expiro | 7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
Size

635KB
MD5

79fe1ca4d124971e6b872d5d6acd25f0
SHA1

eca06b23d460392695fbea380a6e4ed69ea14d55
SHA256

7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d
SHA512

7e37f5cff2d86b325d3acb44b1a6821c94a221a70fa9ac81369fd8b22aeea3df5e6e652ba46618f7b06393045b09e7d8c7c676334c14666f27b9c1a0cf2dcf61
SSDEEP

12288:WDB+kxedc++Zvwx4jZVvPr+WmCqeDkqZ7K0Y7hbM:WDB+kxeqPZvwujZVn8eDhXYNb

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/804-0-0x0000000001000000-0x00000000011BA000-memory.dmp	family_expiro1
behavioral1/memory/804-2-0x0000000001000000-0x00000000011BA000-memory.dmp	family_expiro1
behavioral1/memory/1684-54-0x0000000010000000-0x00000000101A9000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
1684	mscorsvw.exe
480	Process not Found
2912	mscorsvw.exe
2816	mscorsvw.exe
2800	mscorsvw.exe
1228	elevation_service.exe
996	IEEtwCollector.exe
2032	mscorsvw.exe
1448	mscorsvw.exe
1828	mscorsvw.exe
2700	mscorsvw.exe
3040	mscorsvw.exe
2156	mscorsvw.exe
1600	mscorsvw.exe
2120	mscorsvw.exe
1512	mscorsvw.exe
2332	mscorsvw.exe
1980	mscorsvw.exe
1632	mscorsvw.exe
1976	mscorsvw.exe
2748	mscorsvw.exe
548	mscorsvw.exe
2428	mscorsvw.exe
2204	mscorsvw.exe
1792	mscorsvw.exe
1532	mscorsvw.exe
2964	mscorsvw.exe
1748	mscorsvw.exe
1176	mscorsvw.exe
1656	mscorsvw.exe
1216	mscorsvw.exe
780	mscorsvw.exe
2328	mscorsvw.exe
2396	mscorsvw.exe
2484	mscorsvw.exe
1624	mscorsvw.exe
1940	mscorsvw.exe
1524	mscorsvw.exe
2920	mscorsvw.exe
2796	mscorsvw.exe
2856	mscorsvw.exe
2288	mscorsvw.exe
1032	mscorsvw.exe
640	mscorsvw.exe
1644	mscorsvw.exe
2436	mscorsvw.exe
2464	mscorsvw.exe
2024	mscorsvw.exe
2140	mscorsvw.exe
2400	mscorsvw.exe
1976	mscorsvw.exe
3028	mscorsvw.exe
1524	mscorsvw.exe
2880	mscorsvw.exe
2040	mscorsvw.exe
2296	mscorsvw.exe
2680	mscorsvw.exe
2448	mscorsvw.exe
1888	mscorsvw.exe
1264	mscorsvw.exe
2320	mscorsvw.exe
2080	mscorsvw.exe
2600	mscorsvw.exe
1348	mscorsvw.exe

