expiro | 5919b3301c691a4f85cd72e1bff979c6bff321e3b3a34ef960ec732ad13c5492

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/01/2025, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
Size

628KB
MD5

6eac0c2f52faa502f81dc57a054bb460
SHA1

7df9b2a9b86a77e805c47d74ccb9aed6a800ba7a
SHA256

5919b3301c691a4f85cd72e1bff979c6bff321e3b3a34ef960ec732ad13c5492
SHA512

db04a7d36ae782e78e45b57da7c8167bd08962ddb1b7a69c410cf8d62a73d78716f14dfeccc0f4c66cc363cfd6a23120a4e87eb91027f2ab3facab815a7271f9
SSDEEP

12288:HWph2x7BblnwG8zSv+9v/+4+/4900eLuRalXMj2QGSSNwROFVfciggimlhrkhml:HWX29bnwGoH/+4MD0eLuYlZQGSS2ROF7

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2112-23-0x0000000001000000-0x000000000125B000-memory.dmp	family_expiro1
behavioral1/memory/2732-85-0x0000000010000000-0x0000000010258000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2732	mscorsvw.exe
480	Process not Found
2728	mscorsvw.exe
2236	mscorsvw.exe
1756	mscorsvw.exe
2520	elevation_service.exe
1772	IEEtwCollector.exe
936	mscorsvw.exe
1664	mscorsvw.exe
920	mscorsvw.exe
2120	mscorsvw.exe
2056	mscorsvw.exe
2284	mscorsvw.exe
1600	mscorsvw.exe
2328	mscorsvw.exe
2768	mscorsvw.exe
3068	mscorsvw.exe
2388	mscorsvw.exe
2928	mscorsvw.exe
1312	mscorsvw.exe
864	mscorsvw.exe
1472	mscorsvw.exe
2156	mscorsvw.exe
1636	mscorsvw.exe
1560	mscorsvw.exe
1188	mscorsvw.exe
1664	mscorsvw.exe
2284	mscorsvw.exe
2292	mscorsvw.exe
2696	mscorsvw.exe
1680	mscorsvw.exe
2660	mscorsvw.exe
2684	mscorsvw.exe
2016	mscorsvw.exe
2776	mscorsvw.exe
2312	mscorsvw.exe
1708	mscorsvw.exe
2444	mscorsvw.exe
1940	mscorsvw.exe
1128	mscorsvw.exe
1700	mscorsvw.exe
860	mscorsvw.exe
1596	mscorsvw.exe
2916	mscorsvw.exe
320	mscorsvw.exe
2672	mscorsvw.exe
2168	mscorsvw.exe
2404	mscorsvw.exe
2408	mscorsvw.exe
2792	mscorsvw.exe
2848	mscorsvw.exe
856	mscorsvw.exe
1868	mscorsvw.exe
532	mscorsvw.exe
1984	mscorsvw.exe
1788	mscorsvw.exe
2428	mscorsvw.exe
900	mscorsvw.exe
2296	mscorsvw.exe
1600	mscorsvw.exe
804	mscorsvw.exe
2764	mscorsvw.exe
2308	mscorsvw.exe
2480	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1600	mscorsvw.exe
1600	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
1312	mscorsvw.exe
1312	mscorsvw.exe
1472	mscorsvw.exe
1472	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
1188	mscorsvw.exe
1188	mscorsvw.exe
2284	mscorsvw.exe
2284	mscorsvw.exe
2696	mscorsvw.exe
2696	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
1128	mscorsvw.exe
1128	mscorsvw.exe
860	mscorsvw.exe
860	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2792	mscorsvw.exe
2792	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
1868	mscorsvw.exe
1868	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2292	mscorsvw.exe
2292	mscorsvw.exe
2648	mscorsvw.exe
2648	mscorsvw.exe
316	mscorsvw.exe
316	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
1772	mscorsvw.exe
1772	mscorsvw.exe
2680	mscorsvw.exe
2680	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\I:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\P:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\S:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\N:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\M:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\O:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\R:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\G:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\H:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\J:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\T:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\V:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\W:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\E:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\L:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\K:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\X:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\gnokkhbg.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File created	\??\c:\windows\SysWOW64\acbfnhcn.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\fmmhncdo.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\SysWOW64\deanbfbp.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\moiidloh.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\fkkoqone.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\gaboelki.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\lmhmofih.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\fblgdohd.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\SysWOW64\jfphqale.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\idngegnj.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\wbem\pldjmpkl.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\bfaehkap.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\epgjkaff.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	elevation_service.exe
