expiro | 7a2f7b0ea747b6d3d8aff4cd3ffc73f1b96eb177b54c97528dfafa72a71a2941

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
Size

635KB
MD5

6ca5505f322f8c6759c5e891d2bd3ec2
SHA1

0fe3f7104b39f4ba8d83cc061b6a72daa6600e55
SHA256

7a2f7b0ea747b6d3d8aff4cd3ffc73f1b96eb177b54c97528dfafa72a71a2941
SHA512

177a63d3b74add8b5be5428dc16bbfeb267ac3199f489745c1cb2a928402c0407c543a6afb07c1eb936ce1c96bef9b279144a0954f4a7c9ee6d38698384d8263
SSDEEP

12288:7fjA+bhgvqBsC9SMNako58dEZNeaf9CuAhdX/nomc2zmEGTaQ:TXyusC9SYvo5xG7iVTa

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2248-2-0x0000000001000000-0x00000000011CB000-memory.dmp	family_expiro1
behavioral1/memory/2264-54-0x0000000010000000-0x00000000101B7000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
2264	mscorsvw.exe
472	Process not Found
2172	mscorsvw.exe
2632	mscorsvw.exe
1884	mscorsvw.exe
1440	elevation_service.exe
580	IEEtwCollector.exe
2988	mscorsvw.exe
2316	mscorsvw.exe
2736	mscorsvw.exe
1008	mscorsvw.exe
1836	mscorsvw.exe
2816	mscorsvw.exe
1972	mscorsvw.exe
2420	mscorsvw.exe
1992	mscorsvw.exe
1880	mscorsvw.exe
892	mscorsvw.exe
2492	mscorsvw.exe
2824	mscorsvw.exe
2872	mscorsvw.exe
2568	mscorsvw.exe
2264	mscorsvw.exe
2884	mscorsvw.exe
2936	mscorsvw.exe
2880	mscorsvw.exe
2856	mscorsvw.exe
2852	mscorsvw.exe
2036	mscorsvw.exe
2996	mscorsvw.exe
1068	mscorsvw.exe
2080	mscorsvw.exe
2524	mscorsvw.exe
904	mscorsvw.exe
684	mscorsvw.exe
2324	mscorsvw.exe
2112	mscorsvw.exe
2236	mscorsvw.exe
1476	mscorsvw.exe
1668	mscorsvw.exe
1800	mscorsvw.exe
2240	mscorsvw.exe
1732	mscorsvw.exe
1316	mscorsvw.exe
1780	mscorsvw.exe
2316	mscorsvw.exe
2444	mscorsvw.exe
1704	mscorsvw.exe
2452	mscorsvw.exe
2504	mscorsvw.exe
2692	mscorsvw.exe
704	mscorsvw.exe
3064	mscorsvw.exe
3036	mscorsvw.exe
2760	mscorsvw.exe
2264	mscorsvw.exe
2604	mscorsvw.exe
2920	mscorsvw.exe
3040	mscorsvw.exe
2608	mscorsvw.exe
1800	mscorsvw.exe
1636	mscorsvw.exe
1568	mscorsvw.exe
2736	mscorsvw.exe

Loads dropped DLL 52 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
1972	mscorsvw.exe
1972	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
2568	mscorsvw.exe
2568	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
2880	mscorsvw.exe
2880	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2996	mscorsvw.exe
2996	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
904	mscorsvw.exe
904	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
2240	mscorsvw.exe
2240	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
2692	mscorsvw.exe
2692	mscorsvw.exe
3064	mscorsvw.exe
3064	mscorsvw.exe
2456	mscorsvw.exe
2456	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3551809350-4263495960-1443967649-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3551809350-4263495960-1443967649-1000	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\X:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\K:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\U:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\P:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\V:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\O:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\W:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\T:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\J:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\M:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\N:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\S:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\ui0detect.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\vds.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\7-Zip\7zG.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Internet Explorer\ielowutil.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEA20.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP146B.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2848.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9F8A.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA709.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC726.tmp\stdole.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP92AE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB51C.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB7CB.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2248	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe

Suspicious use of SetWindowsHookAW 1 IoCs

pid	Process
2248	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2988	1884	mscorsvw.exe	38
PID 1884 wrote to memory of 2988	1884	mscorsvw.exe	38
PID 1884 wrote to memory of 2988	1884	mscorsvw.exe	38
PID 1884 wrote to memory of 2316	1884	mscorsvw.exe	39
PID 1884 wrote to memory of 2316	1884	mscorsvw.exe	39
PID 1884 wrote to memory of 2316	1884	mscorsvw.exe	39
PID 1884 wrote to memory of 2736	1884	mscorsvw.exe	40
PID 1884 wrote to memory of 2736	1884	mscorsvw.exe	40
PID 1884 wrote to memory of 2736	1884	mscorsvw.exe	40
PID 1884 wrote to memory of 1008	1884	mscorsvw.exe	41
PID 1884 wrote to memory of 1008	1884	mscorsvw.exe	41
PID 1884 wrote to memory of 1008	1884	mscorsvw.exe	41
PID 1884 wrote to memory of 1836	1884	mscorsvw.exe	42
PID 1884 wrote to memory of 1836	1884	mscorsvw.exe	42
PID 1884 wrote to memory of 1836	1884	mscorsvw.exe	42
PID 1884 wrote to memory of 2816	1884	mscorsvw.exe	43
PID 1884 wrote to memory of 2816	1884	mscorsvw.exe	43
PID 1884 wrote to memory of 2816	1884	mscorsvw.exe	43
PID 1884 wrote to memory of 1972	1884	mscorsvw.exe	44
PID 1884 wrote to memory of 1972	1884	mscorsvw.exe	44
PID 1884 wrote to memory of 1972	1884	mscorsvw.exe	44
PID 1884 wrote to memory of 2420	1884	mscorsvw.exe	45
PID 1884 wrote to memory of 2420	1884	mscorsvw.exe	45
PID 1884 wrote to memory of 2420	1884	mscorsvw.exe	45
PID 1884 wrote to memory of 1992	1884	mscorsvw.exe	46
PID 1884 wrote to memory of 1992	1884	mscorsvw.exe	46
PID 1884 wrote to memory of 1992	1884	mscorsvw.exe	46
PID 1884 wrote to memory of 1880	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 1880	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 1880	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 892	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 892	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 892	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 2492	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 2492	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 2492	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 2824	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 2824	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 2824	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 2872	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2872	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2872	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2568	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2568	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2568	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2264	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2264	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2264	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2884	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2884	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2884	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2936	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 2936	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 2936	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 2880	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 2880	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 2880	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 2856	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 2856	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 2856	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 2852	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 2852	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 2852	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 2036	1884	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
PID:2248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2264

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 20c -NGENProcess 1c8 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 25c -NGENProcess 16c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 260 -NGENProcess 110 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 234 -NGENProcess 15c -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 268 -NGENProcess 264 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 15c -NGENProcess 264 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 274 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 210 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 25c -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 210 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a0 -NGENProcess 164 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 164 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 2a8 -NGENProcess 210 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 210 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 15c -NGENProcess 2c0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 2e0 -NGENProcess 268 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 268 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 300 -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 31c -NGENProcess 2c8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2c8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2c8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f4 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2c8 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 340 -NGENProcess 33c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 330 -NGENProcess 2c8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 348 -NGENProcess 338 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 33c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 338 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2c8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 338 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 33c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2c8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 338 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 33c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 33c -NGENProcess 368 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 378 -NGENProcess 338 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 338 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 338 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 368 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 338 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 368 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 338 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 374 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 368 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 338 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3a4 -NGENProcess 338 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 368 -NGENProcess 3b4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3bc -NGENProcess 374 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 338 -Pipe 110 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3b4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 374 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 338 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3b4 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 374 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 338 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3b4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 374 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 338 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 338 -NGENProcess 3dc -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 3ec -NGENProcess 374 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3e4 -NGENProcess 3f0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e0 -NGENProcess 374 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 374 -NGENProcess 3d8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f4 -NGENProcess 374 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 410 -NGENProcess 3dc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 40c -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 374 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3dc -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 40c -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 374 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3dc -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:1340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
640KB

