expiro | 21107ad941129c46c1e8bacedc1abb8a34308f00b5b4960ba496c1415046e957

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
Size

672KB
MD5

f6851d3106481744b99132d5d47f7098
SHA1

3904070d2e59a51b9aefedd3b9ac9bc7b0808f92
SHA256

21107ad941129c46c1e8bacedc1abb8a34308f00b5b4960ba496c1415046e957
SHA512

9ea022e42689f4f777e72d7afb8f353c1657dd1a786feea58d0b68f6c92c5ec45a872aa3ea3e2844f8c75deda5e9ac03d5e7439328a927b42d461d7a500f722a
SSDEEP

12288:seBNUbTVO86UqHcyB53eEYRbA1F8eKEa6Nmz7wSR8YEst/:sJIUqHrB5ZeM1jNmz7wSNl

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 4 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2236-34-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2236-35-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2236-43-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2236-42-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2856	alg.exe
2568	aspnet_state.exe
2236	mscorsvw.exe
2288	mscorsvw.exe
692	mscorsvw.exe
1432	mscorsvw.exe
616	mscorsvw.exe
1772	mscorsvw.exe
1096	mscorsvw.exe
2320	mscorsvw.exe
2276	mscorsvw.exe
2012	mscorsvw.exe
1708	mscorsvw.exe
2684	mscorsvw.exe
2576	mscorsvw.exe
2616	mscorsvw.exe
1160	mscorsvw.exe
2880	mscorsvw.exe
2084	mscorsvw.exe
2792	mscorsvw.exe
2888	mscorsvw.exe
1312	mscorsvw.exe
660	mscorsvw.exe
2492	mscorsvw.exe
2208	mscorsvw.exe
1992	mscorsvw.exe
1884	mscorsvw.exe
944	mscorsvw.exe
2860	mscorsvw.exe
2888	mscorsvw.exe
1760	mscorsvw.exe
1968	mscorsvw.exe
2492	mscorsvw.exe
2120	mscorsvw.exe
2264	mscorsvw.exe
2432	mscorsvw.exe
1888	mscorsvw.exe
2632	mscorsvw.exe
1532	mscorsvw.exe
2296	mscorsvw.exe
1712	mscorsvw.exe
2020	mscorsvw.exe
2212	mscorsvw.exe
2800	mscorsvw.exe
2896	mscorsvw.exe
1072	mscorsvw.exe
1492	mscorsvw.exe
476	mscorsvw.exe
2292	mscorsvw.exe
884	mscorsvw.exe
1620	mscorsvw.exe
1740	mscorsvw.exe
1132	mscorsvw.exe
2696	mscorsvw.exe
848	mscorsvw.exe
1500	mscorsvw.exe
2172	mscorsvw.exe
2460	mscorsvw.exe
2020	mscorsvw.exe
2148	mscorsvw.exe
2960	mscorsvw.exe
3056	mscorsvw.exe
2068	mscorsvw.exe

