expiro | edd9591cdee85a13fd3da4a1b9220b87c7c1ec1be671bb6764591f0ccb950d6d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
Size

678KB
MD5

d0da8135857c0fcf60dfe3876e78540e
SHA1

f3b45ff87192b2b2a9566e8555fe8cc7f388793d
SHA256

edd9591cdee85a13fd3da4a1b9220b87c7c1ec1be671bb6764591f0ccb950d6d
SHA512

268ea94b928b70f74b49a7f405ee7f00c181e37538ea128757c26836bdc9d8766e256f26415c51f2c35e5b2408ab48c6d181eb19c4665794f71648a5f8f368dd
SSDEEP

12288:TIdZTfS73Xv/D80qhuiCUE1dcFHhY5aIAEir8FbsPbT:TfLiCVGFBY0I2We

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2768-34-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2768-35-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2768-43-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2768-42-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/1284-287-0x000000013F040000-0x000000013F1A4000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2084	alg.exe
2692	aspnet_state.exe
2768	mscorsvw.exe
2520	mscorsvw.exe
572	mscorsvw.exe
2388	mscorsvw.exe
1704	mscorsvw.exe
788	mscorsvw.exe
984	mscorsvw.exe
1564	mscorsvw.exe
2460	mscorsvw.exe
1692	mscorsvw.exe
1292	mscorsvw.exe
2580	mscorsvw.exe
2716	mscorsvw.exe
2108	mscorsvw.exe
2600	mscorsvw.exe
2488	mscorsvw.exe
2324	mscorsvw.exe
876	mscorsvw.exe
2664	mscorsvw.exe
3052	mscorsvw.exe
2000	mscorsvw.exe
1992	mscorsvw.exe
1860	mscorsvw.exe
2360	mscorsvw.exe
2892	mscorsvw.exe
768	mscorsvw.exe
1980	mscorsvw.exe
2652	mscorsvw.exe
2312	mscorsvw.exe
2492	mscorsvw.exe
2940	mscorsvw.exe
620	mscorsvw.exe
852	mscorsvw.exe
1992	mscorsvw.exe
1860	mscorsvw.exe
3012	mscorsvw.exe
1336	mscorsvw.exe
900	mscorsvw.exe
1136	mscorsvw.exe
1628	mscorsvw.exe
2184	mscorsvw.exe
2984	mscorsvw.exe
824	mscorsvw.exe
1676	mscorsvw.exe
2176	mscorsvw.exe
2148	mscorsvw.exe
2684	mscorsvw.exe
2580	mscorsvw.exe
2716	mscorsvw.exe
1980	mscorsvw.exe
2652	mscorsvw.exe
2828	mscorsvw.exe
2024	mscorsvw.exe
2272	mscorsvw.exe
1988	mscorsvw.exe
2360	mscorsvw.exe
1744	mscorsvw.exe
740	mscorsvw.exe
2104	mscorsvw.exe
628	mscorsvw.exe
2060	mscorsvw.exe