Loads dropped DLL 56 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1600	mscorsvw.exe
1600	mscorsvw.exe
1512	mscorsvw.exe
1512	mscorsvw.exe
1980	mscorsvw.exe
1980	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
548	mscorsvw.exe
548	mscorsvw.exe
2204	mscorsvw.exe
2204	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
1656	mscorsvw.exe
1656	mscorsvw.exe
780	mscorsvw.exe
780	mscorsvw.exe
2396	mscorsvw.exe
2396	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
640	mscorsvw.exe
640	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
952	mscorsvw.exe
952	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
592	mscorsvw.exe
592	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
1856	mscorsvw.exe
1856	mscorsvw.exe
2272	mscorsvw.exe
2272	mscorsvw.exe
1652	mscorsvw.exe
1652	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-312935884-697965778-3955649944-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-312935884-697965778-3955649944-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\K:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\P:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\R:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\S:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\W:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\J:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\L:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\O:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\U:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\I:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\V:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\X:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\T:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\N:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Q:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Z:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\G:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\H:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\E:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\M:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	elevation_service.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\vds.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\vssvc.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	elevation_service.exe
File created	\??\c:\windows\system32\alg.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	elevation_service.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\DVD Maker\DVDMaker.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	elevation_service.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\7-Zip\7zG.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	elevation_service.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC562.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF306.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD04A.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP84BA.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCA32.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8288.tmp\stdole.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4DD2.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP44EC.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe
1228	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	804	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1228	elevation_service.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe
Token: SeShutdownPrivilege	2800	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2032	2800	mscorsvw.exe	38
PID 2800 wrote to memory of 2032	2800	mscorsvw.exe	38
PID 2800 wrote to memory of 2032	2800	mscorsvw.exe	38
PID 2800 wrote to memory of 1448	2800	mscorsvw.exe	39
PID 2800 wrote to memory of 1448	2800	mscorsvw.exe	39
PID 2800 wrote to memory of 1448	2800	mscorsvw.exe	39
PID 2800 wrote to memory of 1828	2800	mscorsvw.exe	40
PID 2800 wrote to memory of 1828	2800	mscorsvw.exe	40
PID 2800 wrote to memory of 1828	2800	mscorsvw.exe	40
PID 2800 wrote to memory of 2700	2800	mscorsvw.exe	41
PID 2800 wrote to memory of 2700	2800	mscorsvw.exe	41
PID 2800 wrote to memory of 2700	2800	mscorsvw.exe	41
PID 2800 wrote to memory of 3040	2800	mscorsvw.exe	42
PID 2800 wrote to memory of 3040	2800	mscorsvw.exe	42
PID 2800 wrote to memory of 3040	2800	mscorsvw.exe	42
PID 2800 wrote to memory of 2156	2800	mscorsvw.exe	43
PID 2800 wrote to memory of 2156	2800	mscorsvw.exe	43
PID 2800 wrote to memory of 2156	2800	mscorsvw.exe	43
PID 2800 wrote to memory of 1600	2800	mscorsvw.exe	44
PID 2800 wrote to memory of 1600	2800	mscorsvw.exe	44
PID 2800 wrote to memory of 1600	2800	mscorsvw.exe	44
PID 2800 wrote to memory of 2120	2800	mscorsvw.exe	45
PID 2800 wrote to memory of 2120	2800	mscorsvw.exe	45
PID 2800 wrote to memory of 2120	2800	mscorsvw.exe	45
PID 2800 wrote to memory of 1512	2800	mscorsvw.exe	46
PID 2800 wrote to memory of 1512	2800	mscorsvw.exe	46
PID 2800 wrote to memory of 1512	2800	mscorsvw.exe	46
PID 2800 wrote to memory of 2332	2800	mscorsvw.exe	47
PID 2800 wrote to memory of 2332	2800	mscorsvw.exe	47
PID 2800 wrote to memory of 2332	2800	mscorsvw.exe	47
PID 2800 wrote to memory of 1980	2800	mscorsvw.exe	48
PID 2800 wrote to memory of 1980	2800	mscorsvw.exe	48
PID 2800 wrote to memory of 1980	2800	mscorsvw.exe	48
PID 2800 wrote to memory of 1632	2800	mscorsvw.exe	49
PID 2800 wrote to memory of 1632	2800	mscorsvw.exe	49
PID 2800 wrote to memory of 1632	2800	mscorsvw.exe	49
PID 2800 wrote to memory of 1976	2800	mscorsvw.exe	50
PID 2800 wrote to memory of 1976	2800	mscorsvw.exe	50
PID 2800 wrote to memory of 1976	2800	mscorsvw.exe	50
PID 2800 wrote to memory of 2748	2800	mscorsvw.exe	51
PID 2800 wrote to memory of 2748	2800	mscorsvw.exe	51
PID 2800 wrote to memory of 2748	2800	mscorsvw.exe	51
PID 2800 wrote to memory of 548	2800	mscorsvw.exe	52
PID 2800 wrote to memory of 548	2800	mscorsvw.exe	52
PID 2800 wrote to memory of 548	2800	mscorsvw.exe	52
PID 2800 wrote to memory of 2428	2800	mscorsvw.exe	53
PID 2800 wrote to memory of 2428	2800	mscorsvw.exe	53
PID 2800 wrote to memory of 2428	2800	mscorsvw.exe	53
PID 2800 wrote to memory of 2204	2800	mscorsvw.exe	54
PID 2800 wrote to memory of 2204	2800	mscorsvw.exe	54
PID 2800 wrote to memory of 2204	2800	mscorsvw.exe	54
PID 2800 wrote to memory of 1792	2800	mscorsvw.exe	55
PID 2800 wrote to memory of 1792	2800	mscorsvw.exe	55
PID 2800 wrote to memory of 1792	2800	mscorsvw.exe	55
PID 2800 wrote to memory of 1532	2800	mscorsvw.exe	56
PID 2800 wrote to memory of 1532	2800	mscorsvw.exe	56
PID 2800 wrote to memory of 1532	2800	mscorsvw.exe	56
PID 2800 wrote to memory of 2964	2800	mscorsvw.exe	57
PID 2800 wrote to memory of 2964	2800	mscorsvw.exe	57
PID 2800 wrote to memory of 2964	2800	mscorsvw.exe	57
PID 2800 wrote to memory of 1748	2800	mscorsvw.exe	58
PID 2800 wrote to memory of 1748	2800	mscorsvw.exe	58
PID 2800 wrote to memory of 1748	2800	mscorsvw.exe	58
PID 2800 wrote to memory of 1176	2800	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 184 -NGENProcess 1e4 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 230 -NGENProcess 214 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 234 -NGENProcess 200 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 1e4 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 214 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e4 -NGENProcess 214 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 248 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 23c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 214 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 214 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 240 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 250 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 250 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 20c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 20c -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 2a0 -NGENProcess 290 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 290 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 280 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 280 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 1e4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1e4 -NGENProcess 280 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2c0 -NGENProcess 290 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 2bc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2a8 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 1e4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1e4 -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2c4 -NGENProcess 2cc -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 1e4 -NGENProcess 2e4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2a8 -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2e8 -NGENProcess 2dc -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 1e4 -NGENProcess 2dc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 300 -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2dc -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2dc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2ec -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f0 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2dc -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 328 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 318 -NGENProcess 2dc -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 324 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 328 -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 344 -NGENProcess 324 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 324 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 324 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 340 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 324 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 340 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 318 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 324 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 374 -NGENProcess 370 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 360 -NGENProcess 324 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 380 -NGENProcess 36c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 324 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 324 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 39c -NGENProcess 398 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 388 -NGENProcess 370 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a8 -NGENProcess 394 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 398 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 370 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 394 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 398 -NGENProcess 3b0 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3c0 -NGENProcess 394 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 394 -NGENProcess 3b8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3c8 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b0 -NGENProcess 3c0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d0 -NGENProcess 3b8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3cc -NGENProcess 3b0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 388 -NGENProcess 3b8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3dc -NGENProcess 3d0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3b0 -Pipe 148 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3b8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3b0 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3d0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3b0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 388 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3b0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3d8 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 388 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3b0 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3b0 -NGENProcess 40c -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 404 -NGENProcess 41c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 424 -NGENProcess 414 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 40c -NGENProcess 404 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 430 -NGENProcess 414 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 40c -NGENProcess 42c -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
648KB