Loads dropped DLL 39 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
2492	mscorsvw.exe
2492	mscorsvw.exe
2264	mscorsvw.exe
2264	mscorsvw.exe
1888	mscorsvw.exe
1888	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe
1712	mscorsvw.exe
1712	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
2292	mscorsvw.exe
2292	mscorsvw.exe
1620	mscorsvw.exe
1620	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
848	mscorsvw.exe
848	mscorsvw.exe
2172	mscorsvw.exe
2172	mscorsvw.exe
2020	mscorsvw.exe
2020	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
2068	mscorsvw.exe
2068	mscorsvw.exe
900	mscorsvw.exe
900	mscorsvw.exe
2256	mscorsvw.exe
2256	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-312935884-697965778-3955649944-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-312935884-697965778-3955649944-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\U:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\X:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\M:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\N:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\K:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\T:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\I:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\R:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\J:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\S:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\W:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\Y:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\G:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\H:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\L:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\O:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\Z:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Q:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\V:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\E:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened (read-only)	\??\P:	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File created	\??\c:\windows\system32\qkaioodj.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\dkjmeopm.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\aleafafp.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\nadipoho.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\elhdaokb.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\kmkmhchj.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\fcbknpag.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\syswow64\bdfdanok.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\pmoheoae.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File created	\??\c:\windows\system32\jqohppgf.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\wbem\jgcmaeqb.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\system32\djboipfn.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\windows\system32\kdljoajb.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\jqonkkii.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\alg.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system32\vds.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pppjqpbi.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\edpbgqqb.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\coohecjh.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ocnfphoi.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ekchdkjb.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ldcnmoao.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ckfdqqhh.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\program files\windows media player\abbnopgc.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ajjekqnl.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\fnndmnho.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\nopnnfcn.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kldonlpi.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\jmofaklb.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\gkfbdaji.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\hqeagjno.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dddilmae.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ckideamg.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\eehmdpjh.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\haoofdbm.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP12A6.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E0.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1786.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\khakaeal.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB32.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC0B.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\gddgajde.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\lbbcpfhp.tmp	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE698.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe
2856	alg.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2756	f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2856	alg.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe
Token: SeShutdownPrivilege	692	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1432	692	mscorsvw.exe	35
PID 692 wrote to memory of 1432	692	mscorsvw.exe	35
PID 692 wrote to memory of 1432	692	mscorsvw.exe	35
PID 692 wrote to memory of 1432	692	mscorsvw.exe	35
PID 692 wrote to memory of 616	692	mscorsvw.exe	37
PID 692 wrote to memory of 616	692	mscorsvw.exe	37
PID 692 wrote to memory of 616	692	mscorsvw.exe	37
PID 692 wrote to memory of 616	692	mscorsvw.exe	37
PID 692 wrote to memory of 1772	692	mscorsvw.exe	38
PID 692 wrote to memory of 1772	692	mscorsvw.exe	38
PID 692 wrote to memory of 1772	692	mscorsvw.exe	38
PID 692 wrote to memory of 1772	692	mscorsvw.exe	38
PID 692 wrote to memory of 1096	692	mscorsvw.exe	39
PID 692 wrote to memory of 1096	692	mscorsvw.exe	39
PID 692 wrote to memory of 1096	692	mscorsvw.exe	39
PID 692 wrote to memory of 1096	692	mscorsvw.exe	39
PID 692 wrote to memory of 2320	692	mscorsvw.exe	40
PID 692 wrote to memory of 2320	692	mscorsvw.exe	40
PID 692 wrote to memory of 2320	692	mscorsvw.exe	40
PID 692 wrote to memory of 2320	692	mscorsvw.exe	40
PID 692 wrote to memory of 2276	692	mscorsvw.exe	41
PID 692 wrote to memory of 2276	692	mscorsvw.exe	41
PID 692 wrote to memory of 2276	692	mscorsvw.exe	41
PID 692 wrote to memory of 2276	692	mscorsvw.exe	41
PID 692 wrote to memory of 2012	692	mscorsvw.exe	42
PID 692 wrote to memory of 2012	692	mscorsvw.exe	42
PID 692 wrote to memory of 2012	692	mscorsvw.exe	42
PID 692 wrote to memory of 2012	692	mscorsvw.exe	42
PID 692 wrote to memory of 1708	692	mscorsvw.exe	43
PID 692 wrote to memory of 1708	692	mscorsvw.exe	43
PID 692 wrote to memory of 1708	692	mscorsvw.exe	43
PID 692 wrote to memory of 1708	692	mscorsvw.exe	43
PID 692 wrote to memory of 2684	692	mscorsvw.exe	44
PID 692 wrote to memory of 2684	692	mscorsvw.exe	44
PID 692 wrote to memory of 2684	692	mscorsvw.exe	44
PID 692 wrote to memory of 2684	692	mscorsvw.exe	44
PID 692 wrote to memory of 2576	692	mscorsvw.exe	45
PID 692 wrote to memory of 2576	692	mscorsvw.exe	45
PID 692 wrote to memory of 2576	692	mscorsvw.exe	45
PID 692 wrote to memory of 2576	692	mscorsvw.exe	45
PID 692 wrote to memory of 2616	692	mscorsvw.exe	46
PID 692 wrote to memory of 2616	692	mscorsvw.exe	46
PID 692 wrote to memory of 2616	692	mscorsvw.exe	46
PID 692 wrote to memory of 2616	692	mscorsvw.exe	46
PID 692 wrote to memory of 1160	692	mscorsvw.exe	47
PID 692 wrote to memory of 1160	692	mscorsvw.exe	47
PID 692 wrote to memory of 1160	692	mscorsvw.exe	47
PID 692 wrote to memory of 1160	692	mscorsvw.exe	47
PID 692 wrote to memory of 2880	692	mscorsvw.exe	48
PID 692 wrote to memory of 2880	692	mscorsvw.exe	48
PID 692 wrote to memory of 2880	692	mscorsvw.exe	48
PID 692 wrote to memory of 2880	692	mscorsvw.exe	48
PID 692 wrote to memory of 2084	692	mscorsvw.exe	49
PID 692 wrote to memory of 2084	692	mscorsvw.exe	49
PID 692 wrote to memory of 2084	692	mscorsvw.exe	49
PID 692 wrote to memory of 2084	692	mscorsvw.exe	49
PID 692 wrote to memory of 2792	692	mscorsvw.exe	50
PID 692 wrote to memory of 2792	692	mscorsvw.exe	50
PID 692 wrote to memory of 2792	692	mscorsvw.exe	50
PID 692 wrote to memory of 2792	692	mscorsvw.exe	50
PID 692 wrote to memory of 2888	692	mscorsvw.exe	51
PID 692 wrote to memory of 2888	692	mscorsvw.exe	51
PID 692 wrote to memory of 2888	692	mscorsvw.exe	51
PID 692 wrote to memory of 2888	692	mscorsvw.exe	51

