cycbot | 8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Size

740KB
MD5

6c0d49ae62fcae54b6a55ed54e2c4ab0
SHA1

f3bf56d0e7c73e9930c8743e6a47c042f8eeeb6e
SHA256

8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43
SHA512

f865e0be6c3d3d0813775ebf59d25065c2cdb87368ed5283bc7e1a8cd0b24f9e0fde10af6d37822fa3a5ad10cced2233de6c26f9ae41b23fa1b5500a420f6834
SSDEEP

12288:Nori4cphZvBNJJGdwOl/EmOWbHVztBSlgG/2jKHvJnzAzdjW8pCKkL3:Mi4cTZvBNidzSoVti+jKP5Azda8pCKkL

Score

10^/10

cycbot expiro backdoor credential_access discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 1 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2028-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\A4D1F\\62FB8.exe"	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Expiro payload 45 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2620-1-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2620-4-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2028-11-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2028-12-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2620-13-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2028-17-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2620-24-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2620-34-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2820-63-0x0000000010000000-0x0000000010263000-memory.dmp	family_expiro1
behavioral1/memory/1984-196-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2620-213-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/1984-216-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2956-227-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/976-239-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/976-400-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1496-427-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/976-449-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1496-457-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2620-459-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/924-460-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1252-462-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1808-464-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1736-466-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1328-468-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2840-470-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2716-472-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1584-474-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2856-476-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2692-478-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2796-480-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/992-482-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1780-485-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2932-487-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1708-501-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1440-503-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1996-505-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2180-507-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2620-513-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2864-514-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1296-523-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/848-524-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/2620-534-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral1/memory/2524-689-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/332-690-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1
behavioral1/memory/1288-691-0x0000000000400000-0x000000000066C000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 49 IoCs

pid	Process
2820	mscorsvw.exe
476	Process not Found
2560	mscorsvw.exe
2956	mscorsvw.exe
2740	mscorsvw.exe
332	elevation_service.exe
2280	infocard.exe
976	mscorsvw.exe
484	IEEtwCollector.exe
1496	mscorsvw.exe
924	mscorsvw.exe
1252	mscorsvw.exe
1808	mscorsvw.exe
1736	mscorsvw.exe
1328	mscorsvw.exe
2840	mscorsvw.exe
2716	mscorsvw.exe
1584	mscorsvw.exe
2856	mscorsvw.exe
2692	mscorsvw.exe
2796	mscorsvw.exe
992	mscorsvw.exe
1780	mscorsvw.exe
2932	mscorsvw.exe
1708	mscorsvw.exe
1440	mscorsvw.exe
1996	mscorsvw.exe
2180	mscorsvw.exe
2864	mscorsvw.exe
1296	mscorsvw.exe
848	mscorsvw.exe
2052	mscorsvw.exe
1052	mscorsvw.exe
2524	mscorsvw.exe
332	mscorsvw.exe
1288	mscorsvw.exe
872	mscorsvw.exe
2288	mscorsvw.exe
1052	mscorsvw.exe
2636	mscorsvw.exe
2844	mscorsvw.exe
2824	mscorsvw.exe
2904	mscorsvw.exe
2700	mscorsvw.exe
1700	mscorsvw.exe
1280	mscorsvw.exe
272	mscorsvw.exe
1148	mscorsvw.exe
3048	mscorsvw.exe

Loads dropped DLL 21 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
476	Process not Found
2288	mscorsvw.exe
2288	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe
1280	mscorsvw.exe
1280	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\H:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\K:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\E:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\S:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\U:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\N:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\O:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\T:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\J:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\M:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\P:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\W:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\V:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\X:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\L:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\R:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\inldbimf.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\gqbkmheb.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\dfnhmame.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\njccdcia.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\SysWOW64\gjdkbjkh.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\SysWOW64\jbhmidab.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\qcjofeof.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	mscorsvw.exe
File created	\??\c:\windows\system32\mimegeoo.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ejjkjgom.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\mccgplla.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbem\njkjlpmg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\SysWOW64\ekkqhlgo.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\cngjmolf.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\SysWOW64\mejoblnl.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2620-4-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-13-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2028-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2028-17-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-24-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-34-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-213-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/1984-216-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-459-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-513-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral1/memory/2620-534-0x0000000000400000-0x00000000006E3000-memory.dmp	upx