MD5
ad5297303f22667e1582cb65c05b3462

SHA1
a5b14b9fbe64035b0e48075972bdb930f721a3e8

SHA256
bfd98a073b84c6d345c24d6a960137f143372efeb2cdb5006c7a45e26316c8a8

SHA512
42373f9a757741020f03551c791c8dd5b5e8840ded36947976543d6103d5ba3a2cf072756a95d84d08192cf8f95184caf11b6773ab1a62888661132765d42ada

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
f52860cae876627fc55aae4e5c0e0cb6

SHA1
53137ba4d25d647ccc797726163ccbec14b497f6

SHA256
f2ae60a9d76d403d65549d0be86d865e9702a510ebf1b29d32e8d3f02c2c6473

SHA512
e763b119aecd0f90e48dbff77d197dbed0abc8b169ff4dc608c179ee0e5d9bdaec5f3d492b2eafff18ff24de120c6ad7acaa54ed72b2f522c4cf22e9d2e0b284

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
10a7e15a85133a713af02dbf8f589544

SHA1
50f3949abf7024dd30d9f5408cf8a8528c08f0a0

SHA256
340d4943e981604c2385b211f3d06b43c60e97bd492badda5266838d7c26a27a

SHA512
56766b2fdde680c5eb6d34694430d991eec898ae448ced9c5b10b68393d7b4dab68c6ba78ee12df78739b101d60606c64bb3f2c5b8733763b65e8dc720b7315b

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
6c238305fadc08dab9b2cb891a92d9a5

