expiro | 8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Size

740KB
MD5

6c0d49ae62fcae54b6a55ed54e2c4ab0
SHA1

f3bf56d0e7c73e9930c8743e6a47c042f8eeeb6e
SHA256

8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43
SHA512

f865e0be6c3d3d0813775ebf59d25065c2cdb87368ed5283bc7e1a8cd0b24f9e0fde10af6d37822fa3a5ad10cced2233de6c26f9ae41b23fa1b5500a420f6834
SSDEEP

12288:Nori4cphZvBNJJGdwOl/EmOWbHVztBSlgG/2jKHvJnzAzdjW8pCKkL3:Mi4cTZvBNidzSoVti+jKP5Azda8pCKkL

Score

10^/10

expiro backdoor credential_access discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\8E8F6\\F2ED4.exe"	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Expiro payload 15 IoCs

backdoor

resource	yara_rule
behavioral2/memory/3240-4-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-5-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/2756-11-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/2756-12-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-17-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/2756-20-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/2756-22-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-30-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-29-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/4368-177-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/4368-202-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-203-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-400-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-537-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1
behavioral2/memory/3240-550-0x0000000000400000-0x00000000006E3000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 7 IoCs

pid	Process
224	elevation_service.exe
2432	elevation_service.exe
2372	maintenanceservice.exe
3056	OSE.EXE
3716	ssh-agent.exe
1044	AgentService.exe
2600	wbengine.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\N:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\O:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\X:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\G:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\I:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\U:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\H:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\S:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\T:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\Q:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\M:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\P:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\J:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\Y:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\L:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\W:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\E:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\V:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\R:	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\spectrum.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	OSE.EXE
File created	\??\c:\windows\system32\pnoelngg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\msiexec.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\SysWOW64\fmcagcmc.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\njbfcjbd.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	OSE.EXE
File created	\??\c:\windows\system32\jhqenqqn.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\egleqpib.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\dllhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\msdtc.exe	OSE.EXE
File created	\??\c:\windows\system32\dndbglga.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\nqhiilmp.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\openssh\dkfhcipb.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\lnqifhkk.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\ibnbchfh.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\windows\system32\mghmajin.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3240-4-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-5-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-17-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/2756-20-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/2756-22-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-30-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-29-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/4368-202-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-203-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-400-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-537-0x0000000000400000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3240-550-0x0000000000400000-0x00000000006E3000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\nkmjnipk.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File created	C:\Program Files (x86)\Microsoft\Edge\Application\cbfkhjmg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	OSE.EXE
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	OSE.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	OSE.EXE
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	OSE.EXE
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	\??\c:\program files\windows media player\epihdnme.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	OSE.EXE
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	OSE.EXE
File created	C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE
3056	OSE.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
Token: SeAssignPrimaryTokenPrivilege	1044	AgentService.exe
Token: SeBackupPrivilege	2600	wbengine.exe
Token: SeRestorePrivilege	2600	wbengine.exe
Token: SeSecurityPrivilege	2600	wbengine.exe
Token: SeTakeOwnershipPrivilege	3056	OSE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2756	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	82
PID 3240 wrote to memory of 2756	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	82
PID 3240 wrote to memory of 2756	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	82
PID 3240 wrote to memory of 4368	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	97
PID 3240 wrote to memory of 4368	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	97
PID 3240 wrote to memory of 4368	3240	JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe	97

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"
1⤵
- Modifies WinLogon for persistence
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\LP\D488\C69.exe%C:\Program Files (x86)\LP\D488
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\F6883\lvvm.exe%C:\Program Files (x86)\F6883
  2⤵
  PID:4368

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2372

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
83f1e5f53680c224123faba21af10a60

SHA1
07cef0f90d5280cea8e61637d643e83c5bef0753

SHA256
46dd06395d2d8b2982de57feb47945504d575303bb565ebd365c44868828b175

SHA512
26f8af421463a5d2e300da371c05d7a25c52f02fa0affd18e1519e46ec06a45a4044ff8dddc7691eb0695775b56e86990d651c5bf2cf5384ca8b6b1e28421e9e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
793KB

MD5
6e5ee10eda01266c12734ec19e812e85

SHA1
930b862fb8b3bb98343af374dfdaf3dcf3cd9a5c

SHA256
87073d6d539c191e5e1a540ef8ff252ce20060cc0bea0be3a19b4c0eb04c30fb

SHA512
595877d161215287aec1938e48d567114fb08b0f0e346d7055ddd9345f0e800287a40ac29b99b517e199aca4ef8e45278fa8faae1dc341db4799860c3838deba

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c47b351c3d1677c5d42b4634e8986a7b