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\kihlpche.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files (x86)\microsoft office\office14\hdggolld.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ojlkabom.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files (x86)\microsoft office\office14\hbbhnach.tmp	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\oeejgpmn.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\jmofaklb.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\DVD Maker\clmaedbq.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\inechdaf.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\pijgofaf.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files\windows media player\mheoachq.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Internet Explorer\bdiaenko.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\obkakffi.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mclhemcm.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFAF2.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\iddoefmk.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\servicing\pjpccaiq.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\oiaiglql.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP696.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\nopbomgi.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\jikbpppn.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\oldlhgjm.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\bmmqngml.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\ehome\imeegkbd.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0B.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2956	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2028	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	31
PID 2620 wrote to memory of 2028	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	31
PID 2620 wrote to memory of 2028	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	31
PID 2620 wrote to memory of 2028	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	31
PID 2620 wrote to memory of 1984	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	37
PID 2620 wrote to memory of 1984	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	37
PID 2620 wrote to memory of 1984	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	37
PID 2620 wrote to memory of 1984	2620	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	37
PID 2956 wrote to memory of 976	2956	mscorsvw.exe	40
PID 2956 wrote to memory of 976	2956	mscorsvw.exe	40
PID 2956 wrote to memory of 976	2956	mscorsvw.exe	40
PID 2956 wrote to memory of 976	2956	mscorsvw.exe	40
PID 2280 wrote to memory of 1780	2280	infocard.exe	41
PID 2280 wrote to memory of 1780	2280	infocard.exe	41
PID 2280 wrote to memory of 1780	2280	infocard.exe	41
PID 2956 wrote to memory of 1496	2956	mscorsvw.exe	43
PID 2956 wrote to memory of 1496	2956	mscorsvw.exe	43
PID 2956 wrote to memory of 1496	2956	mscorsvw.exe	43
PID 2956 wrote to memory of 1496	2956	mscorsvw.exe	43
PID 2956 wrote to memory of 924	2956	mscorsvw.exe	45
PID 2956 wrote to memory of 924	2956	mscorsvw.exe	45
PID 2956 wrote to memory of 924	2956	mscorsvw.exe	45
PID 2956 wrote to memory of 924	2956	mscorsvw.exe	45
PID 2956 wrote to memory of 1252	2956	mscorsvw.exe	46
PID 2956 wrote to memory of 1252	2956	mscorsvw.exe	46
PID 2956 wrote to memory of 1252	2956	mscorsvw.exe	46
PID 2956 wrote to memory of 1252	2956	mscorsvw.exe	46
PID 2956 wrote to memory of 1808	2956	mscorsvw.exe	47
PID 2956 wrote to memory of 1808	2956	mscorsvw.exe	47
PID 2956 wrote to memory of 1808	2956	mscorsvw.exe	47
PID 2956 wrote to memory of 1808	2956	mscorsvw.exe	47
PID 2956 wrote to memory of 1736	2956	mscorsvw.exe	48
PID 2956 wrote to memory of 1736	2956	mscorsvw.exe	48
PID 2956 wrote to memory of 1736	2956	mscorsvw.exe	48
PID 2956 wrote to memory of 1736	2956	mscorsvw.exe	48
PID 2956 wrote to memory of 1328	2956	mscorsvw.exe	49
PID 2956 wrote to memory of 1328	2956	mscorsvw.exe	49
PID 2956 wrote to memory of 1328	2956	mscorsvw.exe	49
PID 2956 wrote to memory of 1328	2956	mscorsvw.exe	49
PID 2956 wrote to memory of 2840	2956	mscorsvw.exe	50
PID 2956 wrote to memory of 2840	2956	mscorsvw.exe	50
PID 2956 wrote to memory of 2840	2956	mscorsvw.exe	50
PID 2956 wrote to memory of 2840	2956	mscorsvw.exe	50
PID 2956 wrote to memory of 2716	2956	mscorsvw.exe	51
PID 2956 wrote to memory of 2716	2956	mscorsvw.exe	51
PID 2956 wrote to memory of 2716	2956	mscorsvw.exe	51
PID 2956 wrote to memory of 2716	2956	mscorsvw.exe	51
PID 2956 wrote to memory of 1584	2956	mscorsvw.exe	52
PID 2956 wrote to memory of 1584	2956	mscorsvw.exe	52
PID 2956 wrote to memory of 1584	2956	mscorsvw.exe	52
PID 2956 wrote to memory of 1584	2956	mscorsvw.exe	52
PID 2956 wrote to memory of 2856	2956	mscorsvw.exe	53
PID 2956 wrote to memory of 2856	2956	mscorsvw.exe	53
PID 2956 wrote to memory of 2856	2956	mscorsvw.exe	53
PID 2956 wrote to memory of 2856	2956	mscorsvw.exe	53
PID 2956 wrote to memory of 2692	2956	mscorsvw.exe	54
PID 2956 wrote to memory of 2692	2956	mscorsvw.exe	54
PID 2956 wrote to memory of 2692	2956	mscorsvw.exe	54
PID 2956 wrote to memory of 2692	2956	mscorsvw.exe	54
PID 2956 wrote to memory of 2796	2956	mscorsvw.exe	55
PID 2956 wrote to memory of 2796	2956	mscorsvw.exe	55
PID 2956 wrote to memory of 2796	2956	mscorsvw.exe	55
PID 2956 wrote to memory of 2796	2956	mscorsvw.exe	55
PID 2956 wrote to memory of 992	2956	mscorsvw.exe	56