SHA1
f97ae3ff57ee0e0262fdd7b6eb3cdc9d7b594522

SHA256
be9e546e7b13b3c86ef55fc5cee9225d2d6f5c8c4713eaf4f7c469e976667d79

SHA512
d7fe44f14a071259aefc35630031653e5f8c00c61e7f950b35aa0c598a8cf2b0c33a13d04174ad74ab0c97cc60dcca7e85dd20fb7f51b530eb07e35a3d7c1140

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
95f88363fd95d6a1f0a498ded6742da9

SHA1
86bbc5552be4dcaae3fb2ac87e8f5d68e6522bf5

SHA256
000d5670842af9a45b442118ce7a894a8abef04ff9bd3b695ac6b06e19b0ed62

SHA512
aad18a2e16568b63d11dd47b558d7fc4c433ce3b39f914820dfda9e83f49b70943ff0a4845e8b0d779791e1513d3bc5f144137b71ded46bcba626747981f4453

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b36651f555581adc1f3b51dafcf1ed07

SHA1
19f1e5a6db9a4e6b9ab7d73cf476fd935b31efab

SHA256
31ca5c34a5ca178c06d850ab136095225bca6b0ffe0f09875e9f17b5c54aa74f

SHA512
4fb7b0d2c04b8ab7bb1bb174517e061bb694a29ee69caba3d3bbb030834b8d9c5afa9dafbf95f647923a43c803827b8e50c9cc415efdb86b6486414a599c01c3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f421e4736e0210a8e413d39429d8a139

SHA1
6cc10b2a4d88cc340cac280f70ad78c5070e4ce9

SHA256
c7b772ab3e37d24066008ae68d027562304aef7c096352e5da845788b76ba488

SHA512
ede96760447948e024f5a7ec996bfe329ecdceb2f5e876208a35a7769926f551ef6059b882284c97499c9bba8df99d9834d75c5a7f408c2245fe3fbe46541525

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
f120af44e6311cb0a4d9a334ad9e9a48

SHA1
3195112f343ab04e4ab0b631a15e383c6eae1ee4

SHA256
ddcd291a139f9aaf63f9c19fc3a7de37355be64d4c96bca5ae1a91a8e314c8e0

SHA512
66b1011a5eb2ade8493c1fa96d17e3914dc0048d58198047e471324002397bd885a1440f2e2bdffbc47e3e09220bb71087fc885364db1248c637ef9fdd103282

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
63be1cd734489bf1f1ced0d305939c39

SHA1
0d135d2b65e8f6bb73c04c7dc3051a0115d79b4e

SHA256
5b745d8dcb991c868751458c8ffe62a8722cace19ce44618a708ef435e37a868

SHA512
8787e31e099bee5166ab01fa57af9993b60e17ba95e6df1ce5f841ce98ccb84d54f8c3d0df304ec8ab4e8ce3ae7b64e74a2d3438d8f64e9763007fde63db9772

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
a2f9c788875ef593db6952fc00a17ffd

SHA1
9e30d0d98051ca22e2cb820959f1b0ff0f5370df

SHA256
db26f0ba5f681b5b49c81bd0044d813bcc881680c55fa4cbec1e84c0a622d8f6

SHA512
28df4509adf537d497f8b193662fc04a023e5d01a715f394ba37e6ee2399e019aa5a729f6f77e3700f5cd72e9c00da8edc06e7234fb868af8d17e69f93f77e48

Download Submit
C:\Windows\Temp\CabC41A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC5D1.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1c7e2f4b9993b5f85ece4e27ed55913c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
79de7c83400c47a5f5de820cea2f8796

SHA1
394bac70f5f525d23189e480be0eaf40e136345a

SHA256
4a480cfeb92f9739bf00fc4b0d6bc512bff3357e392a06ab37381b7cac18621b

SHA512
31e26910c4a89cee7105c4d3d5e2345cecfa3ceac5a4d948d25659991099390ff498a82b76b98ba66a996de9f2b3cec6ef76bd64219e2ee9d367a2187705d98a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\83745577f6bfdff7b688f09ac9c64c2e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
746eb822f493ca1a604945fc0a5e326b

SHA1
575c379925ad4432fa0b324f43ec811687b49a62

SHA256
37696e054eed2f09b1ec117a64a523dd81409a0c7d1647aaea776e42071e1bb1

SHA512
ae215bfe793341591aafcc460ed0f401a225c255af1224f78a2051cb204f8daf00810bef6b15075478e006a209c8c8138432e0bb6b81d69d63f8b4ad0daa6f11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\947991545136453d6076a55a1f7a1d05\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
97513abe404b6cea65a60492dd28bfcd