SHA1
05ea4c7b7d080a37311bfc50a7b462d648f05a75

SHA256
5ca082901df1f18cbd065f3b5b987b6eb7b6e13a10dbc14eb207b0bd38324e6c

SHA512
3e0626acc1638bbb0ca07dd059cc66356247bd7b322598c2b984ad480f4c8e06564db334e23fc7885b7b7864b3f56efdba3ed667824941d10fd68e14cdb4d044

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
50b73f036a225703cbc859599b15adaa

SHA1
5d11c33550d31eff5dee3f5f6fbec0b4a56165d5

SHA256
4eaeccaea3a0e43f9617ae908c68ae98c3b64526b76d3054c97c749f33a2dc85

SHA512
183adb93ad7cbee07490823d70fc0afc18750c7987cd1b1012edbf61d227074ada4632ef21ebafe95ed0d55f5c5583b5201b6e6c139e6bc6ea3c7c5c81ff496f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d0e7053518029c9c4fab11764002a88f

SHA1
e7afb34969989277ff48d590a79435aa19d6f55a

SHA256
dfece6a4e0dc093160c6f59f1340dc838361ce1ebb91d470691019acad92cf6d

SHA512
34042a1ce8c785536aed57884f4065c41093c64058421ff1efecbd35f52fba90ece290bc06bce2da49bb6a97c3c860007e9228955253a411277d5e1986e86364

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
98285e8fd7f66b2e2334a342a8823b57

SHA1
ebefa022321de565cf363ec381a79f96caa01fe5

SHA256
d3af9e4dfefcfd03c61839bcd0c039e470da5ebd1e0f5835311f412cc740048f

SHA512
0fdaa269c8a1a8b0d84e76aecf8b1190de1d85e80410b1e48aa7b1f2080f4f0185e1102aaa9c5d9e693d609cc556f8b1a5f31de8852b29fb6072781d28635b5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
844KB

MD5
c8f0695e1a3af2664a2e0684e2881372

SHA1
09f8b5eae8f9449fe8eecc32c7f6cf35c6d7f752

SHA256
206ca5e757543932b9fea551a5a9b43ddb09db011b6d74ad45e7c74b1705f46f

SHA512
8df44e4eceb35afc215b70d6c796c2cb7d27aff410c33d5b75f3cc272fb19d0ba4d5c2e65c995430b902067e62708436762bb5bd55c8c1676b46444e38760c93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a02057deea476d45da6768d67dd9ac21

SHA1
d7860db1b3c3b79db3b3a5106e7d8b6bb6d058af

SHA256
bdac1a6752fff28908330a3808ee739764b1201a1261e09c51cdff02a6557bcc

SHA512
273c1d652a4da63f10e9aa3b211715a324cdb87541aef5be4f7be82b8cc35b10964b850c4a471e298c90a5a9a6a59c313bf90a00f65425d167abf7016b4ce2d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
914KB

MD5
a04307fdae683da57a65180f67267cdf

SHA1
0ae0624d6cdeda5e612c1500d1fc9e42ee9c07e8

SHA256
4d2ba9cb4130b921fa090919ef4b1ea7746f8b929fcca25712bcfb557569fca2

SHA512
10df95b9c2e894386a6599bf09ca3095ade75ecba6b6e1c30ac3c7fcf187b5b2373925ab080794073fb2839516871a2fb101792c3228493c38d4cf1517c637ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f2e503480c1e2b4da39c33d1aac48b47

SHA1
a60904e7ebbf05a100f69e39ed478a43d3c6cc56

SHA256
6fc4c705bdde44ae1861c13443dc14fad9fd1c6cd6a1d0fa60c25b1402bdf2f1

SHA512
1c3e21add4f6eea71972da432cf9dba87441e18eb817f8adcb6d25e7bea3f79fae30d8affc80d9796c19fca7da52c94464a2bf11297e093a5f258f20287f154d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
829dcee317eee14a176541c30b54b41e

SHA1
c6768326c4875bf5f1d427c1e4266965da792d15

SHA256
143a304c4fb7c04504ab2ff39c9efd9422e1c521eadae8abd91168d6438c35ff

SHA512
7dbe892579847a254fb9c9f3f2f583690e89ac153b810143e6778516b9e0893df212fa61d932376900be6b71f0b7cd8d8b135aaf3df636e1fc64dc6788cb0ac0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
809KB

MD5
59fa61213847e413516f919e5af5663e

SHA1
e4e44984f1b44603064e2e45d30b9cce51e5a0b9

SHA256
acb4c4e72c7123024929bc8983c654ebc170b39c994e7c5bb73ecf440d63e6bd

SHA512
95e99b418eca07e66bd69159f4569657b620da2b37dcc449baccc1e197302a9c9b82f7be4a14e18e5a947bb87b6fd10d0b9a6be12506a9a12f788f53ad527b60

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
aa26e1f15b29ad7254c6e99635137362

