expiro | f47ca6f4ac15343f6f087d6dcdda8729b403f65004c2a14944fa0a3ca839f79d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
Size

780KB
MD5

77dee8b1b368b860d694420325d37ddf
SHA1

4056aa8fdcc535d39201429caef1364aac338bdf
SHA256

f47ca6f4ac15343f6f087d6dcdda8729b403f65004c2a14944fa0a3ca839f79d
SHA512

9325721e1482f544785dfceeeb61c37faedd406e40fc6d3ac8d2830499d805c20dcc93e7225f83ea3de831dba881ca06ea4f1d5befe4be0968be90af906e856c
SSDEEP

12288:JJ7THB9DS/Eg8KWWBnUdtoThEkQOSxpqLlWanPk0xlASzSwtuAFIrH4W:bz/D/6BxmkDspqLlTnTxj5WrH4W

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2364-2-0x0000000001000000-0x0000000001283000-memory.dmp	family_expiro1
behavioral1/memory/1832-54-0x0000000010000000-0x0000000010258000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
1832	mscorsvw.exe
476	Process not Found
2868	mscorsvw.exe
2716	mscorsvw.exe
2768	mscorsvw.exe
1628	elevation_service.exe
2832	IEEtwCollector.exe
1916	mscorsvw.exe
772	mscorsvw.exe
320	mscorsvw.exe
1088	mscorsvw.exe
528	mscorsvw.exe
3036	mscorsvw.exe
2196	mscorsvw.exe
2932	mscorsvw.exe
992	mscorsvw.exe
1264	mscorsvw.exe
1852	mscorsvw.exe
2716	mscorsvw.exe
1844	mscorsvw.exe
2724	mscorsvw.exe
3004	mscorsvw.exe
1580	mscorsvw.exe
2532	mscorsvw.exe
1120	mscorsvw.exe
2312	mscorsvw.exe
1512	mscorsvw.exe
2452	mscorsvw.exe
2276	mscorsvw.exe
2004	mscorsvw.exe
348	mscorsvw.exe
1560	mscorsvw.exe
2504	mscorsvw.exe
2328	mscorsvw.exe
2904	mscorsvw.exe
1288	mscorsvw.exe
1252	mscorsvw.exe
1352	mscorsvw.exe
864	mscorsvw.exe
268	mscorsvw.exe
2968	mscorsvw.exe
1672	mscorsvw.exe
236	mscorsvw.exe
1468	mscorsvw.exe
1032	mscorsvw.exe
2944	mscorsvw.exe
2916	mscorsvw.exe
1432	mscorsvw.exe
2328	mscorsvw.exe
2704	mscorsvw.exe
2744	mscorsvw.exe
2928	mscorsvw.exe
1700	mscorsvw.exe
2156	mscorsvw.exe
3068	mscorsvw.exe
1176	mscorsvw.exe
1196	mscorsvw.exe
536	mscorsvw.exe
1500	mscorsvw.exe
2012	mscorsvw.exe
1076	mscorsvw.exe
1524	mscorsvw.exe
1672	mscorsvw.exe
1512	mscorsvw.exe