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"
1⤵
- Modifies WinLogon for persistence
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\LP\B8AA\2F2.exe%C:\Program Files (x86)\LP\B8AA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\1F575\lvvm.exe%C:\Program Files (x86)\1F575
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2820

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1a8 -NGENProcess 1ac -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 234 -NGENProcess 214 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 234 -NGENProcess 1fc -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 220 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 258 -NGENProcess 1fc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 234 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 25c -NGENProcess 228 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1a8 -NGENProcess 258 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 214 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 220 -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 284 -NGENProcess 1a8 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 270 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 214 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 288 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 258 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 228 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 27c -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 228 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 2a4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 290 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1c4 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 198 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 1a4 -NGENProcess 284 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 26c -NGENProcess 284 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 228 -NGENProcess 2a8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1a4 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 268 -NGENProcess 2a8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 274 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b4 -NGENProcess 130 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 130 -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 29c -NGENProcess 268 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 268 -NGENProcess 2b4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 20c -NGENProcess 214 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:332

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2280 -s 428
  2⤵
  - Loads dropped DLL
  PID:1780

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
710KB

MD5
92e857b17d81552e1fc6743e071e4096

SHA1
0d0f19195a56f95f791d66d08a5c90d5fc7d0d7f

SHA256
df190a2dcb13038762eff05e15314aa5d434e6bfc18394da8593c768133a2f1f

SHA512
186fe80bd7089f320e7a7ace7a717e1fde1c7b6e336842c528ac150351a413ed942a3cf3462ce994d608bb3042dc7cca39939ea9c20ce61cf0560b2f0a4b8bd0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
bdad26e51b72d6c600417c0d9177f0f6

SHA1
90b3252291ee957f1a2fca8347acfacdc346a8bd

SHA256
aa44bb353ba9954d5cb2df1c5a582ae8414dd819be356eb6754077fa063a5066

SHA512
4ee13cfa155383e02aa3cfc7b60bfb2e717074d8bff88926166bdb1eed99f3172d0c09d66aaf6264779cd3eac2f8e989c2809152d9ae24c870e9d7cf656defdf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
85f6498cfa2822b5ad9d14e39471e821

SHA1
922ef04e5c241e21fc54c157e659d3499b88975c

SHA256
82062fd3088e2072cc8c79d8554a83484912041cc240625574137405ef5dd04a

SHA512
486ebdad4f713fd8555da2d2ba4f03f75ea603f013539f7217de11416803f1936fd36ab677d2489a84494c0f460b845ea56c52ae401aa52c2c2d233276a562c6

Download Submit
C:\Users\Admin\AppData\Roaming\A4D1F\F575.4D1

Filesize
996B

MD5
4b3aae9bd6268677cff5f63eb5f7f29c

SHA1
30f1ea672e2f99c2a5fdc750ad8fc8f415af7597

SHA256
951cd26b66a4f9b7d3fd2fc0ce7836e65cc2644962ebdeaa084ddc6b9ae21854

SHA512
c6df2246c43312487205a22f3ec27f4109e217840ec1d23d20c9a3c0b13496ef3b72810218384c2cf3828370efeaf5d3395f17444a66fc1811f66405b89668a3