MD5
749bcd0228bfc359c4c335d1df317d36

SHA1
4a3bf245a3b9035c21ae4b5d50de2f08060b3fe8

SHA256
6d6c806efcd770184802fa42f6fb16c7223d5f92de4965273c1757442c3b08fb

SHA512
02bffc40095d7a19eba66eb2d0595ad0c00e96a7852eeed22a623e717b419a75fcb42c9eb7427e5b4b7b9e5af6be14034aa9ee6805b31104d79c25fd3a458fbc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
b3e47d63992f5284fe41626117cc1140

SHA1
0ff1ae99d3aae224eb26526e09b1f19e8f3cc8f9

SHA256
3615d739e428ecb66d6e84ecc548a3418de6d047848685f0cad0fc0e02306c43

SHA512
ee25657620d4a9fa461095d6e9bd8879666fd957b528437e354fd65415bfb4aff43fd89bb6d1ccbeb3b0a5cbe9f457999a5334b4cd95388952f3bd773eeb4a9c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
5251f2f7eee03e7975816b3998086924

SHA1
758b11fd26958a34f918cb60b29a891985d0915f

SHA256
5442e3000a43c9b92f27a1e10ac5164e7dce11c0dada97c839bb3aafac2d180e

SHA512
5011f82a06de67f6d0788f77c958efdc16a05d735d6ae10d83889f139a782690657dbfcc4e94612454feb35fa390a58e9ac2c780a9bea219fe62b71460066e17

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
fe57382d585c776515e04df1ebe0ca1c

SHA1
9aaec584de594fc6da9fac68defbfb6f68bee776

SHA256
201512442c52f14ea3631718fe58663a7d3964487ef961b3eba903465ef600d3

SHA512
58b847cb5be0c65222a9770fef87c5c75e4367c5788d8701cbd6c772b0e273f4aaca59b2b63d2e0d20d4d957a4437272a7fa1666f1c2c9b2b00125d0b8d0ef32

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
bacf214d659ff3829b9091a960302318

SHA1
ba87ebf333e5214ff61636049768f037bcf89dc8

SHA256
563caf5473bd52d8e1243d71f6bddd49ee2745dd9e1abe7213d40b5b0015b514

SHA512
f1cd6eeb4688f5da4a6d902bfb8cb91e52ab7f551043bb5dc10c73004207b0aa01df08bb5c3d8d778cce8c4e088c59e22b2947bb897628e6cd1e14e04e2047ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
73bd846b46d7334f45718ccec890a797

SHA1
d3a3dbd6dd9e95fa15c060ea9695c46d95f2a732

SHA256
b9e42efddb1f4ce8597a010eaf8045ef7633ae54b07fdec7d8466c63286799a0

SHA512
fa4d89e81ec6bed8cbe095c19c4abed84185c79d25c625bad6632a4b7300755876331115cea8d903bd22b9f165e7fe72d305003b6446d7ec9685d9b714e87a55

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
5a72606fec17bb0921d15cc86fb525d1

SHA1
c1b99975041e228834e5bd21a097705e52fb58ee

SHA256
0a27e9483680bdf0ef4e1ade1c1061080a5be5bdea2075fff40769a82cc6474f

SHA512
e9459a62f19a410f644c05a844e7fa05a059f6ffe3ccbc2ea718d693bb2c92977e1cfab209c31310e068b622b1e45769b62856920a3f7d6343e18a473a953e3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
771994981beeb6c490ae4a76036aa26b

SHA1
76adeeadccbf1399f8a031e4d1dfa90ab953b67f

SHA256
1d51189d1e7f343c7eca234ab99f60f1e6ce501eacd4455b61f1694793d84a26

SHA512
6d38f10e84ddbdc178de256854a671fafb5d1d832693545da9f34108f850e78d70ed49edcbb2130eaf194a98fe860ba9c56a633585871c0f974bf7907ccf79dd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
559KB