File created	\??\c:\windows\system32\gdgaohql.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\klcpglpb.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\gmoggjie.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\odhlcpkf.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Internet Explorer\ildcagbf.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\DVD Maker\knqknjlo.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\7-Zip\nnknaeep.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dgilkpmn.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\program files (x86)\microsoft office\office14\lmlmjaal.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gkjggimm.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\program files\windows media player\bcjebfnf.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\klonohhl.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\llopmkim.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kfefgkli.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\cpkcoelj.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E1E.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP79E1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\lkoiopnh.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6BCD.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index160.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index162.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index165.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBD3.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index162.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index165.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\joglabkp.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCEF3.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP290.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2112	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2520	elevation_service.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 936	1756	mscorsvw.exe	38
PID 1756 wrote to memory of 936	1756	mscorsvw.exe	38
PID 1756 wrote to memory of 936	1756	mscorsvw.exe	38
PID 1756 wrote to memory of 1664	1756	mscorsvw.exe	39
PID 1756 wrote to memory of 1664	1756	mscorsvw.exe	39
PID 1756 wrote to memory of 1664	1756	mscorsvw.exe	39
PID 1756 wrote to memory of 920	1756	mscorsvw.exe	41
PID 1756 wrote to memory of 920	1756	mscorsvw.exe	41
PID 1756 wrote to memory of 920	1756	mscorsvw.exe	41
PID 1756 wrote to memory of 2120	1756	mscorsvw.exe	42
PID 1756 wrote to memory of 2120	1756	mscorsvw.exe	42
PID 1756 wrote to memory of 2120	1756	mscorsvw.exe	42
PID 1756 wrote to memory of 2056	1756	mscorsvw.exe	43
PID 1756 wrote to memory of 2056	1756	mscorsvw.exe	43
PID 1756 wrote to memory of 2056	1756	mscorsvw.exe	43
PID 1756 wrote to memory of 2284	1756	mscorsvw.exe	44
PID 1756 wrote to memory of 2284	1756	mscorsvw.exe	44
PID 1756 wrote to memory of 2284	1756	mscorsvw.exe	44
PID 1756 wrote to memory of 1600	1756	mscorsvw.exe	45
PID 1756 wrote to memory of 1600	1756	mscorsvw.exe	45
PID 1756 wrote to memory of 1600	1756	mscorsvw.exe	45
PID 1756 wrote to memory of 2328	1756	mscorsvw.exe	46
PID 1756 wrote to memory of 2328	1756	mscorsvw.exe	46
PID 1756 wrote to memory of 2328	1756	mscorsvw.exe	46
PID 1756 wrote to memory of 2768	1756	mscorsvw.exe	47
PID 1756 wrote to memory of 2768	1756	mscorsvw.exe	47
PID 1756 wrote to memory of 2768	1756	mscorsvw.exe	47
PID 1756 wrote to memory of 3068	1756	mscorsvw.exe	48
PID 1756 wrote to memory of 3068	1756	mscorsvw.exe	48
PID 1756 wrote to memory of 3068	1756	mscorsvw.exe	48
PID 1756 wrote to memory of 2388	1756	mscorsvw.exe	49
PID 1756 wrote to memory of 2388	1756	mscorsvw.exe	49
PID 1756 wrote to memory of 2388	1756	mscorsvw.exe	49
PID 1756 wrote to memory of 2928	1756	mscorsvw.exe	50
PID 1756 wrote to memory of 2928	1756	mscorsvw.exe	50
PID 1756 wrote to memory of 2928	1756	mscorsvw.exe	50
PID 1756 wrote to memory of 1312	1756	mscorsvw.exe	51
PID 1756 wrote to memory of 1312	1756	mscorsvw.exe	51
PID 1756 wrote to memory of 1312	1756	mscorsvw.exe	51
PID 1756 wrote to memory of 864	1756	mscorsvw.exe	52
PID 1756 wrote to memory of 864	1756	mscorsvw.exe	52
PID 1756 wrote to memory of 864	1756	mscorsvw.exe	52
PID 1756 wrote to memory of 1472	1756	mscorsvw.exe	53
PID 1756 wrote to memory of 1472	1756	mscorsvw.exe	53
PID 1756 wrote to memory of 1472	1756	mscorsvw.exe	53
PID 1756 wrote to memory of 2156	1756	mscorsvw.exe	54
PID 1756 wrote to memory of 2156	1756	mscorsvw.exe	54
PID 1756 wrote to memory of 2156	1756	mscorsvw.exe	54
PID 1756 wrote to memory of 1636	1756	mscorsvw.exe	55
PID 1756 wrote to memory of 1636	1756	mscorsvw.exe	55
PID 1756 wrote to memory of 1636	1756	mscorsvw.exe	55
PID 1756 wrote to memory of 1560	1756	mscorsvw.exe	56
PID 1756 wrote to memory of 1560	1756	mscorsvw.exe	56
PID 1756 wrote to memory of 1560	1756	mscorsvw.exe	56
PID 1756 wrote to memory of 1188	1756	mscorsvw.exe	57
PID 1756 wrote to memory of 1188	1756	mscorsvw.exe	57
PID 1756 wrote to memory of 1188	1756	mscorsvw.exe	57
PID 1756 wrote to memory of 1664	1756	mscorsvw.exe	58
PID 1756 wrote to memory of 1664	1756	mscorsvw.exe	58
PID 1756 wrote to memory of 1664	1756	mscorsvw.exe	58
PID 1756 wrote to memory of 2284	1756	mscorsvw.exe	59
PID 1756 wrote to memory of 2284	1756	mscorsvw.exe	59
PID 1756 wrote to memory of 2284	1756	mscorsvw.exe	59
PID 1756 wrote to memory of 2292	1756	mscorsvw.exe	60