Loads dropped DLL 56 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2196	mscorsvw.exe
2196	mscorsvw.exe
992	mscorsvw.exe
992	mscorsvw.exe
1852	mscorsvw.exe
1852	mscorsvw.exe
1844	mscorsvw.exe
1844	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
2532	mscorsvw.exe
2532	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
2004	mscorsvw.exe
2004	mscorsvw.exe
1560	mscorsvw.exe
1560	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
1288	mscorsvw.exe
1288	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
268	mscorsvw.exe
268	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe
1468	mscorsvw.exe
1468	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
2744	mscorsvw.exe
2744	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
1588	mscorsvw.exe
1588	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
2844	mscorsvw.exe
2844	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
2204	mscorsvw.exe
2204	mscorsvw.exe
2092	mscorsvw.exe
2092	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2872745919-2748461613-2989606286-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2872745919-2748461613-2989606286-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\K:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\Z:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\N:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\Q:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\U:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\W:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\Y:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\X:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\P:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\T:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\R:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\V:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\O:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\L:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\M:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened (read-only)	\??\S:	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\gdbebepj.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\apdkoadn.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\mcapniaa.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\system32\mhekponf.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\wbem\ddnhlomo.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\khndneff.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\iihgmjmm.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\SysWOW64\ddifkmgn.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\SysWOW64\mdgeifgo.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\gopbpchf.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\ahadddhi.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\gednjlep.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\anehqofe.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\hkdkgjpe.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\windows\system32\mfbcljbl.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\hbicjdke.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\klonohhl.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\qcogljfn.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	\??\c:\program files\windows media player\aoaaekhh.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\gakpqfhp.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Internet Explorer\bpqlfpga.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Google\Chrome\Application\bhlnifll.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\7-Zip\dklkkafp.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\gmoggjie.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\eqiodbdg.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\hmjcjcnp.tmp	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC523.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\nglnnpnf.tmp	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP388E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4CAA.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4338.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP452B.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3266.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3572.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3F51.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3D5E.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2364	JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1916	2768	mscorsvw.exe	37
PID 2768 wrote to memory of 1916	2768	mscorsvw.exe	37
PID 2768 wrote to memory of 1916	2768	mscorsvw.exe	37
PID 2768 wrote to memory of 772	2768	mscorsvw.exe	39
PID 2768 wrote to memory of 772	2768	mscorsvw.exe	39
PID 2768 wrote to memory of 772	2768	mscorsvw.exe	39
PID 2768 wrote to memory of 320	2768	mscorsvw.exe	40
PID 2768 wrote to memory of 320	2768	mscorsvw.exe	40
PID 2768 wrote to memory of 320	2768	mscorsvw.exe	40
PID 2768 wrote to memory of 1088	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 1088	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 1088	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 528	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 528	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 528	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 3036	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 3036	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 3036	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 2196	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 2196	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 2196	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 2932	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 2932	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 2932	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 992	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 992	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 992	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 1264	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 1264	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 1264	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 1852	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 1852	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 1852	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 2716	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 2716	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 2716	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 1844	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 1844	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 1844	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 2724	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 2724	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 2724	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 3004	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 3004	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 3004	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 1580	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 1580	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 1580	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 2532	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 2532	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 2532	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 1120	2768	mscorsvw.exe	55
PID 2768 wrote to memory of 1120	2768	mscorsvw.exe	55
PID 2768 wrote to memory of 1120	2768	mscorsvw.exe	55
PID 2768 wrote to memory of 2312	2768	mscorsvw.exe	56
PID 2768 wrote to memory of 2312	2768	mscorsvw.exe	56
PID 2768 wrote to memory of 2312	2768	mscorsvw.exe	56
PID 2768 wrote to memory of 1512	2768	mscorsvw.exe	57
PID 2768 wrote to memory of 1512	2768	mscorsvw.exe	57
PID 2768 wrote to memory of 1512	2768	mscorsvw.exe	57
PID 2768 wrote to memory of 2452	2768	mscorsvw.exe	58
PID 2768 wrote to memory of 2452	2768	mscorsvw.exe	58
PID 2768 wrote to memory of 2452	2768	mscorsvw.exe	58
PID 2768 wrote to memory of 2276	2768	mscorsvw.exe	59

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77dee8b1b368b860d694420325d37ddf.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1832

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 15c -NGENProcess 160 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 15c -NGENProcess 160 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 1e8 -NGENProcess 208 -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 208 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 254 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 160 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 160 -NGENProcess 264 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 278 -NGENProcess 254 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 14c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 14c -NGENProcess 250 -Pipe 160 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 298 -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 254 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 250 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 298 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 280 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 284 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 280 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 280 -NGENProcess 2b0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e0 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 284 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2e8 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2b0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f4 -NGENProcess 284 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 1cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2d0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 1cc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2a8 -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 314 -NGENProcess 1cc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 1cc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2a8 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 324 -NGENProcess 2cc -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 32c -NGENProcess 1cc -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2cc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 1cc -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2cc -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 338 -NGENProcess 344 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 2cc -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 34c -NGENProcess 340 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 338 -NGENProcess 350 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 344 -NGENProcess 340 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 354 -NGENProcess 34c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 350 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 340 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 354 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 338 -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 350 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 35c -NGENProcess 354 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 340 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 354 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 340 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 374 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 35c -NGENProcess 340 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 384 -NGENProcess 37c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 38c -NGENProcess 380 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 37c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 370 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 37c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 398 -NGENProcess 3a4 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 38c -NGENProcess 370 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3b0 -NGENProcess 380 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 380 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 370 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b0 -NGENProcess 380 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c8 -NGENProcess 3b8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d0 -NGENProcess 370 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b8 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c4 -NGENProcess 370 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3e4 -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3c0 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 2c0 -NGENProcess 1fc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 1fc -NGENProcess 370 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 3d8 -NGENProcess 3dc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 370 -NGENProcess 3dc -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3f4 -NGENProcess 3e0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 2c0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 2c0 -NGENProcess 370 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c0 -NGENProcess 404 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3ec -NGENProcess 370 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 40c -NGENProcess 2c0 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3f4 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 370 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 2c0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3f4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 370 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 40c -NGENProcess 2c0 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 1fc -NGENProcess 414 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 428 -NGENProcess 418 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 370 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 414 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 418 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 370 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 444 -NGENProcess 414 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 428 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 42c -NGENProcess 370 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 44c -NGENProcess 434 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 434 -NGENProcess 448 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 458 -NGENProcess 414 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 44c -NGENProcess 460 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 370 -NGENProcess 414 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 438 -NGENProcess 458 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 464 -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 414 -NGENProcess 438 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 470 -NGENProcess 44c -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
9cfd04e059e354fcab67a1c9cacd8a34

