expiro | 074c485967fa1a356f14c49ecb49fdfe19833b5401bd727daca572cd2d5b9794

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
Size

472KB
MD5

1b1071e58bf6a85eda6b0a27562de00d
SHA1

829c143f7fd6f7d80ca93ce7defee2944a2c0cc7
SHA256

074c485967fa1a356f14c49ecb49fdfe19833b5401bd727daca572cd2d5b9794
SHA512

88e94d8dee668503a6b856c0cf587eba22f602b2c590d42476db8a27088d078a307d7be7468d2ef4bd8043de5897c8cd303512aead2148832d5d9aef23073bc8
SSDEEP

12288:DCPzrOBcpsSeLm7inay076SWqM1QQOiy:qrOBjS4m/y076SW/eQO

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 11 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2312-0-0x0000000000E5A000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2312-1-0x0000000000DE0000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2312-2-0x0000000000DE0000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2312-3-0x0000000000E5A000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2312-4-0x0000000000DE0000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2312-6-0x0000000000DE0000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2312-7-0x0000000000DE0000-0x0000000000EED000-memory.dmp	family_expiro1
behavioral1/memory/2956-40-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2956-42-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2956-53-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2956-52-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 51 IoCs

pid	Process
476	Process not Found
2536	alg.exe
2924	aspnet_state.exe
2956	mscorsvw.exe
2720	mscorsvw.exe
1588	mscorsvw.exe
2980	mscorsvw.exe
1100	mscorsvw.exe
2316	mscorsvw.exe
1068	mscorsvw.exe
2556	mscorsvw.exe
1596	mscorsvw.exe
2052	mscorsvw.exe
2768	mscorsvw.exe
652	mscorsvw.exe
2856	mscorsvw.exe
2988	mscorsvw.exe
2496	mscorsvw.exe
1812	mscorsvw.exe
2320	mscorsvw.exe
1220	mscorsvw.exe
1040	mscorsvw.exe
1248	mscorsvw.exe
1452	mscorsvw.exe
1684	mscorsvw.exe
1048	mscorsvw.exe
896	mscorsvw.exe
1364	mscorsvw.exe
916	mscorsvw.exe
2748	mscorsvw.exe
1652	mscorsvw.exe
1336	mscorsvw.exe
1016	mscorsvw.exe
1452	mscorsvw.exe
912	mscorsvw.exe
1872	mscorsvw.exe
572	mscorsvw.exe
1200	mscorsvw.exe
2372	mscorsvw.exe
888	mscorsvw.exe
1616	mscorsvw.exe
2620	mscorsvw.exe
2888	mscorsvw.exe
2968	mscorsvw.exe
2700	mscorsvw.exe
2068	mscorsvw.exe
1812	mscorsvw.exe
2320	mscorsvw.exe
2996	mscorsvw.exe
1336	mscorsvw.exe
2624	mscorsvw.exe