Loads dropped DLL 39 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
2940	mscorsvw.exe
2940	mscorsvw.exe
852	mscorsvw.exe
852	mscorsvw.exe
1860	mscorsvw.exe
1860	mscorsvw.exe
1336	mscorsvw.exe
1336	mscorsvw.exe
1136	mscorsvw.exe
1136	mscorsvw.exe
2184	mscorsvw.exe
2184	mscorsvw.exe
824	mscorsvw.exe
824	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
2684	mscorsvw.exe
2684	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
2652	mscorsvw.exe
2652	mscorsvw.exe
2024	mscorsvw.exe
2024	mscorsvw.exe
1988	mscorsvw.exe
1988	mscorsvw.exe
1744	mscorsvw.exe
1744	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
2256	mscorsvw.exe
2256	mscorsvw.exe
2516	mscorsvw.exe
2516	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3290804112-2823094203-3137964600-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3290804112-2823094203-3137964600-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\N:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\M:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\T:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\Y:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\K:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\X:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\V:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\Z:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\U:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\W:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\O:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\G:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\J:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\Q:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\R:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened (read-only)	\??\S:	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\ddblgnpq.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\cgbpcjfh.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\system32\feemkgoc.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\iqpfahbe.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File created	\??\c:\windows\system32\lfepajlc.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\nekbkbeb.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File created	\??\c:\windows\system32\dfbcbiib.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File created	\??\c:\windows\system32\agojkcfb.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\jaooallp.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\syswow64\bohcqgob.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\wbem\icqbopkp.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\system32\pkgmbkkc.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\kodglojb.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File created	\??\c:\windows\system32\ckgnhiij.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\jhggdbdi.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\bqjogmpo.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\program files (x86)\microsoft office\office14\fafkkkeg.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\pijgofaf.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\clmaedbq.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\program files\windows media player\fngbjann.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\program files (x86)\microsoft office\office14\mbnnkppo.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\gjbgiiok.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mkkkimof.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	\??\c:\windows\ehome\efcbelpf.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B59.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65B5.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP68D1.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9109.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP57A2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\ehhkojoj.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ejbhaoij.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F18.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F1F.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\gnfhimkp.tmp	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe
2084	alg.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1284	JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2084	alg.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2388	572	mscorsvw.exe	35
PID 572 wrote to memory of 2388	572	mscorsvw.exe	35
PID 572 wrote to memory of 2388	572	mscorsvw.exe	35
PID 572 wrote to memory of 2388	572	mscorsvw.exe	35
PID 572 wrote to memory of 1704	572	mscorsvw.exe	37
PID 572 wrote to memory of 1704	572	mscorsvw.exe	37
PID 572 wrote to memory of 1704	572	mscorsvw.exe	37
PID 572 wrote to memory of 1704	572	mscorsvw.exe	37
PID 572 wrote to memory of 788	572	mscorsvw.exe	38
PID 572 wrote to memory of 788	572	mscorsvw.exe	38
PID 572 wrote to memory of 788	572	mscorsvw.exe	38
PID 572 wrote to memory of 788	572	mscorsvw.exe	38
PID 572 wrote to memory of 984	572	mscorsvw.exe	39
PID 572 wrote to memory of 984	572	mscorsvw.exe	39
PID 572 wrote to memory of 984	572	mscorsvw.exe	39
PID 572 wrote to memory of 984	572	mscorsvw.exe	39
PID 572 wrote to memory of 1564	572	mscorsvw.exe	40
PID 572 wrote to memory of 1564	572	mscorsvw.exe	40
PID 572 wrote to memory of 1564	572	mscorsvw.exe	40
PID 572 wrote to memory of 1564	572	mscorsvw.exe	40
PID 572 wrote to memory of 2460	572	mscorsvw.exe	41
PID 572 wrote to memory of 2460	572	mscorsvw.exe	41
PID 572 wrote to memory of 2460	572	mscorsvw.exe	41
PID 572 wrote to memory of 2460	572	mscorsvw.exe	41
PID 572 wrote to memory of 1692	572	mscorsvw.exe	42
PID 572 wrote to memory of 1692	572	mscorsvw.exe	42
PID 572 wrote to memory of 1692	572	mscorsvw.exe	42
PID 572 wrote to memory of 1692	572	mscorsvw.exe	42
PID 572 wrote to memory of 1292	572	mscorsvw.exe	43
PID 572 wrote to memory of 1292	572	mscorsvw.exe	43
PID 572 wrote to memory of 1292	572	mscorsvw.exe	43
PID 572 wrote to memory of 1292	572	mscorsvw.exe	43
PID 572 wrote to memory of 2580	572	mscorsvw.exe	44
PID 572 wrote to memory of 2580	572	mscorsvw.exe	44
PID 572 wrote to memory of 2580	572	mscorsvw.exe	44
PID 572 wrote to memory of 2580	572	mscorsvw.exe	44
PID 572 wrote to memory of 2716	572	mscorsvw.exe	45
PID 572 wrote to memory of 2716	572	mscorsvw.exe	45
PID 572 wrote to memory of 2716	572	mscorsvw.exe	45
PID 572 wrote to memory of 2716	572	mscorsvw.exe	45
PID 572 wrote to memory of 2108	572	mscorsvw.exe	46
PID 572 wrote to memory of 2108	572	mscorsvw.exe	46
PID 572 wrote to memory of 2108	572	mscorsvw.exe	46
PID 572 wrote to memory of 2108	572	mscorsvw.exe	46
PID 572 wrote to memory of 2600	572	mscorsvw.exe	47
PID 572 wrote to memory of 2600	572	mscorsvw.exe	47
PID 572 wrote to memory of 2600	572	mscorsvw.exe	47
PID 572 wrote to memory of 2600	572	mscorsvw.exe	47
PID 572 wrote to memory of 2488	572	mscorsvw.exe	48
PID 572 wrote to memory of 2488	572	mscorsvw.exe	48
PID 572 wrote to memory of 2488	572	mscorsvw.exe	48
PID 572 wrote to memory of 2488	572	mscorsvw.exe	48
PID 572 wrote to memory of 2324	572	mscorsvw.exe	49
PID 572 wrote to memory of 2324	572	mscorsvw.exe	49
PID 572 wrote to memory of 2324	572	mscorsvw.exe	49
PID 572 wrote to memory of 2324	572	mscorsvw.exe	49
PID 572 wrote to memory of 876	572	mscorsvw.exe	50
PID 572 wrote to memory of 876	572	mscorsvw.exe	50
PID 572 wrote to memory of 876	572	mscorsvw.exe	50
PID 572 wrote to memory of 876	572	mscorsvw.exe	50
PID 572 wrote to memory of 2664	572	mscorsvw.exe	51
PID 572 wrote to memory of 2664	572	mscorsvw.exe	51
PID 572 wrote to memory of 2664	572	mscorsvw.exe	51
PID 572 wrote to memory of 2664	572	mscorsvw.exe	51