Download Submit
C:\Users\Admin\AppData\Roaming\A4D1F\F575.4D1

Filesize
1KB

MD5
f71bab34bcfc0569b38829ea99d70300

SHA1
7ccf1a6fee7ffe8bd72fb1bbe691ae9dee69dcd2

SHA256
83f8a1928dd1da1c023576980c68d52948d456ed5d361b44742804c1a4c69bbf

SHA512
1373663a2b2658b77c7b07b21f046e95b2934d7d2e1d6863ac684fbcaee809f75ca1662027634aa2ec171122343dab49aa799fdcea6853e0ae799893d9e17742

Download Submit
C:\Users\Admin\AppData\Roaming\A4D1F\F575.4D1

Filesize
600B

MD5
46bfb081ad684017acb93deedee6e2c9

SHA1
dbb8586bd0f60f9af4aab8ccbf362eed4e1ccec8

SHA256
1fbc2c09e882f09a0a6e6c7aefc7a22b54c0e0ae69cb5bb6ed8c276f324a5f56

SHA512
ada8dfa4d1ac9dd71da267e3c07dc20253eaf81158a76bdcc40828e7d935d7cc470244a82f947bfa75019ee43460e6bb3920c9c4d14d1140fa603681fb0c8ce4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
652KB

MD5
c791645be81776922b944f5c1919bd86

SHA1
7bb9070d76c79c89bdde2e56a1bd85ec7d15d7d7

SHA256
3725c2b49eae748992643dd206b2fadd8c241c0349970ec5766fe4a482c62eb3

SHA512
270300d87b04799cb15829119d2724a97093a5ddb2cfd45cb5ea16ce7be20be15e0b5344a41be42d79a9f530da8f70bae75cda6be18a29664de568f480f76ae0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4d418c92338dbf7d69fa509acb544a93

SHA1
ee548823da87fa71b47f003588ccd7d7602317db

SHA256
c8ed53a4b12f7e005015d94fc36d6d51e990b6b49d4852229b266f3bfba9a5fb

SHA512
1c4386f8262032f139b3e8de92e30874ab1bffdf3f67819353cb4ee08971dcfe6dcde72dd9e7800c8bf776dacef30a070f149b6a1bbaedf930fca7cfde3f2bb5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
629KB

MD5
301156097f6f978bd135fe316beb8dea

SHA1
868eba1e318dcf66b802bed68e4dbaec89532996

SHA256
389b34f5c10b9b0b31586b333f0ecb5fe9f4a915dab46580ab3ebcfb93abe13c

SHA512
a9e2deb9fb359cfa906ece80f5b3f52f1e6af06f62bff759a9e4ea2756936f47e9ccec32d78fd0cae557bf7500814c0488d877e7aead2466486b14d7c6d16a0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8a03444ed0b16ff18b03c7b709b048c8

SHA1
aa38cd6c0b1308e748ba5533deb523ca0e7a4cd3

SHA256
05111a1fa5e17efe44430cee220b1ad375a520878b2ab6576f47264bf5bc7234

SHA512
e4ca92b4b1ca45d16b4b1312c378565c4b0a6d5320ec1081a5a7da42711bb358354cdaa04ae5f2d52e5a26940f1911497a27f601b659f6d34e47039a2c9ae48d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
660KB

MD5
61c240a8ab71d987744f679306ca416c

SHA1
a09df4e574f3806f8e0026d686a50cb02b4a0113

SHA256
064bc508fe079f480b3625b6eddda812ecf92ee42154977906d3e14b904d5f67

SHA512
dabf121c14cffe0f4d409bd4d718dc7572aef26c2b11be0809a5137def6e5c7279ec20d1dceb70a85edddd8efa8d65a6c0750314104f0364f946f8b54c43ce44

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
852d0c5a08e49107763f41e2ca4cb653

SHA1
049e37a8cfd32a4ce0ccbcf41b09442b9206debf

SHA256
802a123f64b872ae5afcd4f6eeef051d9d9f8a3a1981ff2b49a322c39953f115

SHA512
69f6589f8f6f9f8d4ae2665ed634a2897be392c72e5ba3a0ee311e9a94de36c3c4afa771a305a8ca0d20c9f5124fa74154e1c24ca9cecc9e2621e1f59318e737

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
710KB

MD5
71646b091212fcac22de4787e8400391

SHA1
237fc9e559389c4640373f9da6392c56d7d30b2c

SHA256
be8a778a115523f6f62c37a9081b0a6d248900049872c9f404a9ea768fa18bdf

SHA512
c73520d2e7fef8b5e0b84c68357d7c9468624d42a411059588a3d8ca8f39d5b5e579c2d336a465b02f7cb18b7fcf49aeede17ebecaf2a356fc16d33cbdcb2a9e