SHA1
a81a5ad1d49b5d44bbfe4f8679e00a66a5fbf4c9

SHA256
84dd47cdb8c7fa65d63f530f68f171024712a4ac156d32c228e7b3107c17947b

SHA512
4f1fe6cfc2ba2465bc3fef27c8c596ef1157bf7d6fe989fa60565b3693cd5ca369752aabac511ad1ea75f2c3253ba1fbaca7902695f8a8b234f2d605268ea32a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9f51970c61c055730c9ee232479fa0b9

SHA1
26565c877d9ca4349c866f6acdef8d25b697c0d3

SHA256
0dc5c6bac881d9e99de43b12a114a5e2d554ed5fb6eca133683e87dc93919c9c

SHA512
f4c155f54d794fa515e896c125c64c619e56a588a8cc5a3e118e97cd95b4b917c24def1de7c54912eac1a6a04396dbea1fcb53fc768f13d2c29bb406a9a3baf0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
609efc922339a8e05d813fb4748454eb

SHA1
f4c47e9c4e785d5b2fff9f00b8f98f1e3c196044

SHA256
a498f21be7f261b98412d7e64a58277e76127e92e1cde1c0e0288d8e6855ea81

SHA512
62fab8e8328b66c2cffc248fdf2f594ef3d003c2ff309080541dbeb0d5e88c5f988fa8780ddf212640ada14a6b3c0e3c80956962e1d548acb88a83a83d142b0c

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
a8df0fd0ab61877951c27352d251f245

SHA1
e1a77325f1e3cbe7ac06b5b25400bac35d7fca78

SHA256
ece1441f2129593539c7b5c1e43c0d1566c4708f4b11c6c072ce5b3b20a5767f

SHA512
f632228346d12e34bcc6078e2774e2d4c25959c1e6ffee11501271f00ca3925dfaa79e2088b377562cd9dc9c4be473f352ca46c4b931ecbf77842c1f91960b50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
3da8afaf2057fb7af6c1c394501c889f

SHA1
431b5f7bd9b7d0fba8d141f23fe77cfedc9b5a83

SHA256
93b217c6dd0ba1d10ba07720d9a78a85701f6d440d40527fbc93eaf25d738c3f

SHA512
d5588ddd2b813bfb0e7542a26785265d24a7e1dd1ce2b88b1a5e4607a532a1571c091e7a436802b0c4419546175d1b6f6cd5af4cf1bea462373ad8225cf93f88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6a0bbe2dcef31863965f3a42e0900ae5

SHA1
4d52ccadec8c562403b367bdf1750db1eccd04c8

SHA256
0aedab43ea19d4ae2eee4154251cde09e555bd2a1bd23b82e4e034a919416958

SHA512
da0a7d4df42e0feeed7d63258979f7125f76243afab440a64ed504106f788930fb270ccd8611c73600038f37c03035f7f220d987b9ca81ae18c0e87639f689ba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
a707777bbe878039ad1e9b85fe0fcbbf

SHA1
b26d8d82b512b16f281df8250b9159551299ba52

SHA256
0b3c152272ef092affc3d7b057c9b8d7a3449cc201b3f0c0c18ba93faa38675c

SHA512
69548fcf7f1718be7502d499ce4d80cdba41f53f37ff40a4624f11d35b1c73a62b9e5b0fb1127a2326670528bb489de503fd5b7a318cd01cbe82c6117837cde7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c0e0a978f77befda54d39cc8debd8633