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 20c -NGENProcess 214 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 1a4 -NGENProcess 184 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 234 -NGENProcess 1f8 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 224 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 184 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 1f8 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 184 -NGENProcess 1f8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 24c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 244 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 1f8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f8 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 25c -NGENProcess 244 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 254 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 27c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2ac -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2a4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2c0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2a4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2c0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2a4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 300 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 2a4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f8 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2a4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2a4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2ec -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2a4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 318 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 2a4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 33c -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 338 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 348 -NGENProcess 318 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 320 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 318 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 328 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 320 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 318 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 328 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 320 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 318 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 328 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 320 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 318 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 328 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 320 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 318 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 328 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 320 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 318 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 328 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 320 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 318 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 328 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 320 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 318 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 328 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 320 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 320 -NGENProcess 3b4 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 3c4 -NGENProcess 328 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 328 -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 3cc -NGENProcess 3b4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3b4 -NGENProcess 3c4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3d4 -NGENProcess 3bc -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3bc -NGENProcess 3cc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 3c4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3c4 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e4 -NGENProcess 3cc -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3d4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3cc -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3e0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3d4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3cc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3e0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3ec -NGENProcess 194 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 408 -NGENProcess 3e0 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3d4 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 194 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3e0 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3d4 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 194 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3e0 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3d4 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 194 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 194 -NGENProcess 420 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 430 -NGENProcess 3d4 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 194 -NGENProcess 434 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 424 -NGENProcess 3d4 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 438 -NGENProcess 41c -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 434 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3d4 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 41c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 41c -NGENProcess 43c -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 44c -NGENProcess 3d4 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 3d4 -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 454 -NGENProcess 43c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 450 -Pipe 194 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 444 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 444 -NGENProcess 454 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 464 -NGENProcess 450 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 450 -NGENProcess 45c -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 46c -NGENProcess 454 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 454 -NGENProcess 464 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 474 -NGENProcess 45c -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 45c -NGENProcess 46c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 46c -NGENProcess 45c -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 45c -NGENProcess 464 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 484 -NGENProcess 450 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 480 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 48c -NGENProcess 464 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 464 -NGENProcess 484 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 494 -NGENProcess 480 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 480 -NGENProcess 48c -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 49c -NGENProcess 484 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:1712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2520

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
f888e43a7c72a5162ac20381ad63b98a

SHA1
8f62ba864aaa347e168c68a85450c1d71bf6af37

SHA256
d784b68ccde22fe26c1de1e567f46139cec9b208e38145af0b17dc75be2c13f2

SHA512
2c94345109849852610e313fcb0710c51b197d856afc5ee1ef5186a6841140b1e2d433d6ce6e612c8abc453c60d63c0bf310364126c2c8c4930ab8d60bd8a424

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
66d613ac38af1fe382e7343923ed5636