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
6258a5f9351c7017f64234642e0ad2b3

SHA1
7886e48250a082ec7aa3c7eb47b80688090b916b

SHA256
c92014876b38c8bd1f8412b3bb4445a77c5a3be32532270969056d6458c39429

SHA512
9938cbbf876d37b34490c488e77f18d703f556ff8076456e05e21e418fe433fd6ff59050a9615d3ab107fa3e9117967d2dcab586861e1a22bcda75020f536dcc

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
785KB

MD5
ed211b37b803628346faf365da023cf0

SHA1
acdbcc0820431c16a5300b8e37ada63a497285b5

SHA256
b724be1d1ecfa36f0d5c36f29707443dd17bb92627a20f222b1b7d7820581729

SHA512
f095ebc256cc988039efb1ee0ebe19fecf6b77576d9392acf0cf16d347a6cddd26417c7485f9e1f55c17992b5debd036a71b4690af6044f8c4015d365c6f8d69

Download Submit
\??\c:\windows\SysWOW64\dllhost.exe

Filesize
578KB

MD5
3b4a7e1c6127c89922c876b1e10c3ba9

SHA1
589983c3f98ba46faf5032153840626f1c3618b1

SHA256
7e960ca02e6a695d288cbc2aa8fe42ced92ca02c1d9197fdcbc1990a631d4ab9

SHA512
7318ccaed0b3274cb53c814f8dbbb508ac363c05383b2125bd07a9c20d4d40fb61cc3cd3ce425c195f33d7c62785ce7a993380b574b22cd0020eeb407770247c

Download Submit
\??\c:\windows\SysWOW64\msiexec.exe

Filesize
640KB

MD5
7b989e36451f764bf505a59ec84ce7ce

SHA1
a682c1ba7b3c2b9c2fd1b77c6aa0d595e2a60c15

SHA256
07a49a8edb0eb0c25160d4e4911e14c83c37d3e9f38075e89147c99f3a0463b3

SHA512
7edc79bfee4b28925540d2d987c556c4f0529b5e86305d5379611225bfd1a961ed66a5de5509c0c927833ead6aa742d96594f12b0d3309bef2e0cee8f0614e1d

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
591KB

MD5
856fcca3d7ce7042fa378641a60a9d57

SHA1
268f345683d887b4487b20418e50b9a858fa3b76

SHA256
4fbfeedbe9405fdf0fce4c330ed0ab173d232e1b4d64facd851abec43931c1da

SHA512
ad307f99fada7ff02dd0847122848e39f86664106344d4a4829b991f84969860ecd62a6c3c44d61f5a64bc9e9dd791925dceff4f5c6b91c532488015221f2ed3

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
46fd7f934e86bd3e1f1abfd5e5154de6

SHA1
432ccb4c838d1f1d48f66a767268690e745039d9

SHA256
a7e0066712bb85f1e60a8fb7434b44131a4dfbd8dda8ca9bc1945e339b222d83

SHA512
30abeddfe8704091f7bdd642966368589d9fd65fecc88961582f7d47485084dfdc8f169a8f6ace108d2a00fdef8a0cb888b4a2466396812459c79c02669bb904

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
695KB

MD5
35eca321328ee56160f3cc0a1ea71b1f

SHA1
e7cd6aa06a993337e0bb2c38faf8f12b03e465ac

SHA256
da501e0fa59f7a8b45f2565308204f5151ddcdbcd70828171adc08265b0ff125

SHA512
b0c0642cb7b659e0408a0350c09c61d8cf98420f05653ff7e305798669cfd7679fcebc7d03edf9a1466efac3a98f707625923b1fef42510677457a2782aae44c

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
607KB

MD5
df72e932dc73e09078ab306fd4553911

SHA1
f33bb41c29edfc7dee2a13c6cdedecb2baddc52b

SHA256
e2e3171e91e72a78fe2a23c1f305db8bb376150d81383095ab8d72dc9765b9e5

SHA512
c7bcc8d2db41b5a1e4d272a76d219b82ae24fd83d5d5d8dcd48b526dcf10b6b83920468415e339b8e337e72709f19aa26f27278fdb32f60867d4a20afe0438f1

