156778d799ee314dfa5cdf1202fb5d9a04223711df9c27007ad530b279e9

SHA512
16bd975a1a1657483646d86c0e081b3bbfe5739311dfb51e4ecafeb56f2c8e5bf913757f8e8133ce1273777222ba878d4cd99dddbb2e8fcb0015206b1b2cc9cf

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
605KB

MD5
c799ce7d91911d281a0e3beada0b30ec

SHA1
e9d08d403baa28da78725aa7a71937dc44f89a32

SHA256
c319f06baaeb34b37db710de6e3f88ae2dc54165342e96a2ce19e03c1fd75e1b

SHA512
71c4c8ff38dbe7f6ce1e2b50701d2389fbd227b1d0dbbfdc7797dc90934b74a622c7656fbbcc33f5455928c9b203738e62a9f7e5f227347b2e025e4beb1fae6b

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5D9B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP60C6.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP648D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP674B.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6A67.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6D82.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/916-345-0x0000000003160000-0x00000000031A8000-memory.dmp

Filesize
288KB

Download
memory/916-344-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/916-346-0x0000000000770000-0x000000000078A000-memory.dmp

Filesize
104KB

Download
memory/916-339-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/916-365-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/916-355-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/916-354-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/916-347-0x00000000009B0000-0x00000000009CE000-memory.dmp

Filesize
120KB

Download
memory/916-341-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/916-342-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/916-343-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/980-82-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/980-152-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/996-328-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/996-332-0x000000001C540000-0x000000001C55E000-memory.dmp

Filesize
120KB

Download
memory/996-331-0x000000001C520000-0x000000001C53A000-memory.dmp

Filesize
104KB

Download
memory/996-330-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/996-338-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1332-455-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1332-461-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1420-446-0x0000000003120000-0x000000000312E000-memory.dmp

Filesize
56KB

Download
memory/1420-456-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1420-442-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1484-89-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1484-220-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1484-169-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1580-396-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1580-394-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/1580-393-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/1664-298-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-300-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1700-404-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1700-414-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1700-405-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1700-398-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/1700-399-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/1700-400-0x0000000000920000-0x0000000000934000-memory.dmp

Filesize
80KB

Download
memory/1712-175-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1712-181-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1808-302-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-151-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-176-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-317-0x000000001C780000-0x000000001C78E000-memory.dmp

Filesize
56KB

Download
memory/2184-327-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-310-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2184-318-0x000000001C780000-0x000000001C78E000-memory.dmp

Filesize
56KB

Download
memory/2184-311-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2184-313-0x0000000002FF0000-0x0000000003006000-memory.dmp

Filesize
88KB

Download
memory/2184-312-0x0000000002FA0000-0x0000000002FE8000-memory.dmp

Filesize
288KB

Download
memory/2196-1-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2196-2-0x0000000001000000-0x00000000011B0000-memory.dmp

Filesize
1.7MB

Download
memory/2196-0-0x0000000001000000-0x00000000011B0000-memory.dmp

Filesize
1.7MB

Download
memory/2316-375-0x0000000003260000-0x0000000003276000-memory.dmp

Filesize
88KB

Download
memory/2316-383-0x000000001C7D0000-0x000000001C7DC000-memory.dmp

Filesize
48KB

Download
memory/2316-376-0x0000000003280000-0x00000000032C8000-memory.dmp

Filesize
288KB

Download
memory/2316-373-0x0000000003240000-0x000000000324C000-memory.dmp

Filesize
48KB

Download
memory/2316-392-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2316-382-0x000000001C7D0000-0x000000001C7DC000-memory.dmp

Filesize
48KB

Download
memory/2316-377-0x00000000032D0000-0x00000000032EA000-memory.dmp

Filesize
104KB

Download
memory/2316-378-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/2316-372-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2316-374-0x0000000003250000-0x000000000325E000-memory.dmp

Filesize
56KB

Download
memory/2384-421-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download
memory/2384-426-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2384-427-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2384-437-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2384-422-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2432-308-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2432-306-0x0000000002FF0000-0x0000000003006000-memory.dmp

Filesize
88KB

Download
memory/2432-303-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2432-304-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2432-305-0x0000000000820000-0x0000000000868000-memory.dmp

Filesize
288KB

Download
memory/2484-21-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2484-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2484-54-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2656-46-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2792-149-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2792-58-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/2792-57-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2800-438-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/2800-436-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2800-439-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2832-464-0x0000000003040000-0x0000000003056000-memory.dmp

Filesize
88KB

Download
memory/2860-297-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2860-295-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2904-419-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2904-417-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/2904-415-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2904-416-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/2948-63-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2948-36-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2948-35-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/3032-366-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/3032-368-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3032-364-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3032-370-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download