SHA1
7753df3089390cdbb079c7269a56d84d04d3eaeb

SHA256
850544f29123e3ecc5de376500df0d084848643e0703cc6fde17567f24c0dce4

SHA512
93359e50c02722f2a732075fd0737cf3ea92edbc1b96df6428080b5fdf4e5c40fd29d5e2521d33cceac3430822ffe6632504a14bc91a00f736ccf2042c156166

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
96c7a8213b3c70d39a1ccd9f45c865d5

SHA1
eaafa38118f8379dac24e3754c2d9d228a9a2247

SHA256
a07e0df51c742a65af898d60b4feafc11304b8cfc1d5a65b2c167357207779b4

SHA512
d54e28a51674902ca84cbfb75e29e733dffa066a7e97e4b5a23ab6741a03b031c83180874b0cc2af8d4dd51671fb5f9c46c6bdebf0e4ce1092b5bc25a1b24bc9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9fff7c7e1199a1c5b2ceb8a0ad4af40f

SHA1
73ad07dcb18c9db2a59eb9b8f78dff19d6555965

SHA256
b118b3508c390303fa1921fdedf0cc0c98785f9246a0c91e8c395dba9f2ccd0a

SHA512
5081956d74d8390f22bdab4c3999c341bf35d7780033afce42d24979290f77603fbac0bdc5e1378bcc7617ac3b260a5873ca612e07413aefd89934e9f4723e86

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
dae9efb4ad66cb13ca43265c1e466a2b

SHA1
1b2a34287fb5733fdc5a88ac474511ee3767212d

SHA256
8f27a50646818d0ac24094c6bf330d21ba28cf7aaca62e294328e126ee8b48aa

SHA512
a4a8e84a9b8bdc0cf714884204f5cd7771e383c57d72bed8128e710f3f62f66e7c85921956f9804bfcb1401ecc67dbc8d240fb83a00efb0f37d13ad874fd46e4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
623b2f2be31f55f7b2cfccecfcbecd4b

SHA1
e4ef08af776aa3daa72f6132ab827724f9ddddb2

SHA256
10ced2b2bf813dd9a79d6faa3e0e0b335f9de3f7f0a33c50b1a33f70f866f540

SHA512
662977162357a9a5de4b78f5d038e4304d7a9520b68f3c0bc097bdb4326a681c6e18e5683a3655e34f76166f61224e5fd2fb0c86c62413333f1670fbd486e4c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
4KB

MD5
d897d2956dc7e0ed8ae94977d23e677c

SHA1
63993326c1ee08eef76cdd86f6e5e79142dc3279

SHA256
6ec249c2dd7663dccd9e661d6a433826d52eb65328b58a6070353e0be533daf8

SHA512
0684ef0994c3bcb868f20a8728324ef2c208d2afc83d077e8ecfb0e2b3deb37b998499a0e8cf346117e2482e68d9ed7aa423a9cace5233b43b64f631e27d6090

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
1763452ead3c70500742d57f2d462667

SHA1
33980d1a97a5386b9cda1387e80704436ebd4e69

SHA256
ab3c1e211ef889bf18eb26086aca3a347abe48a0e4262cdccc1fcc5ac22aabe8

SHA512
2b74dc1f81cfd794bfeeef164243b62352413dbd3cc9fcac7c2b4d0985297c25e134c29b29de5021be18fb10df7f8606440b3e8e02576f5e281c3bdde3f0e804

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a1272b770f12ee02bfca3ccfa0006ce2

SHA1
d753ecc783d76db88fcb0124799c59145678aaf4

SHA256
d8387d9008ce99cacae967ec15654958a27f837bc3ee34ba0ad6b5562d1b382b

SHA512
021739e58244b8068bbb4440424b6293991cf56f505b37d2b5dceacf741488c2ef44bca4a36ae6c0e3c620d5f3b19c6c4f6b9872fee86407b38cb25fd53b1401

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
f919c4800927a29355b3214635d4a590

SHA1
a8a75f68a3195b43b50d0f2b5b3f575e9a20fff9

SHA256
eebd5b336bf97f057b58f5112ce4a78d7ea1aac1bf76011e8cb40b8f9acd1730

SHA512
af3e920bcd4ba9efde9c1c871536a4218fb34f5487fe810baea7656fcc8f504d92a397c194358bc2b8afa3eb5d2f4ea1a880ae34346e0932b7f1b58f5ef68e3c