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
648KB

MD5
f7975d3e4ca91898a952750841d7eed4

SHA1
c1549c11bc6dc688aae28ea17a7cbcd210757cd3

SHA256
d4be8505a0f78d62662e758c01d7676443f39c9744cc4efd78fa4e6f03742e53

SHA512
8126658eebe36ddefeeeaeae1b283ffdffa69d5487c4b83d0f7897e72134036809eb24efb1ccfdeab6697842ea05718522f3d46b53746575281416e8a565c598

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d00ab1ff234de56541012d2c96a963f2

SHA1
e99a05cb0aca82e825ae7418ae8907a5cf874f4c

SHA256
2b81ad08eff84da9fd505489ef81e15ae81ae7c7048958ffef7f2b040aa8964a

SHA512
124eff6798dbf65ea4bf803d51a7eaf9225edfc99c017d0877ef0f1e7fcf17fdf47754aee0ed02d48204e524c0d67984413f0a328a471983ec02a140baa09736

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
709KB

MD5
abb45f21a2a6eaf4c56706b4a863ceda

SHA1
080730c2cea074073384a65b45bdb13fae7ccd27

SHA256
e1ca42d7837e286c4fb910a21bbeffc3ce60cada925f4c3154672c921609abe7

SHA512
4a375a79c388282cf435cb036920f53ee6cbae57542f0066414c4fc0ae27abf3fb684fa2b22e0c7c179ca5364ad160ecde908befed909f6a63602bbd0e23fe0a

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
695KB

MD5
5a0663ba39c773404d94b617b9dd91ed

SHA1
99f21e38370432523126b4190271332f9e8d0451

SHA256
3e44baa6335b9822b2d92aca6d8027debbd9ced63dd06b074a4b70ed426191c9

SHA512
d2c9bdc22aadfcd881107a8a188a80521aeb9623dfcdd6c42a577c810681c479043d09e527087e10fb6e38cbbf9f4190da0fda047e0498e4f87e5699de2ebdc7

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
585KB

MD5
c389beba777c017fa460cb83cd8438ca

SHA1
ea5de0923264ea399cfc2c78b3c1eaece1136086

SHA256
c2cacc1a7bd65b4360e547398e26c11fce4a54f0ee30dd9e27c5a8c793d332b3

SHA512
87af03788c49978d97caf82bcf46436a26a9ff2c9a283784aec6ce5bdcab8d61d624032efebc21647a94b82a739e8ce80e4e8761dada57a2a16454d5dd3923d7

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
611KB

MD5
7d73c9a982fa0f48ece2db68632082b4

SHA1
1c5565da588a6f47553878e9312f84232c2a0cee

SHA256
a66e5c4c35f21a0e821afbbd34e4111b83046439b01ed8a2741493032d02d2a4

SHA512
53f6520390b11cd758cf4363b46e93036de16494c2e342e4a0752c6d87787ef95884144d7b696a9d741158c8f39927fba33456462d48f9e35b6d9e243be567c9

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
43033a936cafdd00a668a03f204774f5

SHA1
8572327787ddd54544f2a46c0c4fbcf43ce38075

SHA256
ecb7c900de827ef149601d9b6591cf6048e9f074a4e51b32c388f3c1945cfec6

SHA512
26179b88b559f2ab618cd4db4b2d1a408bce08f768e593b76b5a5287953c8ccc66ab8e7413aa5fc1c231dd5ff7102a4f4474177c17df66f9432681a1af021593

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
e4707a386df92022f7efc948d8e03277

SHA1
e9bc9ce59c065eaa128814a9e6558167fd6de236

SHA256
520744ca999a0c5fd58a2232e785d6e391df8c40df16f32072b07c8768645474

SHA512
728821eb7fa2154fc27648c34cd85e1b901b7e3c95809a7ac602d7e321f30bd21c7eb1f7877a1c89849dded840b6ef58c1be60fab9cb45286ad9024da7c41cb0

Download Submit
\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

Filesize
1.4MB

MD5
d2a646038b9dd19096a3ca2edd2e8b27

SHA1
5495caaaaa7cef458b6a7b11998b9a0d3eeeb6a6

SHA256
faf32ce6f46353c820f68e9e7a39fff8a859dec3417ebf4ad469474152578798

SHA512
337f9d70ca8120628996c6c43f25e4eea9516d22497e19d2a782dd0050c5199ee9b5df2cf45e058e668776d6f31e980ee73889856f7257b84d04a9b1eb3b8b64