Loads dropped DLL 21 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
1452	mscorsvw.exe
1452	mscorsvw.exe
1872	mscorsvw.exe
1872	mscorsvw.exe
1200	mscorsvw.exe
1200	mscorsvw.exe
888	mscorsvw.exe
888	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
2968	mscorsvw.exe
2968	mscorsvw.exe
2068	mscorsvw.exe
2068	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe
1336	mscorsvw.exe
1336	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\N:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\O:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\Q:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\S:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\U:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\T:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\Z:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\M:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\R:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\K:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\V:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Y:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\I:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\L:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\X:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\W:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\E:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\syswow64\mjagnffj.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\ahhcmpdh.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\SysWOW64\pmgklidl.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\ippibchj.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\SysWOW64\fpnmcegj.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\nimndejq.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\ljbbocmb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\wbem\fhdeiomf.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\dhecnjmd.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\ibpibelc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File created	\??\c:\windows\system32\gqlelcjm.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\lkpdppag.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\hnfggoqm.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\SysWOW64\nefkkfpb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\mnkpcpch.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File created	\??\c:\windows\system32\nblgmoog.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\SysWOW64\kkffbnfo.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\system32\oleifpmo.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\onbaidqf.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\mngianin.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dakeokhg.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\iilmmhmc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\kihlpche.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ldcnmoao.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\gkeendib.tmp	alg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lgamkbac.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ekchdkjb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ifpcoece.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dendjgfp.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\knkmmeba.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\program files (x86)\microsoft office\office14\pddlogcq.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\fjleillh.tmp	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\DVD Maker\clmaedbq.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kjkookie.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Google\Chrome\Application\jmofaklb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dddilmae.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Internet Explorer\elidehmc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jipjcfed.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC810.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF40F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\dnffkoac.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\ehome\lcdnibch.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB61.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEF8D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mgifcefh.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\ehome\ejpdqfmi.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4CC.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\fboafehj.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\cgnibajh.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\japnckod.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCC25.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE16A.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE975.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\anjdekfl.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\fhmcjeia.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe
2536	alg.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2312	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2536	alg.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe
Token: SeShutdownPrivilege	1588	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
2312	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2980	1588	mscorsvw.exe	36
PID 1588 wrote to memory of 2980	1588	mscorsvw.exe	36
PID 1588 wrote to memory of 2980	1588	mscorsvw.exe	36
PID 1588 wrote to memory of 2980	1588	mscorsvw.exe	36
PID 1588 wrote to memory of 1100	1588	mscorsvw.exe	38
PID 1588 wrote to memory of 1100	1588	mscorsvw.exe	38
PID 1588 wrote to memory of 1100	1588	mscorsvw.exe	38
PID 1588 wrote to memory of 1100	1588	mscorsvw.exe	38
PID 1588 wrote to memory of 2316	1588	mscorsvw.exe	39
PID 1588 wrote to memory of 2316	1588	mscorsvw.exe	39
PID 1588 wrote to memory of 2316	1588	mscorsvw.exe	39
PID 1588 wrote to memory of 2316	1588	mscorsvw.exe	39
PID 1588 wrote to memory of 1068	1588	mscorsvw.exe	40
PID 1588 wrote to memory of 1068	1588	mscorsvw.exe	40
PID 1588 wrote to memory of 1068	1588	mscorsvw.exe	40
PID 1588 wrote to memory of 1068	1588	mscorsvw.exe	40
PID 1588 wrote to memory of 2556	1588	mscorsvw.exe	41
PID 1588 wrote to memory of 2556	1588	mscorsvw.exe	41
PID 1588 wrote to memory of 2556	1588	mscorsvw.exe	41
PID 1588 wrote to memory of 2556	1588	mscorsvw.exe	41
PID 1588 wrote to memory of 1596	1588	mscorsvw.exe	42
PID 1588 wrote to memory of 1596	1588	mscorsvw.exe	42
PID 1588 wrote to memory of 1596	1588	mscorsvw.exe	42
PID 1588 wrote to memory of 1596	1588	mscorsvw.exe	42
PID 1588 wrote to memory of 2052	1588	mscorsvw.exe	43
PID 1588 wrote to memory of 2052	1588	mscorsvw.exe	43
PID 1588 wrote to memory of 2052	1588	mscorsvw.exe	43
PID 1588 wrote to memory of 2052	1588	mscorsvw.exe	43
PID 1588 wrote to memory of 2768	1588	mscorsvw.exe	44
PID 1588 wrote to memory of 2768	1588	mscorsvw.exe	44
PID 1588 wrote to memory of 2768	1588	mscorsvw.exe	44
PID 1588 wrote to memory of 2768	1588	mscorsvw.exe	44
PID 1588 wrote to memory of 652	1588	mscorsvw.exe	45
PID 1588 wrote to memory of 652	1588	mscorsvw.exe	45
PID 1588 wrote to memory of 652	1588	mscorsvw.exe	45
PID 1588 wrote to memory of 652	1588	mscorsvw.exe	45
PID 1588 wrote to memory of 2856	1588	mscorsvw.exe	46
PID 1588 wrote to memory of 2856	1588	mscorsvw.exe	46
PID 1588 wrote to memory of 2856	1588	mscorsvw.exe	46
PID 1588 wrote to memory of 2856	1588	mscorsvw.exe	46
PID 1588 wrote to memory of 2988	1588	mscorsvw.exe	47
PID 1588 wrote to memory of 2988	1588	mscorsvw.exe	47
PID 1588 wrote to memory of 2988	1588	mscorsvw.exe	47
PID 1588 wrote to memory of 2988	1588	mscorsvw.exe	47
PID 1588 wrote to memory of 2496	1588	mscorsvw.exe	48
PID 1588 wrote to memory of 2496	1588	mscorsvw.exe	48
PID 1588 wrote to memory of 2496	1588	mscorsvw.exe	48
PID 1588 wrote to memory of 2496	1588	mscorsvw.exe	48
PID 1588 wrote to memory of 1812	1588	mscorsvw.exe	49
PID 1588 wrote to memory of 1812	1588	mscorsvw.exe	49
PID 1588 wrote to memory of 1812	1588	mscorsvw.exe	49
PID 1588 wrote to memory of 1812	1588	mscorsvw.exe	49
PID 1588 wrote to memory of 2320	1588	mscorsvw.exe	50
PID 1588 wrote to memory of 2320	1588	mscorsvw.exe	50
PID 1588 wrote to memory of 2320	1588	mscorsvw.exe	50
PID 1588 wrote to memory of 2320	1588	mscorsvw.exe	50
PID 1588 wrote to memory of 1220	1588	mscorsvw.exe	51
PID 1588 wrote to memory of 1220	1588	mscorsvw.exe	51
PID 1588 wrote to memory of 1220	1588	mscorsvw.exe	51
PID 1588 wrote to memory of 1220	1588	mscorsvw.exe	51
PID 1588 wrote to memory of 1040	1588	mscorsvw.exe	52
PID 1588 wrote to memory of 1040	1588	mscorsvw.exe	52
PID 1588 wrote to memory of 1040	1588	mscorsvw.exe	52
PID 1588 wrote to memory of 1040	1588	mscorsvw.exe	52