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0da8135857c0fcf60dfe3876e78540e.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1a8 -NGENProcess 1ac -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1a8 -NGENProcess 1ac -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 228 -NGENProcess 230 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 224 -NGENProcess 1ac -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 214 -NGENProcess 218 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 238 -NGENProcess 230 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 1ac -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 218 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1ac -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 218 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 230 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1ac -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 218 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1ac -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 218 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 264 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 230 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 260 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 230 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 1ac -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 210 -NGENProcess 24c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 234 -NGENProcess 228 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 22c -NGENProcess 1ac -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1bc -NGENProcess 24c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1ac -NGENProcess 24c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 180 -NGENProcess 1f0 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1f0 -NGENProcess 1bc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 24c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 180 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 1bc -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1bc -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 230 -NGENProcess 180 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 180 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 254 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 230 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 26c -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 26c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 230 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 230 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 290 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 26c -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 298 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 268 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2b8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d4 -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2c8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2c8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2c8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2e0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2c8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2e0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2e0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 320 -NGENProcess 2e4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 31c -NGENProcess cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 334 -NGENProcess 2e0 -Pipe c8 -Comment "NGen Worker Process"
  2⤵
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess cc -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2e4 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
534KB

MD5
3cea47c8fb754724cdd9d02877bd9ae7

SHA1
6c0cda296a1d0a4fb8d155e9ba190e418b05aa0f

SHA256
7903d42d88ea9637df999363f079dd3933ade99275b7bb03a68672c2f19ba03c

SHA512
b724a567c5dde79d31278c6466c6dd4ad54409a7e02f2f271344b9e793c0346f75cfcb9bbab5b5b20316267c17a7c91fe0efaa053516d87f7f75fd60f230e406

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
ce669c0a23344ae82025e7ccbe719e36

SHA1
978d0461c942ff995ebeaa5a2e433fb39c69baf4

SHA256
dd18e1228ea5388b3e7708798b5149ce5083bb32fb58febb6919beb56cdbca81

SHA512
e50ac1cb039a2298a07670bab297ca99d617c936627ca8d5735e27c303c7be20aded1115598bcc39bf2e522c0632c9469eac5eb094cde28ddd60628278eb0079

Download Submit
C:\Users\Admin\AppData\Local\fcinojbr\cmd.exe

Filesize
732KB

MD5
fd072ad4f446fc6b01d0f3fdcf74cadc

SHA1
8cbcc218ecc13bc7c7e530b8bafbc02cf3e3e32e

SHA256
87ce9f7d7afbbaace556a8f7ebb688c87c4f314daf2138bd6c8a229ac8fb13f3

SHA512
9fbb62959b4b403ab8472ff8144621c0927fc822c61ddc86f703236f5d45d7222b7950471416e7b51d7e83fa4d32325b9dbb4a06ac384eed40656ace68ecc9d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9270199c2926b465e9881623f656845a