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2236

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1ac -NGENProcess 1b0 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1ac -NGENProcess 1b0 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 234 -NGENProcess 224 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 234 -NGENProcess 228 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1c8 -NGENProcess 1ac -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 21c -NGENProcess 214 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 240 -NGENProcess 228 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1ac -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 214 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 228 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 1ac -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 214 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 228 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ac -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 214 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 228 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1ac -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 214 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 228 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 1ac -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 228 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1ac -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 218 -NGENProcess 254 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 230 -NGENProcess 24c -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 230 -NGENProcess 218 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 238 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 238 -NGENProcess 230 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 220 -NGENProcess 230 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 218 -NGENProcess 284 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 284 -NGENProcess 224 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 220 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 220 -NGENProcess 218 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 26c -NGENProcess 224 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 224 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1ac -NGENProcess 218 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 218 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 264 -NGENProcess 274 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 1ac -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 26c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 264 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 1ac -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1ac -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 294 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 264 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 29c -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 270 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ac -NGENProcess 2c4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c4 -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d4 -NGENProcess 24c -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 29c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ac -NGENProcess 24c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 24c -NGENProcess 2d8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2d8 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e4 -NGENProcess 278 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
534KB

MD5
f7f3ad570ea07a0d5d05277aded74072

SHA1
bcae06b3b4c2be465ee21a9aeda06f755f4a9660

SHA256
ea276a16a96f04ff538d54fe395668a97019cb825ea96fe077eaab51aaab7e8b

SHA512
8186d679ae9026c9039c4a94435a4238556c1a317fba2ec2f514ca226e57a9cbbe98fc424f51dbf7cfc1028ae32b93bbf9e4c7d1e9e96e75ac90937e646c31a6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
f1a5aaa2fde9ca7678e836087d4de6c8

SHA1
df2865f239b574902e3ddafbcc0e778e2da7911b

SHA256
a0489e6ecbe4f983946110ddbe4f3a8b8d59ab3ae8cafb14f3c787d6d91ef9c6

SHA512
07ab8e36d29d8a6954bf608474a591aa933d352bc182e11ccb3a7347ed7e5130989303fa745b76cd797f16785e538b05c990f9d300d180ae76aac926a50e96b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5ccbee0db145c861cd7af4c943511cd4

SHA1
08f2523f2b163a13fe8aa75753a21aa9c0ca4f74

SHA256
b27bc055f16d746266559ea3ec052d29bf14310d7cc8d1bfa25cc2215e9c2249

SHA512
d93c6607b998c608f2d05b368f1f8cad42a4d68dca3ca80ff62668d83bb22d4a17f379001f3e4dc35f12eda7bc447beb774b37c6eeb3b9d0d3c9bb2d4329d884