Download Submit
C:\Windows\Temp\CabCE47.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarCF14.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
227KB

MD5
4ec89a4e8fe1b5b9916ace8dbabc0418

SHA1
dafec0baada7f2fa425978a5816fe852053fb1fc

SHA256
6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0

SHA512
648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
221KB

MD5
78c5a493778f578ef5517fe161162819

SHA1
faf377bdc739623fb5f111d51af97e8c78f11525

SHA256
aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93

SHA512
6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5c90eb1665bbffb0fcb2ada742905895\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
00ffa2e838f1c7f4601b6c1b77118ff7

SHA1
24f671ed7b540d15f04d7ded687c0c232cb4e78a

SHA256
1ce15323f6c9b83406a7c4bfd8f0b9d898659ce456efb0037412e7705f09b8d3

SHA512
0007369802ce8df682db4bb8f550f649eabcb2b56be4ed4284780bd577e2b962387ee6457cbed897e493a8463d4478dddd9b6ffde038c6846ce249e61c10efd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
381KB

MD5
0811b25e0449e04f782127bc6f8ac5e3

SHA1
dc1766e20ee338b12fa80e3ce0052ef97ddf9e20

SHA256
20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c

SHA512
a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
947KB

MD5
b1aa17d171be82960213057ca35815a9

SHA1
6c68a8a2c524ddbe04395dfa613378bb311aa314

SHA256
c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e

SHA512
6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\813f212bde63aa5ef818ba41e3c4096a\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
9ce2594761c04ec4b8023735dde3af6f

SHA1
b859a59cd0088c86b1f673c7610542fa63f4e917

SHA256
6051e6dc524c08811a0eb864466a6addeeab33f080440a7bd5d68c59bdd1715d

SHA512
ce5c3d628c3c24a85f56c4d10368ad5590b188c2f43b0d5337650c66db50a4d0ae87a2292fce1bd7ae55578c2a30b7ad91ecb437ca694a404033aafb3a6f6f93

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
483KB

MD5
aae5a97685a809d0a0f661f9319f8a12

SHA1
b5fdd4ec4cc057fccc868de4f4910be89e23e48a

SHA256
c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

SHA512
d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
436KB

MD5
748bed51a810c033b91c660b5776ab95

SHA1
ec2616fb01949fb9fe4b0eea707f7095b69aa9e4

SHA256
45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7

SHA512
dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\da4fb595b7b5712865da0eaa3f1e8a2e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
99255690595521ec422f8abe77fc643f

SHA1
381914ac3011d2d485de4257408a51f7230b5d11

SHA256
2b086c778028f09ad3d224fbead3e5ab47eb10d373b9c955111a2414ef07e9f2

SHA512
a1ce2b97ee7ed93f8b19288fa18a2d69455cd6ce8eedcbdd42400bf3f5bcee02f1d88a0abb02eb513ee5567c5b8a82fdb5387e7c9d77b9eb28a224e2a2e3e7e9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
487KB

MD5
aefa28d036740086ae52d157f245200a

SHA1
d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55

SHA256
75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49

SHA512
3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e4f7e0308f0bc90ce19bd5e2dbb0d634\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
253cf04205ef4bdf7ee8ed702e844b52

SHA1
fd4bb885f18c7607c027e25b624bc87a377b8723

SHA256
b281394d3b60231ba0dd745a64bf9c48240f40236d5ac5155b46d4cf7af0e063

SHA512
770b1465f6f023155ca32c785d9d88b1714bf85f6ed87d1aa2fdd78d3ac0baaff7a737ef38521411e34e837ca8a12d4d102e0452794de6e9a9528e047721e6a3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
f93cf286f006f459863fc7b4ea3cfc45

SHA1
41c233c5f4728e8e7b21028371fcf4071c9541bc

SHA256
1eb77bd96eca22c1ca650671a806c66f64c9fc8be09e3d310433d7de068f21b6

SHA512
0667b594163a7c2e3dcd7ddd72ab2b3701203c98b80568a7bb4da6be095ca9c518fb761a388f79db2b081ff7e78f40a6c6434783fb9457bc309c2431a91be135

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
8e607802d776430c076393934dacb0e4

