expiro | 2e410d578b4089e73944da93e75cc6d1ce59fc68cf9212113f0395740c135701

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
Size

672KB
MD5

6c2dff90879c1f9661ac72c6baaf7260
SHA1

9347c2e4805a0e66c76ea84703e9eb72630bd3b7
SHA256

2e410d578b4089e73944da93e75cc6d1ce59fc68cf9212113f0395740c135701
SHA512

e817d71a6d2360e8a56faa1bb19e1a15b62d7048257c002de7e575e1ccc1c71c065598b7587211bef4cf827196e81b7e437e01301ccaa95f92c652eabfb6053d
SSDEEP

12288:tU7xC9VRB2R52TpvLult4TxPex0VXecPbJye8zd1DZuxppyr:tUSV2RoTlucmx0VXBJyeYlZypm

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral2/memory/3344-2-0x0000000000400000-0x00000000005C7000-memory.dmp	family_expiro1
behavioral2/memory/3344-161-0x0000000000400000-0x00000000005C7000-memory.dmp	family_expiro1

Executes dropped EXE 8 IoCs

pid	Process
1504	elevation_service.exe
2764	elevation_service.exe
1752	maintenanceservice.exe
436	OSE.EXE
5008	ssh-agent.exe
4676	AgentService.exe
2888	wbengine.exe
1780	TrustedInstaller.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\T:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\U:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\V:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\E:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\J:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\K:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\X:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\H:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\M:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\S:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\W:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\G:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\L:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\O:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\P:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\R:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened (read-only)	\??\I:	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\Appvclient.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\Agentservice.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\7-Zip\7z.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\7-Zip\7zG.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\ose.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	\??\c:\program files\windows media player\wmpnetwk.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\7-Zip\7zFM.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.vir	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3344	JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2dff90879c1f9661ac72c6baaf7260.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2764

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5cebc3d640f5412b608b85ad14bd50b2

SHA1
f90fdad7f7e1f30a3cb693e16c9054f9b6fcd3d8

SHA256
01ffa71fcc491ce72770a685e67cd7a29d5f5b8742760b31883a6c6753ada761

SHA512
bf641dc99cbe397fac67b45c8086c63fb4c6870cc9d3bce926a675d2415b5ac0cf301c2f5bcbe7ed07e50bf1ca0d835306ee914ae170280bab76cacc43670972

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
731KB

MD5
9cff6ee6d470ee12c9bad1a37129de3e

SHA1
3c460a133a7a05b3569a9ff04228f5b07c65b0dd

SHA256
f4bda2b18270b13b608202735c6978426acdcaf722b66db3aa7c2e9758f0b46a

SHA512
d05951da0de8ed4572f4c2a39349b41ca0b2c58813bdcbae490bff34e0be05927e7bb26fc72691a21cd92c8d4d1abbfe64de3e70cc32aafb505df7b7ed20b8f0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
748KB

MD5
a9bcf2495529b516b522039614ceb14d

SHA1
91f9eb37bc03fd92384237b9c830cb4a64f09cf1

SHA256
bd1b4863eb8a7312651b76524f38f8782c0c5f163718b369a4f5cf8eb54f7ab9

SHA512
ccba191fc08e288dec318ba3fb855bcce98271ba83b79fa5f4f69ca6bf7316ec5290843da302ee197b73b4d8f10c9378234d986e334e0e58e0663eea77088ba3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c1dec6c26a1b7ab5161430954917c775

SHA1
2ae1e14d2e81a3b6d00724ab9402f9db99533a82

SHA256
77fd75744d8b4303e2d973acf2bd5a4ea00a63c3879536b54954b630fff9585e

SHA512
f90d0cfa3e56f8c5a64073d610ca5ec0df87c6053689d76374c32288b52e54e5786c6816fce1e0263befe47e4d22843cedbbd43719a732bbfe3f90513442e67b

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
931KB

MD5
eec58a37d9f4cb3cfb8788dd38b4bde4

SHA1
c76674a7484231e757416c5807c3afe3e2ea1f0c

SHA256
3952946953f46198fbc7034a6e2ada7f8b1fad305f8dac8179528da5a31ff4a0

SHA512
821e719ff802c8f1c42d4635f23cfbc0f22bddfd573f77c81adca6d824d6e516fc63d78142c14c1acfcb54cc993b67d2ee77e9a767650810c453ac3a9beee2a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dd73f76b887248d100197dc44009856c

SHA1
10f1515306915366deba2064aea43fe752090506

SHA256
0567f61b1105756910b61bc9f30f919cd2e7bb7827f7366244feed42363ad0d1

SHA512
eb43b424e03b77abaff3f8c134dc1686595b571c7e659c8d27a45604327586181e7dc5dc1399063b77124a0ae6c8bdf9f5e4fac9c84f447a8316a1e7e8a45662

Download Submit
C:\Windows\System32\Appvclient.vir

Filesize
1.2MB

MD5
d1dfcf585d3a0c49eec9b203285d7e90

SHA1
a4f06cc35baf3bb29d5bc2502fbdc7af4201aa9b

SHA256
ad0f8202b5ae5373ff2e128735e56a5caf9b94f773e4505443b1ee390c3804f0

SHA512
cfa89fe278705f4b0e477f36561a9d8e08fdc79a5ab89faec049e13f0d40e04bc983b115fe30cde831a769e6fe7c5a0ed6a73698b013b2c74b02cc7270f81a3a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
22d8b3f56627110f9e91c5dc0806673a

SHA1
8b8685018f89b2d0a40d680c4e73fe43ab09241d

SHA256
bb3ef7ffc6548f708cc21e9fd1d6a66afecbdfd3972fa4bdb2211f10377d8481

SHA512
9f6892c7489a980b07d8e7926314def840f8e04bfe494dccb1025a9450153b8eb9ede28f6a5704dafd90537fc274575399ef3b3e1c91716b0e85cbdf30feb542

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
950c84aff84894574bdadbaf08a9db62

SHA1
a6748a11079d050724e6c78a111a14c8055530f8

SHA256
c0af7ff7c87d37b55836b1020248a2bf0fa002ff38e8c7bb2b1b1c3a9623c081

SHA512
cd50ee9ca055d7533e524b3da37cfc5422923ecac6a6f8a95dc8702573d04da0b676db180fd57f52796ba29d18fb28d643380925f63f76b1dd40ada1f45ccec3

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
memory/436-59-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/436-60-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1504-21-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/1504-20-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/1752-37-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1752-36-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/2764-29-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/2764-28-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/2888-89-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/2888-90-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/3344-0-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-2-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-1-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/3344-161-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-81-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/4676-82-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/5008-74-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/5008-73-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download