Analysis Overview
SHA256
8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43
Threat Level: Known bad
The file JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0 was found to be: Known bad.
Malicious Activity Summary
Expiro, m0yv
Detects Cycbot payload
Cycbot family
Modifies WinLogon for persistence
Cycbot
Expiro family
Expiro payload
Disables taskbar notifications via registry modification
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Windows security modification
Reads user/profile data of web browsers
Enumerates connected drives
Checks installed software on the system
Drops Chrome extension
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-03 10:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-03 10:40
Reported
2025-01-03 10:43
Platform
win7-20241010-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Expiro family
Expiro, m0yv
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\A4D1F\\62FB8.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Expiro payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Disables taskbar notifications via registry modification
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000\EnableNotifications = "0" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\kihlpche.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft office\office14\hdggolld.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ojlkabom.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft office\office14\hbbhnach.tmp | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files\google\chrome\Application\106.0.5249.119\oeejgpmn.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\7-Zip\hlepeenn.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\jmofaklb.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\DVD Maker\clmaedbq.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files (x86)\mozilla maintenance service\inechdaf.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\7-Zip\mgecidfd.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\pijgofaf.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files\windows media player\mheoachq.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Internet Explorer\bdiaenko.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\7-Zip\cedpmnkl.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\7-Zip\mnmjadqg.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\obkakffi.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mclhemcm.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFAF2.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\iddoefmk.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\windows\servicing\pjpccaiq.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | \??\c:\windows\ehome\oiaiglql.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP696.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | \??\c:\windows\servicing\nopbomgi.tmp | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\windows\microsoft.net\framework64\v4.0.30319\jikbpppn.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\oldlhgjm.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\windows\microsoft.net\framework64\v2.0.50727\bmmqngml.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | \??\c:\windows\ehome\imeegkbd.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0B.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\LP\B8AA\2F2.exe%C:\Program Files (x86)\LP\B8AA
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\1F575\lvvm.exe%C:\Program Files (x86)\1F575
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1a8 -NGENProcess 1ac -Pipe 1b8 -Comment "NGen Worker Process"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2280 -s 428
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 234 -NGENProcess 214 -Pipe 230 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 234 -NGENProcess 1fc -Pipe 1c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 220 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 258 -NGENProcess 1fc -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 234 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 25c -NGENProcess 228 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1a8 -NGENProcess 258 -Pipe 1fc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 214 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 220 -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 284 -NGENProcess 1a8 -Pipe 1bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 234 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 270 -Pipe 220 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 214 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 288 -Pipe 214 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 258 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 228 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 27c -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 228 -Pipe 1a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 2a4 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 20c -NGENProcess 214 -Pipe 218 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 290 -Pipe 250 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1c4 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 230 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 198 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 1a4 -NGENProcess 284 -Pipe 214 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 26c -NGENProcess 284 -Pipe 1c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 228 -NGENProcess 2a8 -Pipe 270 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1a4 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 268 -NGENProcess 2a8 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 228 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 274 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b4 -NGENProcess 130 -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 130 -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 29c -NGENProcess 268 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 268 -NGENProcess 2b4 -Pipe 260 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | patentgenius.com | udp |
| US | 208.91.197.27:80 | patentgenius.com | tcp |
| US | 8.8.8.8:53 | fur6j76.cloudstorepro.com | udp |
| US | 8.8.8.8:53 | 2hh-v4.remindmeroster.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | uwj.grizlybigtit.com | udp |
| N/A | 127.0.0.1:50081 |  | tcp |
Files
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Users\Admin\AppData\Roaming\A4D1F\F575.4D1
\??\c:\windows\system32\alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
\??\c:\windows\SysWOW64\svchost.exe
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
\??\c:\windows\SysWOW64\dllhost.exe
\??\c:\windows\ehome\ehsched.exe
\??\c:\windows\ehome\ehrecvr.exe
\??\c:\windows\system32\fxssvc.exe
\Windows\System32\ieetwcollector.exe
\??\c:\program files (x86)\microsoft office\office14\groove.exe
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
\??\c:\windows\system32\msdtc.exe
\??\c:\windows\SysWOW64\msiexec.exe
\??\c:\windows\system32\msiexec.exe
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
\??\c:\windows\system32\snmptrap.exe
\??\c:\windows\system32\ui0detect.exe
\??\c:\windows\system32\vds.exe
\??\c:\windows\system32\vssvc.exe
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-03 10:40
Reported
2025-01-03 10:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Expiro family
Expiro, m0yv
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\8E8F6\\F2ED4.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Expiro payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Disables taskbar notifications via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| N/A | N/A | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| N/A | N/A | C:\Windows\System32\OpenSSH\ssh-agent.exe | N/A |
| N/A | N/A | C:\Windows\system32\AgentService.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbengine.exe | N/A |
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000 | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000\EnableNotifications = "0" | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\nkmjnipk.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\elidehmc.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\cbfkhjmg.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\dotnet\ddnfppgh.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File created | C:\Program Files\Internet Explorer\hfoijjjp.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | \??\c:\program files\windows media player\epihdnme.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\7-Zip\jgpijieg.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\7-Zip\gkooamha.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File created | C:\Program Files\Internet Explorer\dendjgfp.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\LP\D488\C69.exe%C:\Program Files (x86)\LP\D488
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\F6883\lvvm.exe%C:\Program Files (x86)\F6883
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | complaintsboard.com | udp |
| US | 104.25.181.41:80 | complaintsboard.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 41.181.25.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ahkb.remindmeroster.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qn3iat23.yordatazone.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s29imf.yordatazone.com | udp |
| N/A | 127.0.0.1:63414 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:63414 | N/A | tcp |
| FR | 172.217.20.164:80 | www.google.com | tcp |
| FR | 172.217.20.164:80 | www.google.com | tcp |
| N/A | 127.0.0.1:63414 | N/A | tcp |
| N/A | 127.0.0.1:63414 | N/A | tcp |
| N/A | 127.0.0.1:63414 | N/A | tcp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
Files
C:\Windows\System32\mghmajin.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
C:\Users\Admin\AppData\Roaming\8E8F6\6883.E8F
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\AgentService.exe
C:\Users\Admin\AppData\Roaming\8E8F6\6883.E8F
C:\Windows\System32\wbengine.exe
C:\Users\Admin\AppData\Roaming\8E8F6\6883.E8F
\??\c:\windows\system32\fxssvc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
\??\c:\windows\system32\msdtc.exe
\??\c:\windows\system32\msiexec.exe
\??\c:\windows\system32\snmptrap.exe
\??\c:\program files\windows media player\wmpnetwk.exe
C:\Program Files\7-Zip\7z.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Internet Explorer\iexplore.exe