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
0f455a786a3fa0a73d61c6fc60bec8e0

SHA1
9efb78ac7adf5309e8f53ca8aa063536b6a1c654

SHA256
dee71e1dd8f05262c5938e2fba58525bd2cff025e2408568901b96d3b96d6885

SHA512
cf42322aa8bbc0a98ca79d053df7080c523891a40a1f862fc60e9700fbbcc53911d0be65a77db00bdf2a0841ea70d84adf7384762a8418e3feefefed62c50307

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
25d274e1fb42ff8628395596a8b6c71d

SHA1
06c73b30faaf16239b11f43f95d4611fe5a05594

SHA256
006b52c8a9f783047ae250d70517e0521d8490bd71465a043250a99a5b876ce1

SHA512
3156397ef27a303d6ed5f8a48c3ff7b80f053b9041fffa65b8d2b38ea007787a7e9ce41329d40c769456aaf3b5ae761598285bc3cda04d950a79050ed936c86c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5ed07af00dbdcbf9bebc1ba8c311941f

SHA1
087c1836d28e1076b744ab3e817af09520586784

SHA256
3ad4865f36c6038b6d0169ac75ef0968f5c3c9c46916e98c5d4129c1d519900e

SHA512
dab7676016ffd09c7c5e2f02617da4522fbb4d7025cd0ecf68ee7a4958923484654037b1be9f0168b8c724ffc2f73832979281eec050d3cf7615d1c3a875addf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
26fd1741f1413bf6c07d19575b420d58

SHA1
bfe2c918a6249c15cdf0c86dda8ca2f29fdf0a95

SHA256
9dcd9fac07ec70c8e295efc93788e9cf6f91733616f907b919407a356f3298ef

SHA512
6ef75441f81f40873b6d1faf01cd44b638b6f0ce4a922c6684f27f8bbc10f5b460d0a741329be1535e17c739c8f8c7955e74d2f5dba7cf938fc7526fa24edaec

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
73d2538625795fccdd9e34674ea8f676

SHA1
444586d09228a5a2df6bc135a31013b7e487db45

SHA256
8a2deb4afac4b5553067d237f62dd4383b92d2c050b52a4f0ce60335318d3aa5

SHA512
310a4e1db8a0011f745f473f47ac895723bc00b9e337282214f65264fef20c4c6811b2e7154a604842b64c03cdb9a49113701bce94b34b855a80e56706f741c2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6f96d0a104dff4410f9af36ea4bf1314\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
d196d794fafb0171557c02d67a87dcfc

SHA1
3c80891963726beb09ad3f0003653a605e812453

SHA256
e99b5aaadbbb384a2799b7809ba8087939b69d0911f9dc46855c7f05326ef07c

SHA512
56d2744052a142cbca0463525e0f16a3c5c0a79644120c754a0961aa29271dd96f17785db4de548c4fe438ed64bb9e8bb1545ef40062529f6aa54b10d43091c0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a874db495018419cfe52d3aae3a85b96\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
1f9704bb2e53e35f811e366385a8831b

SHA1
3fb7c878ec9a3e3a181c7e8f29707aab25993134

SHA256
a340c60ef77a3c88fdda5012bcfac3e60173865d6a52f22f7e88c6ebd51840fa

SHA512
dd986bfae8d6627dd627c43f46688ac7c590deff5ee4104bee5071e7031cdafb9e23b8a40c86ef7c21f9c31cb65a500401d76b2adc0d688d824fa311dd92f58b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\cae013a35a0b90b83760bb89a58ee55b\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
0bbf380a3d8454f7a49858a9addd9729

SHA1
81a6cc2c3a8db943e93b42fe2bc5812ea72fb97e

SHA256
f9b3630a8cfc32d8ecf2d5c5fbdcee60454142b12a7976b2e1bd487654750f29

SHA512
0f583368d68f1e737d7abda184575ed61f294616b7ade121597b6e2b9eb50687b8b598247514a9d971c4f13c9f7f17f56da14fba184a5709308bfc2b176fb49f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\dc85ebb19dccb3b08374975471edd1d9\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
846a59a52c8abb0a779793f9f0aa4960