SHA1
5cad952e01279bea0076bf5fa7f2e4e0c7ab5a40

SHA256
c78ff987585f5a18b8f1b620f2bc770c1f21fae79227cf17f0317676c02d1ced

SHA512
39ab656cdd43e43ebe55e806cc7a007a83ebecbb201a65f31c12791eb71abeae128d4595cccaef00f0f7fbbdf1b1af937396dc0651a938908e1c3e0205da6226

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
e9b199bd2ffa1c2e895af50ebfd152e2

SHA1
622a43069d7b6efa221b3b728db7a2a5797f107c

SHA256
5fc23ae11c1969f14abc3b9403bf45bd9b52dc5a4dd7e2d5a9ca66301657a189

SHA512
1ea0434953aee5f7d9d833afadadedb6d6602522f9a126ec504134dbc59a3e622845e8cfa91554caaa1ff0f3f2692123cbc36302d7f45833c361a48e75e16408

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
4f73225c70cea168fd34582f11882224

SHA1
a1cf024aef4b50d462f5624da4c180eb04e8b157

SHA256
ad12112010b24b0986b87f141f18f3a8d3d7d7c64795bc655dae1a982d940ee0

SHA512
5b788d10a56dce9a8c0123583959147a832ead7f7f53e8f5f41c10de99cc61a5af5e1405114229d085f0d9598b641dcec33bca764c52c0806b0018e0505e73e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e297958bf6bfce77784f42dec02a5251

SHA1
e305c4afc2aa95042fb6a9198cb8ce3c62746cbf

SHA256
272a3f7ee9e11146f5dba5903f4699e1e5a0c072c1c78074c268dc47a448cdd5

SHA512
3c689d30649b462dea7ac691514cf34d594f9696b1186948aecd71050544f97872d1b02f21d98ebd7bb735c34738e1c41645793086ce616fbf03ddac5a5b2049

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
7b9296f0e9c60f9981d8d98a7d641e41

SHA1
2ae50d2c7d5aa2c06fd036ac03afc99b58cfe966

SHA256
07f860d2a51f1582f20e0054d971fc776672c910ee9ac09d362605b580749ae3

SHA512
b59c75a8aca148e39e1b890e56bc748fb5f34e9ebf50ed11a91731f48d676bd53cc7f45dae865b0f562820965854a02210862b8d1ff1e7627748589038b1b122

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
13bedfd869e26f2194492631831297f2

SHA1
75df7e6d645d4920c0cb5ed065aa362ab82ffe9a

SHA256
7041841f33b6a3069ad779f19d6402f07a66b07cee6e6b00b9ce3cb86e110566

SHA512
677df82dd0d56fa8cb209fa5008e8168e2f7a693c1fe6a617f6a0ce9c82fc88548c9acbccff4397d6439651010d63f75810ea58a780fa8aedef4c59a14dabc5a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\677f702dae85e9e71dd263389b314e4c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
707dfd12050367afa559a46fb9f58cc3

SHA1
5de2d34f0244ea30a7cee2ce057911d496b275ec

SHA256
c573fbe5d6d82ded4bf0b6e009ec70ce0deb2b6a17d071941d4be4d7a533c4b2

SHA512
09129b72022fdd6853ab271997dfe452df1fecc718b07b334559c481f5524c9cbb9a36f3f51631046332b5841012d273882b8ce5e95c6d38a52b7634dc15e3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\869e5a88cd5b54e076763490343782b9\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
606df7a35c4f4fc29efc3c1ae598adec

SHA1
d07db8382434e1647ba8cea98bee606a88d145cd

SHA256
2ae1c719bf392c352759c9f5c5c5b5104bfe829d270cc7b276fc9544191e7ddf

SHA512
28bd86826e939354a3b0f679aa4e1b900f22db4749a7bb991f09a79c5086b3a032f03b0defa9915206ef53ab5316d3affe4c9a3f919581d29e983620c0841f35

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d2357a5b97fa38cfd62be44ff49d5048\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
f3da418f928978a8e7d1774fd692a3af