MD5
0871cc4394a28b58e49a298c1b3c39e5

SHA1
37405fbb9f612d20da3b45e9790b785037a86dd2

SHA256
632216c6dd422df3c17e667f5033db950f85ec7e1c9ab5ff2e4717f2e479e5ae

SHA512
7128449e5c05e5ed0572450bc840f27d4a3398d3781ffa1a6dd060d42d6323436a07904e1d691c35d4026050efd434dd47296fd918418c328dc18cab631feb30

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4f7b9742c87c7e078d5258c2c7a38e6b

SHA1
ac42c5e4b78ded9498f4a6382b1bd71e6ce6a153

SHA256
733e8069e5a4fd56f6487cf251448b8fb145106ffd4ae2f3683c9983401db6da

SHA512
f4206c1c30c468f568386f9ddf532a6d1a7fe2ace71f730b11ac340284ee1ffac437c71dd91533e7689f52cc5d9ab3df30600687de8f9b125b7378e7fb86ef62

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
590KB

MD5
9762333acebd9eb9f10a9566725d1a96

SHA1
0d816c3a86d444f15a493d66944a1505c4f33881

SHA256
9072f9928bffab6f9bc054ea6b5d6ec7f2e849d0198ff453c5dadaf7cbb19f1d

SHA512
55e30c2653973c2df8e7ce555a957a4a0c71161317a9ba7fdb74d8b12e61bb1cc842211307bfb31fa141e02ba61ffd687936e9818da6429c2eab08cc52ebdfa5

Download Submit
C:\Windows\Temp\Cab1297.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1538.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\25912a9eb39c8e09392f82d2b74dd297\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
4338bd1afcddca3c608e46fccaee5066

SHA1
a60931093691a7c9dc52efa830f3be62c8916a73

SHA256
b51a147ee4f56cda02a1d30b09ba8a98eff969f8134ccce6332aa46e03927236

SHA512
b607ec5ca102848d793abeba0fcd20a4238b78e269a8740d7bd7fb47ea6f52f91c4c7d623bc95d15bfda642e7318f4e656ad1bd159bdf01b1188ebac852ade43

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\652c94ff5a03f42836b304afd8bb6ed8\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
b630f67a6019751099d04b153a419ed2

SHA1
1c504d2df1bd3beddf0f16de371a5f59088da76a

SHA256
7fac31aa94b1d37284c1144b95f898d8de4bd1ca8937a381fd901fa7823bb4fb

SHA512
fe76aa17a42eb3fa572165f17e2fb4a24e7e5c4b2792d0dc3e6b40596435dddd91002800a0113640dd5a327383f2bbfc96dfeb9c074e614639b2af473649a8eb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6bda743a12cf17f978ae077cfdc8206b\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
c77064c8f1f0cdb2fd9150e81711296c

SHA1
62bd35b5724cf8364f8f39d1a695687b8d5cdd6e

SHA256
0e9fa4e7929bebb05432f0fff0db5cb1e7ce01f3ef14e0bbe5d5b9715f780399

SHA512
4285a04a9b1c02bbc1917db0f8fbeff7485042fb264dfa1f1b87fc1508425dcbfec68cb8b819a6103f60e48a709e2c6c02e0d8e7ab6286c2844e30961e8a2a08

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\93c6853912d4c3922fd3a1c34179acbc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
b19963257a4ff13619c20d72d2c19a54

SHA1
aa45d958b81671f467f53bea99749e8afb765d22

SHA256
4c9fc7423f78fc1922165389d7e81d7872683ac21ef343fdd770894b428c9e66

SHA512
4571218165b74bebacdce2acfbf8ef169be45726d9dd562cc91e3d5af3cf7391357d9393231f740bf4c7147166033b24e1b4ed021092952c5c088620722b12cd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
640KB

MD5
24cf8d305a395d67650e43b805f8e97c

SHA1
5c27b41f7e317c112e00f451079be2b974e160cf

SHA256
6c9c837868b4f1d25ecc82a075081012adbc21851582540d8a99fc54cbdd3a81

SHA512
748281d41d6c8778ac60e8efe35e647b9c849c4e09b38cc578f72d0aff42974d057c38ab26eb987b8acc2ce6c835e51b36e1ebcc4590bc9474f13b7bc2f9767f