SHA1
f09c427ef5d87f611a22729daf076b96c403c3da

SHA256
186e6f589151bfa3ab745beeb9bedfa444490a9e329576cc60b21863799efda1

SHA512
cb926a99cdd42eddb32c2748108a6d86e8b9edb013375ce49083a0ea7665c945c5c942c6db061010c3fab10ad35f3b10420f54303b0bbcc606cb12d55890ea1f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
310e3f0400a4979fcd2b022457c1b4f4

SHA1
d7386f01a92dad4dcc7efba94bb19925a2436ca8

SHA256
19742dc90f2a888c5f84013362bf3cf311d63261415defb1b56c2f796241d67a

SHA512
b223551227b0cc280fe9578d6dcac75b0a7033e4e6141529f53b31f8a9cd1864d1a57237721dd2f68ed35a7533136ec989a46164437a13b2e08fe3447034c66f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
93c90ebb78b65b3dfbebe78eb39753f0

SHA1
12d603be4efa14f5baeadab9a7b6d8cb234d5e5c

SHA256
427b3ae3eeebce3819fba16caa4ffa7ce7f1b40f65bf875eb3eaa7b0a8af90fb

SHA512
e5b6a044297b7ff4359f8bb802bbe20d94ca15b056e1f8cd10f26d322f499e6aec6877e0b811da1a91fc76ad8f605a83aba29bbcdf81c34672dd046f1a6a624a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
da108369914bebc938fe2e0194fde77b

SHA1
8b94400570227cd6373c85ef6201d2c3af3dc640

SHA256
5cd77e80bcee221bef5dfea2740cad13dc1856099cb3a10cb968601f08919b10

SHA512
7a1f5c1530eb458185c338c2752013ef2b76416b97ad580edd6126f700488eba97418dd1c6cca217831df462fdd4edf234deabd0859cd53b85d59019a5e70835

Download Submit
C:\Windows\Temp\Cab9B07.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9CFD.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1488e19fc9d8cf68b69c1c972ab7b8a0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
dfbe348a94f5be3a61ae8159f888f9ee

SHA1
29612b8ca213b14d79748e3ff6ecde84d348bad6

SHA256
864ed39fed2f4acbc7798216a52b08d10026f503c64c75c79b0cccc3fb3f8812

SHA512
693ebfd05b2bd6a6a108c41e05aaf10f9caad9e2b44370bcbb086a7890f44e0576971d156afe4c87c20b11273d2a29dae81384b7d8267ed81f21f3f7d2af84a1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3f9493e19bbeefed0152640dae7fa921\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
5a46ea07f5e2f59e7b53b81764244049

SHA1
85d6cbd72b23e55f80d5a307166a68b6631c0f0f

SHA256
4ec4dd70781dfc8a9988a8e3b3d2ba4298c949a0bfedac8a9e96056af55563cd

SHA512
575907d1bf4b0769ada7848578f596b3816b2e7d1b44af36d6b38e1a4eb19dd463f4ac23f8048cfa13ae1c52d1f2f55c5e8f1759c7747e76e4c495ac8d05af1b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8871da7bbc3c9b6139ac87248205ec11\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
da7ec314408b05afecc32d38d7e2f67f

SHA1
55e36f0b7285b1e3044c8ab882a62cb09295f361

SHA256
61a64543acc446b91ae4db11ce50d7df66907fb6a57eeec5a02f333e80effdc2

SHA512
524923531a2492a9308889a211d629e6abbe495e62c94eab7705ee11b0659cb04127efc584873fe2ed56679107480d973a93bd7e06a640e883f1e1f7caf3f793

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a62e291b31bc1c2c498a76ac44eb595f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
4990d483ed67f8efee08ad98e18d11c0

SHA1
7c5ad14d0f122eb55d429210ee14a6bd51ae25c8

SHA256
fe65b66584d82486180ab9b3df0acb3bdac6a5af6ae2a864a53e351ad5f827d8

SHA512
9084ecdf9c848573e40c0ffc5f7463ae703dd7b276746bf8cdb83f3f362f174c9457d73eea6a086f3a5a77a0ef7adb8429e8a33261b244a7364952c8bfcefeb2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
8cb0371c640af2881f3bdc547b53df37