SHA1
825a516f411d55a34ad96e953847e1d27a7c8b24

SHA256
1f12bb04f134aff507c99cb634758c6c39305129abe93b22fa1a5a376dd825fd

SHA512
9a4e3404aae8082606b203df252d80336dff750ac98b08153b3fc4d27d49e878527a50fbcac7c09e7feb879b166efcfde4c6b6dbae49af5af6301673e0956f7f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d3ad3a28bc48543c65431b8293df0d1c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
e1a214ba73691711f1dd8df707209315

SHA1
64e3753b618a8b0a7dc389c3b08bdd50d6930b7e

SHA256
9bf667cc249ec2b90405fbe73bea9b9925758a5d646a9e8716fc774a8f35a8b3

SHA512
83f56e0b0fc3c547a4f5104076e0bef32f7aea3295f206348402b2b4b9028bbfea45bd58d3563b4ec03d1ab37ee347bd7061338484d86ba7f894ebfb0a991bd2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
f54f8082c3b118451950a30b38f8e2dc

SHA1
699a9e0128392d99be65463af53a23df259434a0

SHA256
d3b3a2a37d062c048a25c348b266e7fab6bf9e12c64bc491212554c768d8c789

SHA512
7c04b024f01960d9da6a6c9f0f048b32a5f4f2ce366362c4053546bcbc49f6be291a673bef07c4637d9de5a872ef4e43a193c7954e67c0ca73daae3b4975fb68

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.9MB

MD5
0e21b16d46528dda5773d7cfb91e01c3

SHA1
d94530ea2fc0e1285e3cb5f4d95b162ec84e879b

SHA256
624487a1008840bf964b77309bc88fc91d6a0a67c6a3c4b0058c569c62b7e361

SHA512
308bd4e945009ccead67c42662283e4ae8303c9c49b258617c4eadaf3056eefe081db3f9730af7824b5668fbbfef4db2330246b052d27cdbd07d21dc50272c35

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
f5fb46f0f63251c4e2c1e07c479466bc

SHA1
277b252714c9ed318c855e23b3e7fd18838224c9

SHA256
09523d9420967a6dccd3051682a6d5a4dedb26faf6259ccb040eaffb1e506a38

SHA512
53aa4dfd594696d259ec137cf3fac7c1ed6b828020c2311240089f8bee8f015ff22f0afb6ed1394afc6a642a464b281616cdf74695e929a794b61da1c9862c48

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
bf110586a472506275fbc82a127fc4ff

SHA1
0464a4fb2680efb6a015c50a82ab3efcf2fd3437

SHA256
cc473a7ff76ada64847eba9fd5149333db9bd4a49537c0618624ed0afa0053d1

SHA512
02b621a394309529d01cf48a9cfcb40a989c371d82ee7303223d1e2c5816f1aa40f80b4a9622dd97724126cc4ed2e2f875071def5f0cb47c26ea8280156cd96b

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.1MB

MD5
ba26c72434f024dab5a013200443c895

SHA1
43f27fb7f2a22f2653d3cb4c255e40e5d0f1f141

SHA256
d2c3648597d214afb65cbc445f501a9126dc9cf0755c3b467ceb9989fb781c6e

SHA512
b4f8442f8763c9875a227371ff7c186db9358069ee6d5049be4fe609b66299270617dcda475c469915144449c67ff31565b849bdf98df922a96836c0ec313eb9

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
519KB

MD5
e8de1c61b1f28ada3e3a35ce3b29c973

SHA1
c48ca0d64ecb36e68b00ea0d3e8a99b7dbad6528

SHA256
0fe754b339e5f6c02ad26ab04ce0a7c4d8abbd84bb055f63c2c53300a75cb43c

SHA512
9edb50da1357913482cc2be00cfe408444e5fb901962389199abe5fdff214e571185eba1c60ecda85cb41399bb960917716893f5123e451d99f97e4cc9a5c968

Download Submit
\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe

Filesize
1.2MB

MD5
90f5d09e78cc868f8bcd1ed938d73bec

SHA1
c42649ebf398d3912f01b78a00b9162e16677035

SHA256
fe54c09f481615911794421f67c6ad5ab747f3f6e34eed13236aaa9fed2b7139

SHA512
6906386649a457e00654f29d81cff47d1fa4294473ebe3dda58b9f45d2ad585a4507358f8fe3a8a5c4a303d0863ba77619b74afbd3862ffdff1f5fac7ae55c7c