SHA1
0db936e1a5277527d9b54787f1b0e46046d63e2c

SHA256
6fcd33ca0b159c812814949ec65a982c23b91b78a7a95fd736f14825b35fb3d0

SHA512
71db909626d14841688ce2c5552d5e1158395e69cd072deffdd58a784b3bb4e33bcf98ba6a2b5b973c7f3adf4fc3b38cbc47d309575f93b559984e5e11445998

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\be717e7274fd965be298268fdcc3513e\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
d78d7a524c134821f975e4cd6191e258

SHA1
315b85d88490e2c849beacd92069e065c8edfca0

SHA256
3dcf86bc6fe05f3a02861801b4845270a5e16a186ea404faac72a62d9f75ed9f

SHA512
90c1a1ccb8fbdcf6eb45e54717ab80fa3a24f7e1c6877a90b6dec628adce7deeab9bc24bdfa69450b28f93426074adf98a95dd61d6ac2b1e41990c26f5854c5e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
648KB

MD5
b12974257ec2f954e4bbf1e23a6d3560

SHA1
072abade48b18f0898aafbd559bfbf42cc57e360

SHA256
c83ea8df4f621f795b561e4e8017ba9b6e3101f9b89d73449078f5cce35af0e1

SHA512
5e2b8c6ecf5d02728bda3665d4b14b9abf82969370cb6ed94c8774f14180123f5c8e472347c25241710b91c6a943f850eabb71c6a23a3c7e6dc7bda1fb030218

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
2b18baef0dd1c872ee8030474b40b74f

SHA1
a935017f67546533590c4b71aee4460e2090744a

SHA256
9bb10e607c723ed46920aa03c987c71c59db4a4393f94c693c5f1520e6a579f6

SHA512
3165ac6d72012f64bf90f032629cd319ece5aa727daff4658844a77db6331411f802dd3f27f11516c277bc1c95010904204c0d0c7580467203df783647202278

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
723KB

MD5
15247d219b8f75fd89a0bc7b61e8f145

SHA1
b23908e6d78c49876fdc82641d59243c44a6a4b9

SHA256
e1b4a38f7c4636b9d4252bb544e80d0a046ae537b8eb25363de6d2e1827ae1dd

SHA512
40335cc9f779b4073088a510faafc4ed377651e3b2d0a5075de15101fb293b4978447180ea463201cd751ce15b0ff6cd97e44b9172e7e069c0effa4c4c41fc60

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
632KB

MD5
e44fad36730e4b8d19e1e48d761688e4

SHA1
2a919e73cdde89812d933668607b0e0c11a24da0

SHA256
972e33c857cc85fdad908a24b9517b9fdca63d5bb2ee57d54e8f4d7b8e13badd

SHA512
93aa3f764e043c77164031728154f5439bab26eaaa07eaf5059e6918a6647339739d00223e8842d8b7aa5cb987a0c77aaa34b28672461388a2ca74309ca5cbeb

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
544KB

MD5
b2fe21444e88543eaace22f27919cbd8

SHA1
a9efa8b9cd75e86e8a32d5535c8b243cd0ff5e1f

SHA256
58221e54f3544613a168ca717b8cd8b6a6842e50418630f82d2e7bf6e196738e

SHA512
2f2ac71ab9ef2135e4328de31a625e058235bce078cb2eae8b8b39e7e8b10922c058072945e7e0a6372681ea21e7ef5c95ca87ce7d4e08b1abf5eced37391b53

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
585KB

MD5
23ee08865b509cdc70bbdebf3a192e13

SHA1
bc3284d88a00aba99a624e72a55679b7d829f49e

SHA256
eb57f0ba187f03581d173ad8ac37f25bc5e6513e02885c5106cf2a2ec85d2910

SHA512
4e7411b9b5014bb6444b4a67ab696b74165cddf101de43c6454fe9877c6a15827b2384e319e79697c2a5c68179253bc560022b583591c8070a114aa3af325e93

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e44c740d7162f9f82f28228daa427dbb

SHA1
a7d8b1ada9ffd3c1ad699701458bbf9c7df9f647

SHA256
b9cb660676fb231101d124039234a0b5bdefaadf5f00dd89b10653c57cd3bc5f

SHA512
25ee28796cefdd56571b5525dd02898798d478e129d9173683f768ca33f924cd4dee9e45b4935f4e84f21353424e526b2fc99821f75a42320d0174eb2d5be13d