SHA1
8f611855dcdad16cfe02c45224f0897b84a4db36

SHA256
6b5cad4b81ae9d4c76762c64652eccaced06afd50a85351a16f140af568b83f1

SHA512
9477651cf3daa4005fd8abad8d2c8f3fbda699d8a0c14d77be7db7a083fa27f84b85a93941352abf913b206f3e38a0aed89474f3b71b35da34153041ad1fea91

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
773KB

MD5
108ffa3aa1722e6d835e9a3a29e09b39

SHA1
64b3d7b8b3be1f4fa387014abe5e78e8ab3e8dd1

SHA256
51bbd987374a9fb5bbabb5cd8043fc7b4a4dd97d159c638193934a0d38c4aba3

SHA512
b7417040a3f77e69fa9a18d2b8369af7db9f6a329f6e1b3491b18d87c76ef0b1af9a1e7d0ecf8340008796720e1955e222358dc6b4c70d226bd5fd8db5603d2a

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
4134855f4337def21ec4e28c52a52c6d

SHA1
08ac3d9fd9e9f3188d61d4a3707507a23e14a006

SHA256
a9cda98c189c063989015abe6f853a191b41dd1f0f6d2639e0f8696cbf40ab8b

SHA512
4df2c2853fe9ead71e4cf3febd375f8af68b1b48ce121b34f5b5ae2524c6ffe3526d816588e908e3d06fbc69d276883a0e6f467cb7021a8884261ff8144ebd33

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
52063b48eb5701a349c320d68424f4cc

SHA1
3abba2ffec2c01a911b13ec30d5173303e6d6dca

SHA256
8ac357e7104ac3f02eb243fbca3a950f97c8adcf58a08aa9c5d9e49ba7ba9e3c

SHA512
dfcaac652715bbd9fcd20e5fb714bc1b719dc08b1425ce50833cfbe89af7ecbcb08cba4363885b023c9a1c34b83e8e2a2ac31b50c84be1a8ba789f316bac3784

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
548cb48a7a024137f41080ec9975a7d3

SHA1
6e197b9a3e927950cbb76fb50fb133be02f92ad7

SHA256
6c04e6e7c3ff5b6ea5b75c281317154ea052fc7bd6381d3c410fc46f5b3d7fff

SHA512
b84d5b14c6482301870a3d73d1064b51f9c3d516b729d39c40eda975e579562aff63acd1dd49f8345c9c0112399d17b96ff2d833552c6f469a6301cb67160827

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
9d658a65e101fef19ac7260304c82e91

SHA1
92b844f374b0c6894a81fabef7da2e2812702401

SHA256
0e30815bc6074b2a0d2cc3440140bd84dbfde9835e603e2d4d6c80e697ed1a87

SHA512
08a25f447fac367e04fec0df8cfdd7b0757ce3511d2b3b4df894cb1aa300250dae28816391a3040d52b13d221aad1f69f4b99463c482a7bae44a72998ada25ac

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
1c9007e91c675c2ab0c9412450b06f92

SHA1
601c8473d75c22d277bc0d0905de7b04e34acc60

SHA256
a474e974c75568306798f28fd04d7adf178f6ccf240343935d97d0f6378f0f90

SHA512
d9e0a2cea1ef13f23a4549a15136017d2046f3f2ab5fe1f40291d4d09febbe80584cea8b64eccadaeecc22291be8de0970e3b550fea10393465a920c93b442df

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
6c771ab874fde7bc17c8d64a0654f7fa

SHA1
a7940aaa552b07b609c95a872acfc760e6ebe343

SHA256
ba6fe38e5d1163c0b54f1893318054d7228859461f3af2944e97e9c9db902e54

SHA512
704430297d806866d51ec4994a991dbbf7ef51688749b084db830e5ca32e1f9acfaeabba80a377fe19f49bca8bb317b9cdd1232df5d78bfff3ec53a668d9a764

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
713ff9d8900f5efa31267ba7419f85e9

SHA1
548df5eb646e13d9ef7d1e28e21ad062f3ee4154

SHA256
3b01f5ec3ed0bd6a5558ae994bb882d1ec6f8f558ea17f3f1cfdfc38fb53b4b3

SHA512
faa0e323ac9d79d12eaadc9af8696f54958716df8f7226eb030b47dc58c16716f7f2a33f7f18f6fe65df631b4e89872491af9caa80233cf18d97fff3f8cdfec6

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
289ffed2f0237d033db06b4b8a7ec9a4