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1a8 -NGENProcess 1ac -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 22c -NGENProcess 214 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 21c -NGENProcess 220 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 218 -NGENProcess 214 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 234 -NGENProcess 1bc -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 220 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 214 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 1bc -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 220 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 214 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 1bc -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 220 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 214 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 220 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 214 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 220 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 214 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 220 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 214 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1c0 -NGENProcess 25c -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1b4 -NGENProcess 258 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 230 -NGENProcess 234 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 210 -NGENProcess 25c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 224 -NGENProcess 258 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 25c -NGENProcess 258 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 1a8 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1a8 -NGENProcess 224 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 1a4 -NGENProcess 258 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 258 -NGENProcess 1f0 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 220 -NGENProcess 224 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 1a4 -NGENProcess 224 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 268 -NGENProcess 1f0 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1f0 -NGENProcess 220 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 224 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 224 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 250 -NGENProcess 1a4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1a4 -NGENProcess 224 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 288 -NGENProcess 1f0 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 290 -NGENProcess 224 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 224 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
534KB

MD5
1d61b67d6e86c61fc439b0fe842e19a6

SHA1
8cb1564ab05609a45679c53effb434eed79a5814

SHA256
d0a3515cb0da1705f5852452f071348061f14e9d0de127f8a73fd5c41a6ffe4d

SHA512
77e01f79f219e263243fca92ca1a80c3b493ba2871159cb50b9f4b290ee7c56a0609db17509f7db7320d53a309a9dfcf215a5cd973c656ae68d55e84d0a65504

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
d33f809cc000dedcbeb8b5d9fdd0e43e

SHA1
d4f5841267fe30a4a0add5e82f0ed77fd1e65a92

SHA256
d015ebe4aedd7b0d61b7eed4253f3602404959bb71d9db4d8199631947e6034a

SHA512
c65f6f27fa418b9731271feb32c1ce47a60807ceb9489c14074eaba12fea22eaad3989eca9733f608dc8b08c8e1721633f63cee8383c255e77b1f057aa0a141f

Download Submit
C:\Users\Admin\AppData\Local\lkrdmpad\cmd.exe

Filesize
692KB

MD5
186bdae66da1cd387d20a8ec4db2b256

SHA1
041e91c671c848b87f52e86a55daa745eb9670a5

SHA256
d51a401e688aec1b85512ed902b52b9ee4eaa4510b2a109177ba6ba1e504452d

SHA512
42a0758fda682ee56480f4bcfbe23a134c571ae0af9d3e7cf262ad871234b69a7c1793869ddbeb5873aa720a7266a749c89014287827ccfed951060a315f515a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
351e0e6fb709603afeed55d33616a862

SHA1
31aabf069e064967f7953ca7fee451da11390ac2

SHA256
580146b7ac9571c965ac16f65454287d7b3d284d9abe7a802cf1daa036d662a7

SHA512
6ccd39dea6cdf957106336c588c8da0f52e97641d4c5a89b92b63e73a73e78195b96d5c5f3651bff49ec0ae5739da93634ba5a98dc96a699dbfff0749d4429eb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
f8b6030e139a6be52194fc005af69b85

SHA1
bc2744da85117f4004121117a5852421a7fa0846

SHA256
b30d761a056c09d2bba84fbb930389019b7bc6bab74af4812a143f145109125c

SHA512
596db68ff3becd15631beb337c8acded4d2956fa8e8ec30c27c4ec067897017c6fa9e6e7ead9310dcb0feb1c7994d4ece00b413a4ef549349f90e11292d84b1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
be2ec9e45c871a579ef11ee5d1e4ce3d