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
082a526159a487284b70d5fa6348c9e1

SHA1
4d1d55c6a5935b7081f1512f2dc19e98d47f84d5

SHA256
36f91365016d350a864343062543210b137f16ca4a27ab967289d245e4b3069d

SHA512
b5c7e3c62ef92f39937e825636f6df1fb4a5aca08eb62a2be465e3175ae7ed4cd0746e8694107fff4d74df3c90bff9d7b25a40a14ab800ff6f82ef497c7c06f1

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.0MB

MD5
06d8e857700a0dc25991cad425f9304f

SHA1
4d5ec1fe0767a7bb1f11517dcfb1f9f67d8c67e3

SHA256
97d4221272631acebcb3fe3e9e5772d484a1db8c76c2fbd189ae302782b341fa

SHA512
4362e30a8e625bba2ef55d65c6d36e1e4357ac80177c0f3647ea8b3531d7b73f134df24b8e59f4d6e0779c2271e41643562253da82e0a457672bcf96a5c919d6

Download Submit
\??\c:\windows\system32\locator.exe

Filesize
405KB

MD5
1a2d367df185e549caeba0ce95b7d6d3

SHA1
d7237248c5c747436bb5debeb039e1f3a7971fc5

SHA256
a36fa790aedbc9a6674a110838ca4923f3d3f51a0e37736856dcfc84402caaf6

SHA512
761b65d1f6bc4b95e5849b2af1a8cb0e553fc6f9bdcd5688e2e2cadbb6bed16af10a622d31a17d85b6c04efbc965bd7da504166a6bc76c3cab9dc22cc0b8b4be

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
533KB

MD5
640756fd6b33d589212c941c6ce47c0b

SHA1
81f9c76435baff67c8fcec34e6bbda8191e31c67

SHA256
10a331284f563765ba488a5101c1a99f60cc655d21f8d048db11475860be23dc

SHA512
c0b275e04e2fb3ac785c58e49063fe342dcb57282553ad1fbd9532cee628937dbcc58ccff3e05dbced2c95c81bb02819177f3b991502f837bea30a965d21f153

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
523KB

MD5
ed7fd63797209c510ccdaa891f00f3cf

SHA1
57f80ff02b27b44e2bb001bb67cfc6926f8c2d15

SHA256
6dc73f5acbd1582ea33507fcbda9efa3dfd0fed77424bc7e200512434fdc9c1a

SHA512
e455bc7ea981152bbce0b0771cb72661e0e73d1a0dd46af6a8baf3b10b31f6ed1f9c7798dc8f34f098b08d1416e8592e4113495e09b2895c4cb6bffd656d20cb

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
409KB

MD5
68871860f7c399f803ca5b08972dcff4

SHA1
974dc7690fa25a228d11da8ffa8c7886d8638b17

SHA256
ddda0073c83bb11d9e448dcbee737161e284ea441949f0f3c6e9d923ca48e6b3

SHA512
787cc5962f7455388065bfa3ad85627c0f45ab66be4c79b8ffe06e0aed29b0d826634fc369cf0148f62543fceccde173b151d2bd727aba12ab9c9cbd5c080a1c

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
435KB

MD5
96c6ab27a2cf67d4c6cac3e8e2dca0b6

SHA1
ac4154c602fc567b8a9f5b788ba6fe57577a1c7e

SHA256
33fe5a7070ed460ca6ec900e9d928c28dbf418921f1042a8298fc8fdde7c3356

SHA512
0904b68b10c971ae17724d25270bda779f39172f4209cc130c70d7d16a887e688428d52f56430eac0dd0edb145aac7da1e17d9c56de4d9f8068712ae0ddcac0c