SHA1
14a528e9b9a95d8f7ec41d8ef003fd5e45d91315

SHA256
2fc01524c738a3384a7635d1a81f2b15e3ae28ee144f828f29a7d6aa12d6f429

SHA512
8c44b4789aea7ae2d97a7ea4535f0ba840d0e9699efdd75291c77889f29c08df436c1dd917b0961b1df186ee00fc71e0374af46d0a2147b4d3c3786d0f64a300

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
55eed4d453da3c85aa0b9742f81929b9

SHA1
f9a0eaeb5cc4d1bc6713c13fc509cb4b0bc35f48

SHA256
bcbd7d174e6343df5fa097d73eb8061b7de2030ed251198c04a9d6d94ff4cf66

SHA512
8e1753eee73b89fc12b7ebd3418c107772d9fe932c9bcc1ce9a4268d971145c67e5d6196f1c2db55a954241288eedfa24fa8c7170a6c1e4438bbcf3fd5890e9e

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
87ca09b245285252b0872a10174e63a6

SHA1
c526aa6a775274a2bb08119a031c1972ed5207d9

SHA256
8f1d2460f7502866e77ee28266bf8247b357a67270341891b771d0d05ba53a10

SHA512
782f04f3e7c23a472495cddef931f6a4656388ba492ddffd9a38b8deaa364420e33357534494769a439b354dea37dd4198fdc8f34b9d90356e07510668cf19b9

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
2fdfe10983b3e9cb7d5c0224982a3353

SHA1
4589083c554481ee5696f35bc988f19b170f2bc3

SHA256
22c563806e8e9202a94d79f3cc8f16567eb8d605396d8c4137d048b15d39abf4

SHA512
cd20a25b75ff545b2a41f25874bfb83adec57cbf7181e7827b80740c34f0c7d5c003bbcf8ce90a549ae7e37c0d3412c3c1705a529bff071c9080ae9430385fb4

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
3e3a4ed2853e77694f7ba55f9a226cd6

SHA1
7e94d4f1b501954018c75539c3aebd05af858333

SHA256
e9f17ff786702ae1c048f2479ebc80d51763f92102550d69c2e38d9531927965

SHA512
8929acc5755d9daf8e8ca4cfb3d7b1f0f0a1cdb8ee7f325a37a2e7c4ce826798541675377673b0bf8766d5ceabb8c77cd58b703be94fc444676125c3fe71ab6b

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
f67e45b5765117aa6f38b3a2e878cc06

SHA1
cba84265b0bccc6245e2bbc47457df49b24a2d7a

SHA256
97da8df836f82f9268adc2daabe1ed0f414157de0a5915430df99d668cfde8cc

SHA512
523a006965a1fd67f214a1a5f39b8ae888e942da92b2f2fbdb6a5a0ca9a481956e3f4b442c5ac4afdeb251c817c6bc7d955aa9e86df9f680abe30c81dcd82d8a

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
26521a965fe958c87d321f9b2626b857

SHA1
b9af156d4f706ced829206db46212c263bf04bb1

SHA256
5c3a3af44fe6736697c6b5f65a3148ff4b3a7920812ff94cceb5c64a0971b914

SHA512
a6f50cd2f633fae45c4322fef22046e3e0e645839cd4bc9f128b0e9ace2d35cb9f0338efc7c9899fe326954f1e60595f0b0a6787a0da0929102ad13648b37783

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
11934de8468b6122f9a7e6c82fc97261

SHA1
fc3aceecb1ab0d87bd2bcded08e624008909de09

SHA256
d1338dcdd58f9cd7e476dcf2bfbf8d6221c20983685629af9b49b9998090b1a4

SHA512
d2bb358a39de70e6736123d420f084fc68c4ae59a126578298e6a84dc563f514dac12aef69282fbd0d673f6aff1318d79b7fcc06a3b722d08affd699f6f60288

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
818f6a048b86092a07a70b27eeeba20c

SHA1
24c958cc7a0542f76f33d1f1367bb1953f70e7e3

SHA256
ed4b2c6450e0db56e074efe1b724a4bb18a271b48b2734b39739e74090cf4c9e

SHA512
7d1bf81ba39882d7c2a313587655580dc1962fbf716db721e4becdf9b740b07d47f6ca5afeaa25d6e9046372db41dc5fa7e16997d357440a9d51a6cfda00629b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
d7102d98906513e3399a9884f251ff44