SHA1
d5a9d10a90ecde8b6495c56ddbe4bcce046c0cd7

SHA256
613b4e702e2dbc6353501fd3da954021661cf9ea288f6969419908181199f54d

SHA512
1655e7708ca4564c667bbe1fb441e13d966606895bfbcd75b16e6728fe096a80c940e43fed5ec6276140619745a6a05a8cf54277c4f411ab4ba32603e99892d8

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.4MB

MD5
ede925d04fdc3f441c9dd296c3a7d712

SHA1
bbfbacb2032dde720a79053441b16f521c262d9f

SHA256
d7083b2a6155beda9f7f75f3b015084e902cda6a9fc9007c753a0e832a5ebcf1

SHA512
6352d023c867412167390a3a4277808591abb5043d8054093db4d3d2f492d42c67b68985f91d8ad1cf71e692b075c778ba50c8afc5b6480ade0b1fe84bbb54ee

Download Submit
C:\Users\Admin\AppData\Roaming\8E8F6\6883.E8F

Filesize
996B

MD5
ab77a814f1a121f564d8f281dbaf3394

SHA1
42a1d15dde72bea34e277c94f67e70cbfaf5a7e2

SHA256
a023ef5ceedef1c36b294d0ad3c818f1b03c9f72ac64f4c90dd617379ee2186d

SHA512
7f522c2b4f85241549708a2d2f355d4132fc81ff21d9a464309f9cb28ad1d2cfef1fc8618ef590a3d778310d6fc748b494fd7334e21780a0f4f2d31d5d2aab13

Download Submit
C:\Users\Admin\AppData\Roaming\8E8F6\6883.E8F

Filesize
1KB

MD5
94ca02c70dafd60e1d682b73b82358f4

SHA1
66f1978d878c49a6152b481f97613122a1357302

SHA256
3aa4cd584f15f3d0c233a588704a25aeca12e44dd35438630d101bcffbe7aeee

SHA512
b3e8bc2afd5c73d1b45791f3c62ee7d7ab47ff8443b5d70b277cdcf1a0262719cb5f647cd7049d1153e684383b1ce39466b845e39432be70894681f0c2053652

Download Submit
C:\Users\Admin\AppData\Roaming\8E8F6\6883.E8F

Filesize
600B

MD5
4f2e0a673cf31411164f4bd7b53ed485

SHA1
a82c3a8f3cf05910b5d738ca336b5ecdd8b4cffe

SHA256
af821120e08fc344169195a686a2ce1ef12ee5e02f7fb78381a3c5b9b9016a02

SHA512
6d2b9eb4530eedd4c2a96d2dfb51d63ff60ad954d0c5c1088262351ad78caf8e963477b8137f1670befaf84c710034762048b8c7bfb74820d87fd155e8937213

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
994KB

MD5
b8285bade6d0f35cdb783a3bcb63929f

SHA1
074032ab89c6b3c0c46bb92e187e19e0dc0a8bba

SHA256
a29d40c7e2871ef779cecea90351fad11b4e8d99638ccec9572bfca412423d6a

SHA512
83dc514e0914eaf56fee193c060012fadc515a7788838953d7339e1bf94385552d0cff280cadf46272b2e2261665df61b497b98cc889aa091a6b7fc8b52ebcae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ef17edb39b671da05c27a6e58bba23cf

SHA1
2a0100283846f568294f41d5b58f4af79955e3bc

SHA256
7f8dac3d5e417d4ac0230daa9e0415df9d0e5e33ed8babcd25759b121b0acbff

SHA512
5c43f880aea6eedaa3527f30482490951a4814d4791dfc39e996ad7643ccabe1009c1bfb6bb522d3923481c81aabc75053d3c586c8ad4b167f122ff75b317eca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
944KB

MD5
f5b42743601bd64fee89b156a76d3719

SHA1
e6274d739e5620f885cd92a2bd47f4e984c775be

SHA256
dcf14657b6aa2c7ed8ca7bee05cca735cf2b9b34580a1a68eb88005bf13de7cd

SHA512
ff26957b9fb38302462ba73a7bce4170bf6bd3e6dc7f44564049b5cdd0f66cc95ca93891249e350fc616622850e232c41571099c03db18ee43f12f5ff96a8157

Download Submit
C:\Windows\System32\mghmajin.tmp

Filesize
1.3MB

MD5
35912ef729e1c300726175dbe69fcfcd

SHA1
78136f2a78700425543d7744a5e06b9906b7c4ac

SHA256
164390d93229801f0d22c98d7552bc8a785ec2d2b2cc19e690ec22ffdc12c7a0

SHA512
d5a310c32ce603fa45d641e756c017cc954434edcb6838161f215cf501f36e49b53ac50fb9b57d88d43adc46ea7e4df7f7eda8adf1c066bd975a60a6c03b3730

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6142751fd49396c7f9d2a21a82282bb3