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
646KB

MD5
9cf38eeefc7bd67c612ba9f3c958c0a6

SHA1
9fc983022dc2e5e4c2d1c054f0a7a199fbcac451

SHA256
08caf673c112906dd9fc5ebca9085d466fcd42e3af58d97eb1f51b491ee2c2e4

SHA512
e81c166b08e0dd9975120a360bc69f2ca4e3d28f2398ab6c60acb3621049b8805d994ee57a84931fc2db6e4b38c4e6862b572de770f425fc0f2f4026e72c80be

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
633KB

MD5
5176819fa9486333cafce40f5c7419ed

SHA1
eab0fc11f9d1a0dbd541e750e94e55b19944c0b2

SHA256
321986219716c96e449490acc3befbf2eaea89d81881d9efc6f6914ca850fb5f

SHA512
5ae640b7a6776e19fd9ffd7e562ee304bd63b7607f850706689f389899be5e9da8bca2371cc4979169bf241dc0ba5d8b479e8580fd6495416a91b62158e876b6

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
522KB

MD5
07eccef854d101555c55a54d64cf6313

SHA1
2e082c7734659faf3301978859f5e7f842b4d26a

SHA256
8b971c12d8db72a5fe08abb03cc59cc45be77c5b583a0fbaf49077e17f9c4f36

SHA512
b0d8135b1851e3ecd9158a173aafd0ce262b907e13a34ca0d2a69c193582142ce8ac1b0fb0f019234a5ff9b690d5b98a467b34b5424ffcbf68454af3bf965743

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
548KB

MD5
c1fbfb961f8f5e73bf2e1c9bc48bd234

SHA1
6181200df151818d1fbc27bb8a6f627cf5f237ef

SHA256
8697c048ed13be8b1eb87127cc6083ef2c1b59e9a92fc344e60e69e89ca834fc

SHA512
08a2b14a867b8cccfb0bfa3aacad0d837efa3d49d86449d35b428c973e16cb288a7289c3fd21d97f30a9c15ca97808d4da6d57a3554af10223f5d5ba7bb64444

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
83662827545538fb051265dd67bd5b19

SHA1
73541323bd55afd4d0b69365597c793cb2e2f613

SHA256
d984867004378e3ede8b92d11fd10e81ea3c8fa7550d57b11f8a2d42ccca0e7f

SHA512
02bca8731ee0bac2ce643500f9c396603806eb09cd4deff0395e8c84e87bd3c1df8419954991171ff23db58f19d9591ffbf6d5100088cca6880d245e9df50484

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
3f6f5d40c9812f1012279f01ef518629

SHA1
ebe4a86a5ee23c8237e44ff1d5351a0685332569

SHA256
54b15ec5b91d211c8963163aa1a913a05731481d26a378169df46bc1792c5e16

SHA512
c14bddbf1c93916c1687217bfd18acb0c3f9ee9c30c74e14ff88d32a202143932ca855b6c7fbf843397efc7d7a4ca0294ed87dd1d4e0a2ed59ccd28c71b3765f

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
706KB

MD5
b065c90a63197a203c48695c1205ce51

SHA1
c1d0d1b1c17e3685801c843a0477a892aa1284ab

SHA256
1b82100748e1734ba2ca1e1e34ec60468ab77474e446752ab12b60b276765f25

SHA512
d641471c4698cdd95b7fe131b049f67f6258a463ef85450ac9d78d7f55968918b7645fc45ed3d4493b54a951bdb3ed959ddc549055253be49701c0791778b9ac

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
64f58e360344b4fd8ffeb7cc224cd2a3

SHA1
42d0bbf573aade284c164b99552901ffec05a7ef

SHA256
f5389437ecf7584cc8eff25d037479f8c2bc94ff6f8076921300d4bd369a57a2

SHA512
c2e579256d4520c729542318690a663820def274d0cf0b1473c14cecb38ef0cffc5f4c6a63349e19496d9b97404512de4cd544061e89e2d2a9a4220d8375588e

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b720bde7168778787dd5da94d102f8ed

SHA1
673e02724b0e206012c41577e686be563cbac0fa

SHA256
650bda0466093c8be9915411d690a0d19498b82e77a314460fc0193332f4fa97

SHA512
b92f62610b730f37f55b45df0617263c0f4b984be41bd1ea06329821f6b33ba22d0700fda10f0c451be096ebe210bb137be727c7efb6da2eae030db2ef291010