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
ff88823f8f02175ceb1df3608df31f49

SHA1
5572b7f3bef1f4934dfa6e59b6f844f8f37ee20a

SHA256
c9cdf9d716e3fdcac95ec658a8675f89bd52beecbc79d05a686b186e70196bcc

SHA512
a4727ed15fd0a1b2e7e382ec51b6603e566d9e0e3a31f3e95ac146f3e33845cfd2afac749bb9790d0f98a01897d9c744b58d7c0be862ad06243383ebe4a164e6

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
715KB

MD5
dc8074caa8839e8dd265673ebc41d47e

SHA1
d0c7baa302ef3e07b64fec59f9d5d1cec583b7fe

SHA256
f7126619bcf0a38a1ab6cba32b72ba27b68d4a774ba50a94c86946a7e41a0658

SHA512
a30a4348078e92610e30b522134cff5a1a91ef2502dfe5be47d704d41b3c17192c0fb19d302f7e3bcfb0dbf0e24e7f359d73200257030a4021b406f6c2ebbfdd

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
624KB

MD5
5cd6428e0b57d7a23e9dc5abc96c3690

SHA1
8d64f68870b50466bfc73114af1e4f95b6e48bcd

SHA256
4d0f93ac264c79fe531e7b88d719cde4c8235c662f714cd5fbe6e88285c4ab6f

SHA512
4fa4f0fdb85371579fd53606a90263831c9dc6cca07f7fcc26c37d318bc39a0782575e8931cc09026ed248c1f389f462fbc2b73178558e12b68eac9254e94390

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
536KB

MD5
4777712a626a4d78e5e72e5e7c2cb10b

SHA1
87dcfcd9e1282f4b8c6bdbe0d17ce72848f5488b

SHA256
b5d18d6541e303c573da08cf55e9a7435fb487f0a849c126e312e22a89cf5c0d

SHA512
ced82d34607c0c6135e4e78f831cb21e2c2ccad6e4d66b7c4c7aac922aebaaeca951a6b3845dfa0f392f641be97e9d4011a52cd333edfcdcdd81e9d741bf1d48

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
577KB

MD5
0b10a40db5d05efb7671a68ea5d271e9

SHA1
eec97f63e3eda4a45f351f41dfb6e3023f9d1bd1

SHA256
dc1aad76cc2cc2d5f37ce90fad1d05f601b15ad36ce87167b7fa630d5436256f

SHA512
53c36e1a930358af619b4e4ec570aa9e4087d893bcc97ca99d516c7f5764bc41b9d113e7468a9c7c6bfb24b9c29c0971b547f4e08beaba22de5f0c102d165de3

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
6bcc091e113ef96b06621d233f2e1cbe

SHA1
d6b216123e42015ffa93469439844fc6c8a7b3e3

SHA256
bd26d55d0bffdc7a0160be295fb842ed2937da50e28b87427b0b262ee2244484

SHA512
9eb2f2212df3ee8651982746ad1c6dd9feec0cf6204430a4552d333a9b4d48cfb57f9348c52bc7d803953e900f025ed38f5d8a3f3c9e9e3a3abbf61602335aa8

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
638KB

MD5
006042bb47d4dd7dab066cf302e2ce92

SHA1
8f12b456401dbf72337d989cc7938e5bc9189b34

SHA256
003c3184e97e31b2cfffe0be7c3f3be8a06c7c9c863309b907e252a041f7c34c

SHA512
a2cf5c8064d489e8fa14be63061bd375595319a527d4300ea6d5b502b66970c97ce855b895391c4a7612c97354cbe95f3e0cc9b05a9d44636ad2085478a2a78f

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
625KB

MD5
c7aae43a1b2569c93f224fcb70214c1b

SHA1
1cedf670db869dd2bd19ba091b6e09907a85e6e9

SHA256
07aa68aa5bbd77674a41a230958e9a066ba677dff67ce5d5216052914f79820f

SHA512
33438950655784de14af47513bbeae4d8bf83a5a5252adbaa719bc2e6861a75c00741ecf927b1d619c799b93b180c042691e0546ab0ac2fd34c10be249fde9b7