SHA1
a51f3042dce80f0e710d1a0992df473de8fd5939

SHA256
d54561aed0d852ec606e8bec9a0489750e03372f5bd3f7a25cf567b3af908172

SHA512
d39f2350b8b611dd00431b02c19613e897baab7d851bf109b115e32419ee6c359e118d1deb5312c314c811dc9cdebf6709f3f81da2aa6713b43f1594670cbe8a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
827bc0ed4df6ec8adb80a644d5767547

SHA1
16e2e92dfd67440b304344e35d01d90ba84dc177

SHA256
091687a18d3227213ccbc2949f35f4c1ab677f61f5077b5698e0d3a8188d44cf

SHA512
318b68bdf8c96f8e2dd7eee889c636721d4c75d1d09eb06a990c3c53e20511b8237ecb9622429ee533e52f53c285bf58a49f92c24c85b772197c2ee9e6690d45

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.9MB

MD5
89af85b39a3920e680a020f59b8b6436

SHA1
5573a79b170a8c749d3213654500ed67c9cce9d7

SHA256
8d9e9f3ac3bbaaeafab273c5a1b5abc09799a5597c1990bb7db45540582da242

SHA512
56c302cf7c32f699d2324b2bcff40acce6300d7cc9d089b11f7e2ff05b25d48afc649a62a5c7d056e383187b6e4d5c2b920421f4a0012505bbe3584b54595422

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
a1339054c81a583103509c607f153dc5

SHA1
7c0882fa3636f229994aaeca810749f097f058ca

SHA256
a85aa7a4218bf336d08ee61eaeead46e8dfec956d80054d5a7d30600146fef7c

SHA512
f1fc3d338f14fd48693d5d799e7888e91dac8dbadf3a909e5ed0d01a190129fde1642ee61252540c06143bba9af13d767a0e4ff1ff19fd4237cbca3de0779086

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
879f5261428fd9c48da969955b952efd

SHA1
7309f69643b848bb211e0d07a2390038ce93b6d9

SHA256
60cef174ba8e2d5a1d3a61e58853d9c25e8cd5bfc49f6012eda3117bc2018f78

SHA512
f679064f28899b55be19119d773fe2b55dcda9ae302cd47751d084bca9467fa2c1cfef833e1569d57d6b6711fd9ebcbc2d3e9c12d6c3aa70f1bc3cb6181e1517

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.1MB

MD5
d9d1abadbaada13cdfd5dc470811e23e

SHA1
caf8137bac4b2bf44c1c30b551418ffd8b0d8d82

SHA256
8cad441e98e2f8b03f0c26766b5bf9dc8cbfc917f73f5a1fe680f4809122219a

SHA512
18e8e61b178bc532a905ef15cb7e8a8a1809c9c86946ab3aa942b9f4d1e6194db1293a0b7f5455faaca1ea596927e678e4ea6119466c9d14dc819a927fbcd31c

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
519KB

MD5
bfc141414297e22678e0914eb64d9ca6

SHA1
2a3c551b8d601a500b85b87ae945f55763928c2b

SHA256
8f091e423f2023f42384a6b95b403c6976bc2651f84d4c23f03c8bead1753135

SHA512
7bbf88ef26b8916e192c46d37796a895e996022de919152056748128321956202dab7ad0b54d1dc06233672e39046f608de83890900643bcefa4fd481cde2faa

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
6ea7b1974cddeab44caf0a28b15fc0a9

SHA1
f6a40a2316046e64dba17e56dd350efe7f0ce25a

SHA256
6d5e3bd4ac142a7fa40d68bf89e0057313d905f650705b6719819121307f6ba6

SHA512
3431849557a4123e4be7b465cc4e2e991ee631e18def56cb3151f140e5b1490482650db6e051cdde15947ec6e2a59735f0ef8278496cdc740eecefd4632cc1b2