SHA1
20d995e5a0dd54bba9f26d6eafd2232589763d5b

SHA256
d5ed8bd4b11955a1f2f4d41bcbeb90845751e56b3d51e1211668606fa510fb30

SHA512
71069625574629b8289da04d813c929666d175d26695f85c515127fa67b92190e3836363c21f44c731ea5509208c14427b873924108e45df4c54c60105491dda

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
acd3cf981a9cf7a0f250fc6327b0180d

SHA1
db8eb3755bf2ad3a4f23da51acf1651de2b5b308

SHA256
0a5320eef820dee7d41ff001660b361b17604a0997abb6cee2001c8fd4b6b247

SHA512
0a96a8398302eed43d85fb7c777da067cd2fee5f1101fe22d349320ee67281d53dc35479ffd63d6b55c4f8f1b3331df8bf1d187b2fca71479b1f327c45224168

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
2c64261a1a2c02ccb11f63e18fbcfd85

SHA1
f39197b58337639aeff4c7cb17a05116c80436fb

SHA256
575f8580341d084b6ae4bbc157ce79a4e049dabad6c15ee6ad4e44f9bedef2e4

SHA512
221d38df4c63376265fd99d28f6c0ef52fa49f70437b21361dcd10d796dcf25d32071a2f6ce989f882befb544c55d68180daed339340774949e3c930bd8dffda

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
537fc442b47359ab737e16a0bf50af5f

SHA1
c10488991f464fb4afa9265ec14a2153252f51a9

SHA256
b177948f16dd118f4c66c26e78d4c5ae1965c20a958909ac39dff44456ae1642

SHA512
9a2a17822cd0b9606857744916c699a16d95e99f341fcaca8771289e787ac6f53afe924f7554cca56ec6a4871757dfc9b14db1f10a585702d0778ea2f76a2723

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.9MB

MD5
7a7c6fba82dd92a3e22f3d23be05cf5a

SHA1
7d2f3b99647a43db2d12c818c1b142aa659c1aa5

SHA256
864d0c420c558c56e42a28776060488d7781149dbef12502a1fa58a623120228

SHA512
63a1042db41184fb8659c10ef390bca1843af585ec056d6bb42d33927a05008378b65e24d1ef1677c4fa997e2b809531becdd63f39a6592d2d4bb61f5a0f8797

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.1MB

MD5
72447f4c58827094d103d0dcb04f48ca

SHA1
3788fc32402d12cad6b27755f069cb0c54a5837a

SHA256
c06b5ae0c58ef5b8c3be1904ac2f3175aea63154d2311989ab95d48a360d6e01

SHA512
a86518adc973c0b33b1026d4261dbf374141cd16b237e883ded622787e22cef68ada250509642b6eab3241012a24876427585f55077806667caa8ba0a15042c9

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
519KB

MD5
9085b056401ebf815014408f4f44f0eb

SHA1
2b211bb73e782424abdbda6f6e1c09de62b68902

SHA256
7a7eb9109b7d09c73b519a97a8e257a9ef2f22da59b753c0cc9e330a4d238a6e

SHA512
f28eb0b03dc3b99a70b00f01ae3a9bd0342c2814946670736b36f42d898fff440c3688538fc341105bbf8f77b08bd79bd604e1adfdae988be06c04a4381879cc

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
44d7a1e4815b9ea2413a373b29856713

SHA1
a72e85e7ec57e9ff150bac440a30d640af11f084

SHA256
1a7af7be67d2dd49ecb6d55f542bd44490d624bf2ed25a7d0ff6f15a28d8b8ca

SHA512
c661aac2bbf557d89e627ca57c8d9916c7fca600deab132e603b59c044c15d860c0bd1e1a563de2ea363f611dc82fc7a05042ab8cb856a216b86cfc293147fa1

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.0MB

MD5
9c77c31dc6f96b9c30599d36ee4f0dd2

SHA1
0e6a6d4ad7433f738340eac0e3c462cbe9f880a5

SHA256
6bf267af2c410aeee3fbcfa70bd498039bde09b8521c32bc8d7ed05476f9acaf

SHA512
29ed2605863bba216868bc112d09699a72f1f4c7b3cf6322c85d38e3f5d89988e190b8b9df036a4a5a20132887d92fdab76ed72872e61784aeed69dd296ec0f4

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
81d4763405b9e89e65ed75adcfec7753