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
514KB

MD5
cfe0dc37638a8736203a49e4dc843b13

SHA1
97d9c28259350be998c85d2601dfcce334817489

SHA256
a926e40bc218abb8a4be8ff008fa3d42f13ae76d7a84a4d2a4a2f11f236777db

SHA512
8a4120f63ddb209174b1cc83fe8e073216b07b88c35de0d7864f7a661ad92ac738e5fea8fc568a8c98aee0d9108641f46e4736cf18ce880f1bdc3f18e0a794fb

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
540KB

MD5
b33831f6c01aa62aadaab83135821688

SHA1
71be54043b20f39025ccc6bc349ce19a4db2ed6a

SHA256
2b8dbd76a5a6052c5e6fdefd962dc503c591baa75bbf55ba5e720a600a7e57bb

SHA512
029d3a78fc17de4ec452a41cf6fba5cdf89dc1560e437e86af2d8868b60ee02fd543b3dd902faf503ca200ab673cd8be5d16e5d6d6415d07503f9c6b032285c6

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1021KB

MD5
13dcc5fab9fb635eb9c9bf6dba2c8e27

SHA1
9b98c1869f8dbdfa0aa1fdcd5f67d960abb56469

SHA256
7735448059da79f3ecab902900aa97fb2684b5b53c2f61bd71589162cdb48b8b

SHA512
c5b1e39382cd2b9b84cf24b7f708c92e031d05ae0e6669c0446f443133d4dada63251a2ac5efb67981b1a84ce7e2f6f64dc07b8fbeb017d3704f08862204fe62

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
2b3579448a1c42a82910d72789c3fdd3

SHA1
a6854de6cb89b50c30d7d6deca99271b62338bac

SHA256
bbbf000a7611f17e738c6f6e00797dc84d744a347ab88db7f9c7f0632170a6b9

SHA512
26e87993d37b19bffc9d1edd6cb86377605b1cd3bb3bf252f428577dd7b09f234e961ac2905ba46a6bc31b3e5092f301bec34f041bce78fa83e684c1b9e7d41e

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
698KB

MD5
d9b0154320e42194e1100ef0848b6775

SHA1
5d35cfca0806b089e7970b6b65a9d7016544ab0c

SHA256
bb0fd907e470d389417b6a0c87a0ffb862f266041a6959f168d1cd8e50b8d0f2

SHA512
090b6746c49f3e106262a3dbedc35114219f3032a61c0090cf2985aaf64be138e36ea61a4b3761ede70a5ab6e69a7e1f8ae28385f432f639196803da5141dd95

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
b3936f9a6e3256aa2f3cc6db826325a4

SHA1
cdb03c6b178adcd77a43413767aeca9155034e29

SHA256
00e9251a8bb4a760ddaf46826b0a2ae7d0ae07640e5bb99ff0c3b9702d16fabc

SHA512
a520a0345ead240f22d0ea2c0de2849a6845c7ad147039de9dbebc1d42b274e59e259e47f7e4900bc24888e57563edaacf192bb9b610ede606d4940dd37867c6

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
79fad45561718ce60c1220b7c3a8c1a7

SHA1
9b8b04ac8984ff9577982a5de02bf84cfa2cad76

SHA256
65bfd9f38baa3a862a4a0fa587768f3a52214bbbc071b06aadc8a24477c27517

SHA512
5c144fb125c2169e8b86b3b040e24d7a4ae7d6b1424da41bbbe3ece53ced83956eb87f0d0d861220b6776e5d65165582a28d7f5cb6d5f03eef122071067af836

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
609KB

MD5
d345cb4b634086cc0c1a5b10f88f7d97

SHA1
96ac5bcdbab3d2ac421c330863c1b9acfd75fd41

SHA256
dbeddbdb7c24eb1c5d7afa746d7eda66926f2fd86dc5eb4cff90c2e25ec5ed6b

SHA512
4c90830438297251fe463e77b0494bcb5e61ea01f7d6b94fdd47d414a594f742109561357e85421ff92846ff9d1e3a64e42e462ad40429c19705cdd63547b718