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.0MB

MD5
e28f5d27bb6d4cfbd0347f6e25a01f4e

SHA1
0e1e95c732470e6690806472caf2302c7f2ea15e

SHA256
5ed4719dd30ffaf869fcf2bb45b6e5db954d3080c37622109a76680d20abe87c

SHA512
21b6c469006b23249e0854928f6c80658e03d5818448a9e212589082afb64f1dc30a289fec124598343285215fd3bf7fb823a0efe80faee9f99c6c280d73e1ac

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
940474be9a4f607578157e8fb3452f3d

SHA1
c45c1b1218ae149531db7261debf57f349877ceb

SHA256
8aa3ec47403ac97f72a7748e6238bd463ec256a1592a5c69020a397c5afcd315

SHA512
4eaedf7f84b515483a3eb64b624e29451a31071cb8636e9fde0151ced114cdd2d434b4a4cdca64ac2c8b7a1546b2af4a087a9707cefeeb1419dbefa96f9aed26

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
f391dee4931e9edc5a7b93b987f84be7

SHA1
75d0718b7094991eb110bc0f0fdf7bda1f3df9d8

SHA256
ea74261bd1dbf43b35c8775215572b7d7bb292de30b244fec1c2141f9afb3844

SHA512
51b12086b3f19095ee6e46201a324b812ef9a8e8d5ef0696a621fc16819087a2ff0b19e360dce8a02bcdda41a0a0ea51477483f68d4f4fe260523aac2b1e5e90

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD559.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB32.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE1A8.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
memory/692-324-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/692-323-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/692-325-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/692-313-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/692-314-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/692-315-0x0000000000120000-0x000000000013A000-memory.dmp

Filesize
104KB

Download
memory/692-316-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/692-317-0x0000000001090000-0x0000000001134000-memory.dmp

Filesize
656KB

Download
memory/692-318-0x0000000001090000-0x000000000122E000-memory.dmp

Filesize
1.6MB

Download
memory/692-319-0x0000000001090000-0x000000000117C000-memory.dmp

Filesize
944KB

Download
memory/692-320-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/692-321-0x0000000001090000-0x0000000001118000-memory.dmp

Filesize
544KB

Download
memory/692-322-0x0000000000120000-0x0000000000144000-memory.dmp

Filesize
144KB

Download
memory/2236-35-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2236-42-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2236-34-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2236-43-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2288-51-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2288-59-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2288-53-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2568-67-0x000000013F112000-0x000000013F1C9000-memory.dmp

Filesize
732KB

Download
memory/2568-72-0x000000013F0A0000-0x000000013F1C9000-memory.dmp

Filesize
1.2MB

Download
memory/2568-28-0x000000013F0A0000-0x000000013F1C9000-memory.dmp

Filesize
1.2MB

Download
memory/2568-27-0x000000013F112000-0x000000013F1C9000-memory.dmp

Filesize
732KB

Download
memory/2756-2-0x000000013F31B000-0x000000013F3D3000-memory.dmp

Filesize
736KB

Download
memory/2756-0-0x000000013F31B000-0x000000013F3D3000-memory.dmp

Filesize
736KB

Download
memory/2756-12-0x000000013F270000-0x000000013F3D3000-memory.dmp

Filesize
1.4MB

Download
memory/2756-1-0x000000013F270000-0x000000013F3D3000-memory.dmp

Filesize
1.4MB

Download
memory/2756-4-0x000000013F270000-0x000000013F3D3000-memory.dmp

Filesize
1.4MB

Download
memory/2792-200-0x00000000011D0000-0x000000000128A000-memory.dmp

Filesize
744KB

Download
memory/2856-60-0x00000000FF519000-0x00000000FF5D0000-memory.dmp

Filesize
732KB

Download
memory/2856-19-0x00000000FF519000-0x00000000FF5D0000-memory.dmp

Filesize
732KB

Download
memory/2856-20-0x00000000FF4A0000-0x00000000FF5D0000-memory.dmp

Filesize
1.2MB

Download
memory/2856-66-0x00000000FF4A0000-0x00000000FF5D0000-memory.dmp

Filesize
1.2MB

Download
memory/2856-81-0x00000000FF4A0000-0x00000000FF5D0000-memory.dmp

Filesize
1.2MB

Download