SHA1
bf0c06077071b4444a11e42f6a10d376819fa2cd

SHA256
9818f5e97f0354b63f2643aa602e8513eaa85251fff8a2b72c902a9e02ffe234

SHA512
02ad086140588d7cafa92d769d5c1dcb38bde3dd441f016d950f4f1a3b34817394b66adc6c013921088c707de95d9f85cd4e58c56851ab3c6a8a875db19f1614

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
92b539b3aae2732113e175804147e93a

SHA1
34a773598e53c65b5497667e8469c9bae7507906

SHA256
5c8e45a7b4403289cc2b86093ac83dd0f1031d957dc3d1b0ea46ec8ddd8fbcd0

SHA512
4905d5e9b7f8a47c74328bee7548e1855f7bc2dd395cb7c1043e7ef92e1386e39a749dac6bc5e290ddb8145b880e8e4b984b86e021fb619d8cd31534bfa0074d

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
fdc5623ebacf4403c27ec65504245c26

SHA1
677c580101b6724a1f01653a3e020741d579f9a5

SHA256
a2c0d3579da16a271b65346ce5d2b27b495a7b5e706be57e5eeafced6126e73f

SHA512
4d4259f171e82feb0bb63a57fde3f07877a7e2d60facf30e138d24fd076429620cab63fcd3f2a48ef1a46f5e57438ae4450acb9477da244bd89f063b79787bb8

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC810.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCC25.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4CC.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB61.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
memory/1220-209-0x0000000002280000-0x000000000233A000-memory.dmp

Filesize
744KB

Download
memory/1588-319-0x0000000000B40000-0x0000000000BC8000-memory.dmp

Filesize
544KB

Download
memory/1588-314-0x0000000000B40000-0x0000000000BCC000-memory.dmp

Filesize
560KB

Download
memory/1588-320-0x0000000000170000-0x0000000000194000-memory.dmp

Filesize
144KB

Download
memory/1588-318-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1588-317-0x0000000002D30000-0x0000000002E1C000-memory.dmp

Filesize
944KB

Download
memory/1588-316-0x0000000002D30000-0x0000000002ECE000-memory.dmp

Filesize
1.6MB

Download
memory/1588-315-0x0000000000B40000-0x0000000000BE4000-memory.dmp

Filesize
656KB

Download
memory/1588-321-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/1588-323-0x0000000000B40000-0x0000000000BA6000-memory.dmp

Filesize
408KB

Download
memory/1588-322-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/1588-311-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/1588-312-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1588-313-0x0000000000170000-0x000000000018A000-memory.dmp

Filesize
104KB

Download
memory/2312-7-0x0000000000DE0000-0x0000000000EED000-memory.dmp

Filesize
1.1MB

Download
memory/2312-6-0x0000000000DE0000-0x0000000000EED000-memory.dmp

Filesize
1.1MB

Download
memory/2312-4-0x0000000000DE0000-0x0000000000EED000-memory.dmp

Filesize
1.1MB

Download
memory/2312-3-0x0000000000E5A000-0x0000000000EED000-memory.dmp

Filesize
588KB

Download
memory/2312-2-0x0000000000DE0000-0x0000000000EED000-memory.dmp

Filesize
1.1MB

Download
memory/2312-0-0x0000000000E5A000-0x0000000000EED000-memory.dmp

Filesize
588KB

Download
memory/2312-1-0x0000000000DE0000-0x0000000000EED000-memory.dmp

Filesize
1.1MB

Download
memory/2536-26-0x00000000FF700000-0x00000000FF830000-memory.dmp

Filesize
1.2MB

Download
memory/2536-25-0x00000000FF779000-0x00000000FF830000-memory.dmp

Filesize
732KB

Download
memory/2536-68-0x00000000FF779000-0x00000000FF830000-memory.dmp

Filesize
732KB

Download
memory/2536-73-0x00000000FF700000-0x00000000FF830000-memory.dmp

Filesize
1.2MB

Download
memory/2536-83-0x00000000FF700000-0x00000000FF830000-memory.dmp

Filesize
1.2MB

Download
memory/2924-34-0x000000013FCF0000-0x000000013FE19000-memory.dmp

Filesize
1.2MB

Download
memory/2924-33-0x000000013FD62000-0x000000013FE19000-memory.dmp

Filesize
732KB

Download
memory/2924-84-0x000000013FCF0000-0x000000013FE19000-memory.dmp

Filesize
1.2MB

Download
memory/2924-78-0x000000013FD62000-0x000000013FE19000-memory.dmp

Filesize
732KB

Download
memory/2956-40-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2956-42-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2956-53-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2956-52-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download