Download Submit
\??\c:\windows\syswow64\perfhost.exe

Filesize
415KB

MD5
9b9a0d5807db646cc7b77894b96b215c

SHA1
3b7f4af9d61640eefc17c445e8ebaa3d897be499

SHA256
564cd6fa5f387ab385a244510f59827edf95cc51ccef9a4fbf019ff5ebefaa55

SHA512
77e3130b59ce2e43cb42820e2d0813b2974803d0a799f01299d60c0c178e5f72b52cbe3493ea937f4daebcba7363ab639ec15250a8a5ebac8c9343580c545b08

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
3969bb6070e0ec92babdbbbf95f50820

SHA1
984b4b8ace42d7967d18ab5b82874af4522e483c

SHA256
d97032e7c70e3b070da2310bb9055597c6f94c3e55833c65de5f414a6b07cfe3

SHA512
756a4c0c31b913c843c331defb18c02140fb9cdb2e2a335ead6deaa2ba76c043d015700b8b0b351a4ff7607d6d78239e3b52dcc83bc7e798cb461655523c0a68

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
d67d577e76e24cb22e2f4495127fd7b6

SHA1
b82a139fadd593704bd8f50405ed36db7e0c3da3

SHA256
aea25b7ad83820c2249e2326837a42e1227fccf9cb00fa6b163988dbe79d4b0a

SHA512
ed2ddcf44a29cd7007f63ea5bb58a43545bb2920ef78a763b751454e2b0c56f96a357b8bfebe1af9134704946c52dec8c5a3646fa3835b72c966858793ea40b0

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5457.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP57A2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
memory/572-301-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/572-300-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/572-302-0x0000000000F50000-0x0000000000FB6000-memory.dmp

Filesize
408KB

Download
memory/572-299-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/572-298-0x0000000000F50000-0x0000000000FD8000-memory.dmp

Filesize
544KB

Download
memory/572-290-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/572-291-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/572-292-0x00000000000B0000-0x00000000000CA000-memory.dmp

Filesize
104KB

Download
memory/572-293-0x0000000000F50000-0x0000000000FDC000-memory.dmp

Filesize
560KB

Download
memory/572-294-0x00000000030F0000-0x0000000003194000-memory.dmp

Filesize
656KB

Download
memory/572-295-0x0000000003B00000-0x0000000003C9E000-memory.dmp

Filesize
1.6MB

Download
memory/572-296-0x00000000030F0000-0x00000000031DC000-memory.dmp

Filesize
944KB

Download
memory/572-297-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/876-207-0x00000000034D0000-0x000000000358A000-memory.dmp

Filesize
744KB

Download
memory/1284-2-0x000000013F0EC000-0x000000013F1A4000-memory.dmp

Filesize
736KB

Download
memory/1284-286-0x000000013F0EC000-0x000000013F1A4000-memory.dmp

Filesize
736KB

Download
memory/1284-12-0x000000013F040000-0x000000013F1A4000-memory.dmp

Filesize
1.4MB

Download
memory/1284-0-0x000000013F0EC000-0x000000013F1A4000-memory.dmp

Filesize
736KB

Download
memory/1284-287-0x000000013F040000-0x000000013F1A4000-memory.dmp

Filesize
1.4MB

Download
memory/1284-1-0x000000013F040000-0x000000013F1A4000-memory.dmp

Filesize
1.4MB

Download
memory/1284-4-0x000000013F040000-0x000000013F1A4000-memory.dmp

Filesize
1.4MB

Download
memory/2084-81-0x00000000FF3A0000-0x00000000FF4D0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-60-0x00000000FF419000-0x00000000FF4D0000-memory.dmp

Filesize
732KB

Download
memory/2084-66-0x00000000FF3A0000-0x00000000FF4D0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-20-0x00000000FF3A0000-0x00000000FF4D0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-19-0x00000000FF419000-0x00000000FF4D0000-memory.dmp

Filesize
732KB

Download
memory/2520-59-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2520-52-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2520-51-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2692-67-0x000000013F272000-0x000000013F329000-memory.dmp

Filesize
732KB

Download
memory/2692-27-0x000000013F272000-0x000000013F329000-memory.dmp

Filesize
732KB

Download
memory/2692-28-0x000000013F200000-0x000000013F329000-memory.dmp

Filesize
1.2MB

Download
memory/2692-76-0x000000013F200000-0x000000013F329000-memory.dmp

Filesize
1.2MB

Download
memory/2768-34-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2768-35-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2768-43-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2768-42-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download