SHA1
859b4c76a727f7715a369d9786fa1b1781ea60dd

SHA256
4848c54558dc467cc2ded8d450ecb779a7c92967c6f7867f77e1f2fa25f1dd2a

SHA512
77b2f15a03621c26ee8b4ce217cb7e87410ce532ef7b1150107e360d981d47b6e90148dd1299daaee79b3320903c466486ad196878eb999fb54cdc1afd62e884

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
f185d3041b70320da3220dae6a950444

SHA1
ebcb095dc7208e303b58fccafa5fb4e5882465ec

SHA256
b5672536098fa9a2d8df78f41f7178c383307026e2178968bf1c710df70a27e8

SHA512
be1c165b84561f3928c2fd83212e42720e301dd3aee87a109a6604431bc4305adf50688cb3c13c261837236a9417bbf8a85408a3f6cdd1f5b68b5501b4891bb0

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
773KB

MD5
8051cceae1197fe7404ae831962c59e4

SHA1
0e69e6fbbdf28f3ce156f7d671bc4199a565cc73

SHA256
996bbb2b8dc7d0170d7ad08fd51aa8b4ba21f00fa74b27f59eafe0de8a8effac

SHA512
80046ba0f5e013497a5673bc7326c7e2d79d620b50cc0c0aaa2c872aa1ceb5faca490ae3f32b687661f73ba8c5e30306f78f21a59626cc44704cbd7b5b1908d9

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
5e83f5bbddb134022daf603d68b86120

SHA1
241f6a29676c1c3976c03c7930a8796b0b508c25

SHA256
67ccd83ce7a90735b0223aa13e5030222932bd8c185b691cfa0bd7208673a891

SHA512
21ea3b60da26d262ebfa2521f741475e3a4fb101c8b1b10fc5a2cb6d518260e4bb29382b9c57321aeb9890e00d863337912fce904abc5ad6416a69b14b153cc9

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
32d3b72ac2db8c9fb32a10b507b5662d

SHA1
dcf2176b12dbd2a176e1a5fd8a8e7d4698525af5

SHA256
a0ffd36b8b354d08adf2a5a25053258e9d45890d5e74134423c49cda386d94a0

SHA512
7499bf6778324d51293d1a5f554a5e65e518964755a01229ce64c1c770dda8514de6634ed2d874dd1190d73de4a83cf14ca26b1c25d4354fc7a3bece3975069e

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
9c41eb652e575c41292898875676fcac

SHA1
3c2da2ac39ea7f1431a2629d4fd6a6805cc93fb3

SHA256
c01abe670aa9038cc421bf121fc9221b28e74dece31cea48021f527a5f60a14d

SHA512
475a317f4740bf0419d4987fe69c5e93b88f218ab67156646441f73f08aab5861afbc8e6208dacd5d70e9e08be8da3a58d0fd5cfecb6ce160bdff0ca8e79d7d1

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
89966bc0b6b11a46819f820d8f559314

SHA1
875e2ad2ab63808ca72b537d99413da7ef52a6d1

SHA256
61e3138b1329b80c310d9f5389598cb6d4694ac0b995e498557c045ccd71f22f

SHA512
cf227727ffc450fa51c7a0b66c60880e6a12cfe57f99371288e51037834e02ee25cfd6813e54ae59c56c55499ca8c5e709a8b30864501b5ff940962b6165b586

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
44178104b6943e69fa9eab304ac8a80e

SHA1
1dfbdb12a0a65560984dc4a329c5a0137aa402b8

SHA256
c5d5886b288b5641f1753d4da7aadd5871f08f278953564d1905f1689b061bd1

SHA512
f39783b1d49586b00940e72a147c64ecb0eded73ea752d6ab1158645803c0a653c562a6e7afa615e997b68d618f3a524c1bc916e20467521858ef893ff416ecc

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
758d8d5baf437a1a077bb247e6d12ad7

SHA1
0a4cb8c30f0d6cbd2dfb428a3fafb1e5dcce88ff

SHA256
537769743a0490ba3a56957505ea84bdd4e71fa45e0f14e2ea5528f77c5abaf8

SHA512
d870dd3c9086843ba644cf5837c084c40813501bc0fb8ccf0ab8dd4e293236494dffedfe82979056d1da0bdbb7765ff7d9ef5484b5cd152a80e2758a4e0e12de

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
9100c024b1b50c2d9441cafb8b1595af