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
618KB

MD5
01b261464bc9afaecba66af15af3510e

SHA1
3a5ed5fe4a26a28d59ceb679773e01bbf04d9878

SHA256
8438c25243d76cb458cae3af95d71b7eaa538e060d361d9a8eda46b297e1af23

SHA512
505bcb9a405293996c3870a565226eff9f0857e979277df40078b21618c1185db7db3b1cdd8a0d8973f8e2b7f03ef035df33928ff14b5fdf9c40b19800227619

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
617KB

MD5
7b57b09930e5357a3c15426f447e5e5a

SHA1
012e638e2b53472fa2f4e7478bd9b6a38fa8d2d6

SHA256
b16f20f02cad659d44f060b17f34edc8f24b22aed528d1553cc200afe4ba5c76

SHA512
59368ba0e9cb9535097c94d81d0479c497eea01de35b43921d436b247edc5a7bc36b560661d97410fda7dc2bcbb171fb507d3c47aced1fcd40024d9c2e915bbd

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP421F.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP44EC.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4856.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4B14.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4DD2.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5090.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/548-414-0x00000000007B0000-0x00000000007CA000-memory.dmp

Filesize
104KB

Download
memory/548-419-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/548-430-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/548-415-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/548-420-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/804-2-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/804-0-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/804-1-0x0000000001008000-0x0000000001009000-memory.dmp

Filesize
4KB

Download
memory/996-89-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/996-211-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/996-162-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1228-152-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/1228-82-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/1448-173-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1448-171-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1512-338-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/1512-358-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1512-340-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/1512-339-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/1512-337-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/1512-336-0x0000000002F30000-0x0000000002F48000-memory.dmp

Filesize
96KB

Download
memory/1512-341-0x000000001CA10000-0x000000001CA2E000-memory.dmp

Filesize
120KB

Download
memory/1512-348-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/1512-349-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/1532-453-0x0000000003050000-0x0000000003066000-memory.dmp

Filesize
88KB

Download
memory/1532-461-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1600-311-0x0000000000820000-0x0000000000868000-memory.dmp

Filesize
288KB

Download
memory/1600-309-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/1600-327-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1600-317-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1600-312-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download
memory/1600-310-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1600-316-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1632-386-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/1632-388-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1632-385-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/1632-383-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1684-54-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/1684-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/1684-21-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/1792-450-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1792-448-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1828-289-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1828-282-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1976-392-0x0000000003010000-0x0000000003058000-memory.dmp

Filesize
288KB

Download
memory/1976-408-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1976-391-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/1976-390-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1976-393-0x0000000003080000-0x0000000003094000-memory.dmp

Filesize
80KB

Download
memory/1976-398-0x0000000003280000-0x000000000328C000-memory.dmp

Filesize
48KB

Download
memory/1976-397-0x0000000003280000-0x000000000328C000-memory.dmp

Filesize
48KB

Download
memory/1980-368-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/1980-366-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/1980-369-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/1980-384-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1980-374-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/1980-367-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/1980-365-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1980-373-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2032-172-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2032-151-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2120-330-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/2120-331-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/2120-332-0x000000001C530000-0x000000001C54E000-memory.dmp

Filesize
120KB

Download
memory/2120-334-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2120-328-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/2120-326-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2156-299-0x00000000030F0000-0x00000000030FC000-memory.dmp

Filesize
48KB

Download
memory/2156-298-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/2156-300-0x000000001C4A0000-0x000000001C4E8000-memory.dmp

Filesize
288KB

Download
memory/2156-301-0x0000000003110000-0x0000000003126000-memory.dmp

Filesize
88KB

Download
memory/2156-303-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2204-439-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/2204-449-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2204-435-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/2332-359-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2332-361-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/2332-363-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2428-431-0x00000000030B0000-0x00000000030BE000-memory.dmp

Filesize
56KB

Download
memory/2428-429-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2428-433-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2700-284-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2700-291-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2748-409-0x0000000002F50000-0x0000000002F6A000-memory.dmp

Filesize
104KB

Download
memory/2748-407-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2748-412-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2748-410-0x0000000002F70000-0x0000000002F86000-memory.dmp

Filesize
88KB

Download
memory/2800-150-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2800-58-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2800-57-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2816-46-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2912-59-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2912-33-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2912-41-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2964-462-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/3040-297-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download