SHA1
9546796197d3c98ae22b8061c19e8d2cbbf0b6dc

SHA256
a97c9d30dda2dce63b3ae306e9b8da0ee81b4f682962044e11d95669f3625d7a

SHA512
6777cdc3c75b89fc48f3958cb0ea0ba88343dcc864e4ee1d73bc1895744636d20a45fe89a6738715c475b7155d3346f26b1c5a141a044928167d51350446a055

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
4c8acf7a0aa0e965b13b70c38d3efabc

SHA1
cc147442a8afef59aea25cc9007ae0f9a7a8e532

SHA256
d47116535421cf8ee827224172f4ae400192c2d6134ae1a4bbc1130c54224002

SHA512
e821a52c65aa9ad1fce12a33027cee8cfffcd72f6eefdc821c8309f09baf00d790aecf9a30c1c732e40c99f2dad5ef1a6cff49e85ab5d03866ebc8d2c1394217

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8d97562693292cd4bb4a3a28715e9827

SHA1
1815e21fdf09e5f82466309a4aedab2a3dea143b

SHA256
3fc7e740132506207119db58d652a8c0d6bb1c4173821e7a42037b23e3ded5b1

SHA512
bca45617262b01cf7efb20049ae59d2929f25596689a4b14b073435f7f99440ba612facf4635c4c87275ad4ae17db767575868a5eb6c94e14110d9ad33c77e29

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
716KB

MD5
0f92685ebcdf36e955040e90c01592d9

SHA1
873cfd16788158b1bc3a216ea9c1e852b8843d51

SHA256
7b3c65762d4e011a9a230bf23183979f926f894f77782806e6d61a7eaac8dc4c

SHA512
c9786be6c7f793a6678323b24304cf38e545ead784d87bec848ab9f6b4dc35e25b4591e4bdc77cfd709ed9584380c4fca83ac1aea4aac4bb2b527d6d7c069186

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
639KB

MD5
54455826fef9f03ea16eb0b07418dad6

SHA1
c1d5a0f66063c5955f0fab7372147a892d69cbeb

SHA256
daab0f98e81d9a35a75f9dfb53537950079a15a91a2a74cba7eb9484b80035b2

SHA512
352b1828adfd5a890728f229daa0322ccad1f652366c8247d9b5c2aa4b0e4eae9eacc1163b4ef9af77d0616d02f7b51f9f336086ee2d1b1d9a49fb968de9a458

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
588KB

MD5
37139aebbcba12b8a63b73dd64637f47

SHA1
0b84d44859f20e75c368a593677125b9f7e886e0

SHA256
2f6e4133692589adee4cbb802b49a9290f3f0df277c32a196c38fd7fc601b121

SHA512
686bab2adb1f7a1648ae31a5f30e56f714a3ddd91375d8d41547a4979411f73996aee3673f0ac6578c628857c27c7b841515628987435b9c38de80ccfb5f5f85

Download Submit
memory/224-42-0x0000000140000000-0x0000000140427000-memory.dmp

Filesize
4.2MB

Download
memory/224-43-0x0000000140000000-0x0000000140427000-memory.dmp

Filesize
4.2MB

Download
memory/1044-218-0x0000000140000000-0x00000001403B3000-memory.dmp

Filesize
3.7MB

Download
memory/1044-219-0x0000000140000000-0x00000001403B3000-memory.dmp

Filesize
3.7MB

Download
memory/2372-165-0x0000000140000000-0x00000001402C2000-memory.dmp

Filesize
2.8MB

Download
memory/2372-166-0x0000000140000000-0x00000001402C2000-memory.dmp

Filesize
2.8MB

Download
memory/2432-50-0x0000000140000000-0x000000014041E000-memory.dmp

Filesize
4.1MB

Download
memory/2432-51-0x0000000140000000-0x000000014041E000-memory.dmp

Filesize
4.1MB

Download
memory/2600-381-0x0000000140000000-0x0000000140409000-memory.dmp

Filesize
4.0MB

Download
memory/2600-338-0x0000000140000000-0x0000000140409000-memory.dmp

Filesize
4.0MB

Download
memory/2756-22-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2756-11-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2756-12-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2756-20-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3056-337-0x0000000140000000-0x00000001402C2000-memory.dmp

Filesize
2.8MB

Download
memory/3056-194-0x0000000140000000-0x00000001402C2000-memory.dmp

Filesize
2.8MB

Download
memory/3240-203-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-18-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3240-400-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-0-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-30-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-537-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-550-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-1-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-2-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3240-29-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-17-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-4-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3240-5-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/3716-211-0x0000000140000000-0x00000001402F5000-memory.dmp

Filesize
3.0MB

Download
memory/3716-355-0x0000000140000000-0x00000001402F5000-memory.dmp

Filesize
3.0MB

Download
memory/4368-177-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/4368-202-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download