SHA1
28349db85fcffd8737dad6d87f6c92f595396b7a

SHA256
d4b41cbdde61dcc1e4b7c563326c427d3f5a67456191ff16ec2b98c304b76549

SHA512
2f4aa6b9897afb845efa27e71e75e9acf5e15cfa07beaf6930735a3f9fb84539f48f74f59a2cd8feb5c43c8c780a17b1ef62f17d3c5f7ad38a1b51dd637692fc

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
1f20f4a8431198e843d0818a7dfb75ac

SHA1
06787f6d61fe691b79f6825732f06101b6fbc611

SHA256
f196c4327d38b64d3cc205468b40a636d81e2c9b5b7fa104264aa694b1168eba

SHA512
a9d5127bd3b30ff7869570dfab3a2dbf8dd966465e06dfba69f4f530524709b31c9aa0cb8a5256dfeb3e9365c52e2632bbf55ab24c5ef7e5a7f0b5cdcd36b3fb

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
fd0a861f6b23575efccaf4bf7359b1b3

SHA1
c15d84dc3b83ea37369d2577a84bb68ad13bcd6f

SHA256
7eb5872f9b901c32308fccf8eef5807923255b045c211fbbffc2715c52a654ad

SHA512
5de3a0b9f560a4da09c314fe906463de3da0700425f56bf4581910d0d2edf6fda7e714e931605dcbda9f6e0db08e54440fe49b689442d88ade6d7a9a25d37270

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
60bd03cf2b880f168565ab63a81eca78

SHA1
c6b6f41dcd856b348280aef585343f65bb742864

SHA256
bc6b9bfde3621a9ae728d259011e10c7bce5052644f034cf0a1d865da31e2179

SHA512
ea76608b886feb98320f7d3eb25d4a27b704ee22700838315d94592da81756345ad06c54be301f8058fe1cbdd5ee97c6ab353cb3c1b2177ef486425fbdfa7937

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
007d758f91a75d8dac025c27ad06fcd5

SHA1
aa181e55f0b2f89041460a748a3f784c366b219a

SHA256
aa54cb1a33a1abac4d701c66c228ba79a08dbcad0cdc1270f0b8a68cd8b17d9d

SHA512
1dc3cbe722e101310373ca932c787ce456de33c56c67446a6aa257925d8e64f6c2215f3f5a4696eddd618c33c1985b3d06a20a496fa284aacfbe7dd6ed348195

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
526a470fb1c2019335019f4d93449ea5

SHA1
4580e730b4e80bab056b4b92614382f3d4a3f074

SHA256
eaa3c362c7f40252b8560c0838ce2583c70f46e8711a09e94e293e390803b8f3

SHA512
cde86a7b9652bcd545657b42b36ea85de7b3cf117c552499d3f2df81480787ebff0b74ecbe54fa03900881b447eef8a49a896f458218b711eb0576df750411ab

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
df463b16ccacc6020597b65c8c1216e9

SHA1
b94f9af0a27d7a5327c4d4a8b8819c78dc810876

SHA256
2c8cc3d023d3a10a80eaf35d6110a452cc34e02b73616ae3a17fdc8854f35530

SHA512
4f3d1af16140766f54eeabe66786a39c61bd705c62a2b7260a0fc33862cc60bcc33552509c5391daabda2b77a11aa456b6f93892544d72eb94b2090104f7fc35

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
06ccbb676b3ef564666eee48b8c05931

SHA1
8bd033519c661139bd6051517971621164990df8

SHA256
28b8260742536cfe78f4cae0cfb47f0260de4aaaa3e5ed360a7add304989f330

SHA512
a02a251e9610b53cfbcbb8d70aa361e97e231fb4a98a032d80c0d95e32e0ae0e3aa8a3296863119acc163d759a31ad5648af55c54808e09f431dfcde8e9b42e5

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
486998e7a75ad1db249b919ec432a5b7

SHA1
4a38a5e8a0725e9ebaffa187bd6f273260399bed

SHA256
a97da07e1814176e4eb8ba2a9ce5c62afa8c6b7cca2b8faa45b398c587e49234

SHA512
54f95e5427ddfb64a1d6cdff1c675852d8264483a54546dc50dfea392d03f6fda55ee6d00efda5b503e773119cdd6c6189fc5d337e34988dbf7172ff48049228

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
248000f15869139643eb8ecb65951f4e