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8B5E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8EB8.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP92AE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9618.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9953.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9CDB.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/580-89-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/580-173-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/580-224-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/892-390-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/892-381-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/892-380-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/892-376-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/892-375-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/892-374-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/1008-303-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1008-300-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1440-164-0x0000000140000000-0x0000000140371000-memory.dmp

Filesize
3.4MB

Download
memory/1440-82-0x0000000140000000-0x0000000140371000-memory.dmp

Filesize
3.4MB

Download
memory/1836-306-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1880-372-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1880-368-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1880-370-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/1884-58-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/1884-150-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1884-57-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1972-332-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1972-321-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1972-322-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1972-316-0x0000000002FA0000-0x0000000002FE8000-memory.dmp

Filesize
288KB

Download
memory/1972-317-0x0000000002FF0000-0x0000000003006000-memory.dmp

Filesize
88KB

Download
memory/1972-315-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/1972-314-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/1992-344-0x0000000002FF0000-0x0000000003038000-memory.dmp

Filesize
288KB

Download
memory/1992-358-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/1992-367-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1992-357-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/1992-346-0x000000001CA00000-0x000000001CA1E000-memory.dmp

Filesize
120KB

Download
memory/1992-341-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/1992-342-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/1992-343-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/1992-345-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/2172-35-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2172-63-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2172-42-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2248-0-0x0000000001000000-0x00000000011CB000-memory.dmp

Filesize
1.8MB

Download
memory/2248-1-0x0000000001008000-0x0000000001009000-memory.dmp

Filesize
4KB

Download
memory/2248-2-0x0000000001000000-0x00000000011CB000-memory.dmp

Filesize
1.8MB

Download
memory/2264-441-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2264-439-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2264-438-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2264-54-0x0000000010000000-0x00000000101B7000-memory.dmp

Filesize
1.7MB

Download
memory/2264-21-0x0000000010000000-0x00000000101B7000-memory.dmp

Filesize
1.7MB

Download
memory/2264-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2316-181-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2316-175-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2420-335-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/2420-339-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2420-331-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2420-337-0x0000000003050000-0x000000000306E000-memory.dmp

Filesize
120KB

Download
memory/2420-336-0x0000000003030000-0x000000000304A000-memory.dmp

Filesize
104KB

Download
memory/2420-333-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/2492-395-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2492-393-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/2492-392-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2492-391-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2568-423-0x0000000003050000-0x0000000003066000-memory.dmp

Filesize
88KB

Download
memory/2568-428-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2568-427-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2568-437-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2568-422-0x0000000003030000-0x000000000304A000-memory.dmp

Filesize
104KB

Download
memory/2632-46-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2736-301-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2816-308-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2816-312-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2816-305-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2816-307-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2816-309-0x0000000000710000-0x0000000000758000-memory.dmp

Filesize
288KB

Download
memory/2816-310-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/2824-405-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2824-399-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2824-406-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2824-398-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2824-396-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2824-401-0x000000001C550000-0x000000001C564000-memory.dmp

Filesize
80KB

Download
memory/2824-400-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/2824-416-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2856-475-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2872-420-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2872-417-0x000000001C140000-0x000000001C15A000-memory.dmp

Filesize
104KB

Download
memory/2872-418-0x000000001C470000-0x000000001C486000-memory.dmp

Filesize
88KB

Download
memory/2872-415-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2880-466-0x000000001C520000-0x000000001C536000-memory.dmp

Filesize
88KB

Download
memory/2880-467-0x000000001C520000-0x000000001C536000-memory.dmp

Filesize
88KB

Download
memory/2884-444-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/2884-448-0x0000000002FE0000-0x0000000002FEE000-memory.dmp

Filesize
56KB

Download
memory/2884-458-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2884-442-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2936-457-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2936-459-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2988-151-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2988-180-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download