SHA1
28d533dbce9a92f7faee0c14f057ef82182b86c8

SHA256
d933ba457ca4761f95dcfab1af7db87bbb0e2024f0398c2f70fc3bfa955550a8

SHA512
bc8db2a5c26ef0cd9d5954dba88254e9a8498889647a0fcecdafb7fa55a950ba02e0f9c9170a8c85e27dc7837be176fa55c48712eb03b0aac4a7e7fe34519f8c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
b5138d634bc804fa6a7d001fdae954d3

SHA1
a7cfef0c5c35af99a1c4f51adb2a9b83d2261e0e

SHA256
9e6101491683cf284ee500d92ab78032c8524d10f8f8a28e14f7209db7f1536f

SHA512
d7797a926ac62e08ac07dfac36a744f843647cec2ae6ff83527c38ebd675befc1a9a096d20996efbb377bd4994e68553db7b449ae7d33925b5e86b63c786be75

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6374.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP65D5.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP694E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6BCD.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E1E.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP707F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/864-475-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/864-473-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/864-472-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/920-356-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/920-354-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/936-211-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/936-181-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1312-455-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1312-471-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1312-461-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/1312-462-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/1312-457-0x0000000000A90000-0x0000000000AA4000-memory.dmp

Filesize
80KB

Download
memory/1312-456-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1472-483-0x0000000003370000-0x000000000338A000-memory.dmp

Filesize
104KB

Download
memory/1472-478-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/1472-491-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1472-482-0x0000000003370000-0x000000000338A000-memory.dmp

Filesize
104KB

Download
memory/1472-477-0x00000000007B0000-0x00000000007CA000-memory.dmp

Filesize
104KB

Download
memory/1560-513-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1560-512-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/1600-369-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/1600-386-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1600-377-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1600-376-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1600-370-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/1600-371-0x000000001C4E0000-0x000000001C528000-memory.dmp

Filesize
288KB

Download
memory/1600-372-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/1600-366-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1636-511-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1636-503-0x00000000030B0000-0x00000000030BE000-memory.dmp

Filesize
56KB

Download
memory/1636-500-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/1664-210-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1664-216-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1756-76-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1756-182-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1772-275-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1772-209-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1772-112-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2056-360-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2112-1-0x0000000001002000-0x0000000001004000-memory.dmp

Filesize
8KB

Download
memory/2112-23-0x0000000001000000-0x000000000125B000-memory.dmp

Filesize
2.4MB

Download
memory/2112-0-0x0000000001000000-0x000000000125B000-memory.dmp

Filesize
2.4MB

Download
memory/2120-358-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2156-498-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2156-496-0x0000000003010000-0x000000000301E000-memory.dmp

Filesize
56KB

Download
memory/2236-66-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2284-364-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/2284-363-0x0000000000720000-0x0000000000768000-memory.dmp

Filesize
288KB

Download
memory/2284-367-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2284-362-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2284-361-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2328-387-0x0000000000730000-0x0000000000748000-memory.dmp

Filesize
96KB

Download
memory/2328-389-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2328-391-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/2328-390-0x00000000030E0000-0x00000000030FA000-memory.dmp

Filesize
104KB

Download
memory/2328-394-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2388-431-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/2388-440-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2388-448-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2388-428-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2388-429-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/2388-425-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2388-439-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2388-435-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2388-430-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2388-434-0x0000000003100000-0x000000000311A000-memory.dmp

Filesize
104KB

Download
memory/2388-432-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/2388-433-0x00000000032C0000-0x0000000003308000-memory.dmp

Filesize
288KB

Download
memory/2520-105-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2520-201-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/2728-86-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2728-56-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2732-43-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2732-85-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2732-42-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2768-401-0x0000000003030000-0x000000000304A000-memory.dmp

Filesize
104KB

Download
memory/2768-402-0x0000000003050000-0x000000000306E000-memory.dmp

Filesize
120KB

Download
memory/2768-396-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/2768-400-0x0000000002FE0000-0x0000000003028000-memory.dmp

Filesize
288KB

Download
memory/2768-399-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/2768-398-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/2768-397-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2768-393-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2768-410-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/2768-409-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/2768-418-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2928-453-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2928-449-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2928-450-0x00000000008C0000-0x00000000008CE000-memory.dmp

Filesize
56KB

Download
memory/2928-451-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/3068-419-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/3068-426-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3068-423-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/3068-422-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/3068-421-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/3068-420-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download