SHA1
8b0d46ee4a93bb1f97d463c27842e0d2c8a30fbb

SHA256
8e48f512d267431551128a8ea7c3ddd5101345e1b68ee5a8051636891bfb6ddb

SHA512
5e5a3422051cd9b31667164d0221d6f76b0d351ba7cb0355bfd6fde4366127fd6dc9150f05ff364a837fab6cd2e77e28164e5b41bbee813ec7063dd7137eb90c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
0d099d9e81a93a9eb86c9faef8407ee9

SHA1
eecbf2e22e1b96b905e5b40bb53aae169169495a

SHA256
9e90b2f2397a22d3307b90f1002d46075d0f8df971372ec60beb5bf9f0df9716

SHA512
d1130fc14c64f7fd016966957aa8c79d2e73e4e273bae81d492295cddde8c57fcacc4c000fcdca1617c5b56f52a5da02236d9b1481e26e283af9070e5f645115

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2923.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2C3E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2FB8.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3266.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3572.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
memory/320-332-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/528-337-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/772-188-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/772-186-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/992-376-0x0000000002FE0000-0x0000000003028000-memory.dmp

Filesize
288KB

Download
memory/992-378-0x0000000003070000-0x000000000308E000-memory.dmp

Filesize
120KB

Download
memory/992-396-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/992-386-0x000000001D160000-0x000000001D178000-memory.dmp

Filesize
96KB

Download
memory/992-385-0x000000001D160000-0x000000001D178000-memory.dmp

Filesize
96KB

Download
memory/992-372-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/992-373-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

Filesize
48KB

Download
memory/992-374-0x0000000002FB0000-0x0000000002FBE000-memory.dmp

Filesize
56KB

Download
memory/992-375-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/992-377-0x0000000003050000-0x000000000306A000-memory.dmp

Filesize
104KB

Download
memory/1088-334-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1088-331-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1120-489-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1264-401-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1264-395-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1264-399-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/1264-397-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/1580-477-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1580-472-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1580-474-0x0000000003040000-0x000000000304E000-memory.dmp

Filesize
56KB

Download
memory/1628-183-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/1628-86-0x0000000140000000-0x000000014041B000-memory.dmp

Filesize
4.1MB

Download
memory/1832-54-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/1832-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/1832-21-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/1844-433-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1844-450-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1844-434-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1844-440-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1844-439-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1844-435-0x0000000003300000-0x0000000003314000-memory.dmp

Filesize
80KB

Download
memory/1852-407-0x00000000031C0000-0x00000000031DA000-memory.dmp

Filesize
104KB

Download
memory/1852-405-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/1852-404-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/1852-403-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1852-406-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/1852-413-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1852-412-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1852-408-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/1852-423-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1916-174-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1916-187-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2196-353-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2196-346-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2196-352-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2196-348-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2196-345-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2196-347-0x0000000000810000-0x0000000000858000-memory.dmp

Filesize
288KB

Download
memory/2196-362-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2364-1-0x0000000001029000-0x000000000102A000-memory.dmp

Filesize
4KB

Download
memory/2364-0-0x0000000001000000-0x0000000001283000-memory.dmp

Filesize
2.5MB

Download
memory/2364-2-0x0000000001000000-0x0000000001283000-memory.dmp

Filesize
2.5MB

Download
memory/2532-481-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2532-479-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/2532-490-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2532-476-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2716-427-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2716-422-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2716-425-0x0000000003060000-0x0000000003074000-memory.dmp

Filesize
80KB

Download
memory/2716-46-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2716-424-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2724-449-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2724-454-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2724-451-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/2724-452-0x0000000002F60000-0x0000000002F76000-memory.dmp

Filesize
88KB

Download
memory/2768-156-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2768-58-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2768-57-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2832-247-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2832-184-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2832-93-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2868-35-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2868-41-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2868-67-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/2932-367-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/2932-364-0x0000000003040000-0x0000000003058000-memory.dmp

Filesize
96KB

Download
memory/2932-363-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2932-368-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/2932-366-0x0000000003220000-0x000000000322E000-memory.dmp

Filesize
56KB

Download
memory/2932-370-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3004-473-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3004-455-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3004-463-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/3004-462-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/3004-458-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/3004-457-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download
memory/3036-343-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3036-336-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3036-339-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/3036-338-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/3036-340-0x0000000003090000-0x00000000030D8000-memory.dmp

Filesize
288KB

Download
memory/3036-341-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download