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
682KB

MD5
d3ea836aa29ce531830010cfea5a20cc

SHA1
3af566dd2164703e02151e15694efcb3f74b7de9

SHA256
c32913cbd9cf729d1af8ea04f513e90e257e0b52b4217ae7bc953ff2307a2969

SHA512
97fadd5acb5b6edb40e6d6e5e4c2669e0a3ffded28bf56d031137c0c57aa4b89dbbb537b318ab3b04a93b0e0d856219508610ac29d369fccfc212e5bfc45611a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
678KB

MD5
1c44ce6863701190719e6bf3c5cbe325

SHA1
be1a749a4c0d7bf335107c0e53e343eb4f1340c8

SHA256
8657d5d77e7399ae482a3033752cc0ba0e1877a69f797984c758c47673383da7

SHA512
ef794efeec5b0ce79390e24be58e96bdb8b5171b25ded3c21b2a4abe14f24e89a717981f3615e99b6fdcdb80ece54d64e1cc9c1be607062679b47501d0b15220

Download Submit
memory/332-688-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/332-690-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/332-225-0x0000000140000000-0x000000014042A000-memory.dmp

Filesize
4.2MB

Download
memory/484-520-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/484-368-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/484-421-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/848-524-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/924-460-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/924-456-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/976-239-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/976-449-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/976-400-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/992-482-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1052-529-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1252-462-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1288-691-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1296-523-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1328-468-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1440-503-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1496-427-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1496-457-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1584-474-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1708-501-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1736-466-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1780-483-0x0000000003220000-0x00000000032DA000-memory.dmp

Filesize
744KB

Download
memory/1780-485-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1808-464-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1984-196-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1984-214-0x00000000007C0000-0x00000000009C0000-memory.dmp

Filesize
2.0MB

Download
memory/1984-216-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1996-505-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2028-19-0x0000000000778000-0x0000000000790000-memory.dmp

Filesize
96KB

Download
memory/2028-15-0x0000000000730000-0x0000000000930000-memory.dmp

Filesize
2.0MB

Download
memory/2028-11-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2028-12-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2028-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2028-17-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2052-528-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2052-527-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2180-507-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2280-240-0x00000000027F0000-0x000000000287F000-memory.dmp

Filesize
572KB

Download
memory/2524-689-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2560-61-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/2560-60-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/2560-75-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/2620-24-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-4-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-194-0x0000000004020000-0x0000000004303000-memory.dmp

Filesize
2.9MB

Download
memory/2620-14-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2620-213-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-13-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-246-0x0000000004020000-0x0000000004303000-memory.dmp

Filesize
2.9MB

Download
memory/2620-459-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-513-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-10-0x0000000003830000-0x0000000003B13000-memory.dmp

Filesize
2.9MB

Download
memory/2620-0-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-1-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-34-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-534-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2620-44-0x0000000003830000-0x0000000003B13000-memory.dmp

Filesize
2.9MB

Download
memory/2620-2-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2692-478-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2716-472-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2740-85-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2740-238-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2796-480-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2820-63-0x0000000010000000-0x0000000010263000-memory.dmp

Filesize
2.4MB

Download
memory/2820-46-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2820-45-0x0000000010000000-0x0000000010263000-memory.dmp

Filesize
2.4MB

Download
memory/2840-470-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2856-476-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2864-514-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-487-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2956-673-0x0000000000730000-0x000000000074A000-memory.dmp

Filesize
104KB

Download
memory/2956-681-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2956-682-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/2956-683-0x0000000003700000-0x0000000003766000-memory.dmp

Filesize
408KB

Download
memory/2956-680-0x00000000007D0000-0x00000000007F4000-memory.dmp

Filesize
144KB

Download
memory/2956-679-0x0000000003700000-0x0000000003788000-memory.dmp

Filesize
544KB

Download
memory/2956-678-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2956-677-0x0000000003700000-0x00000000037EC000-memory.dmp

Filesize
944KB

Download
memory/2956-676-0x0000000003700000-0x000000000389E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-675-0x0000000003700000-0x00000000037A4000-memory.dmp

Filesize
656KB

Download
memory/2956-674-0x0000000003700000-0x000000000378C000-memory.dmp

Filesize
560KB

Download
memory/2956-672-0x0000000000730000-0x000000000074E000-memory.dmp

Filesize
120KB

Download
memory/2956-671-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/2956-74-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2956-227-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download