Malware Analysis Report

2025-04-13 23:46

Sample ID 250103-mq146asjdq
Target JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0
SHA256 8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43
Tags: cycbot expiro backdoor credential_access discovery evasion persistence rat spyware stealer trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 8de785743381674a4212b91fcb1a876dbf6c830beb2e424d29729675aab60b43

Threat Level: Known bad

The file JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0 was found to be: Known bad.

Malicious Activity Summary

cycbot expiro backdoor credential_access discovery evasion persistence rat spyware stealer trojan upx

Expiro, m0yv

Detects Cycbot payload

Cycbot family

Modifies WinLogon for persistence

Cycbot

Expiro family

Expiro payload

Disables taskbar notifications via registry modification

Executes dropped EXE

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Windows security modification

Reads user/profile data of web browsers

Enumerates connected drives

Checks installed software on the system

Drops Chrome extension

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2025-01-03 10:40

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-03 10:40
Reported: 2025-01-03 10:43
Platform: win7-20241010-en
Max time kernel: 149s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload


Expiro family

expiro

Expiro, m0yv

backdoor expiro

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\A4D1F\\62FB8.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Expiro payload

backdoor

Disables taskbar notifications via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (40 identical rows collapsed) N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (3 identical rows collapsed) N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000\EnableNotifications = "0" C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\J: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\L: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\M: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Q: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\I: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\K: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\P: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\T: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\N: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\R: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\U: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\V: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\W: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Z: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\O: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\X: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\E: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\H: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\S: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\Y: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ui0detect.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\lsass.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\inldbimf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\gqbkmheb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\system32\dfnhmame.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\njccdcia.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\ui0detect.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\SysWOW64\gjdkbjkh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\SysWOW64\jbhmidab.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\qcjofeof.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ieetwcollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ieetwcollector.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\system32\mimegeoo.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\ieetwcollector.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\system32\ejjkjgom.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\ieetwcollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vds.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\system32\mccgplla.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\system32\wbem\njkjlpmg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\SysWOW64\ekkqhlgo.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\cngjmolf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\SysWOW64\mejoblnl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\kihlpche.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\hdggolld.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files (x86)\common files\microsoft shared\source engine\ojlkabom.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\hbbhnach.tmp C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files\google\chrome\Application\106.0.5249.119\oeejgpmn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\7-Zip\hlepeenn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\jmofaklb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\DVD Maker\clmaedbq.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files (x86)\mozilla maintenance service\inechdaf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\7-Zip\mgecidfd.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\pijgofaf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files\windows media player\mheoachq.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Internet Explorer\bdiaenko.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\7-Zip\cedpmnkl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\7-Zip\mnmjadqg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\obkakffi.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\microsoft.net\framework64\v4.0.30319\mclhemcm.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFAF2.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\ehome\ehsched.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\iddoefmk.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\servicing\pjpccaiq.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\ehome\oiaiglql.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP696.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\servicing\nopbomgi.tmp C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\microsoft.net\framework64\v4.0.30319\jikbpppn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\ehome\ehrecvr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\microsoft.net\framework\v2.0.50727\oldlhgjm.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\microsoft.net\framework64\v2.0.50727\bmmqngml.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created \??\c:\windows\ehome\imeegkbd.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0B.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2620 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe
PID 2956 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2280 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe C:\Windows\system32\WerFault.exe
PID 2280 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe C:\Windows\system32\WerFault.exe
PID 2280 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe C:\Windows\system32\WerFault.exe
PID 2956 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2956 wrote to memory of 992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\LP\B8AA\2F2.exe%C:\Program Files (x86)\LP\B8AA

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\1F575\lvvm.exe%C:\Program Files (x86)\1F575

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1a8 -NGENProcess 1ac -Pipe 1b8 -Comment "NGen Worker Process"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2280 -s 428

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 234 -NGENProcess 214 -Pipe 230 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 234 -NGENProcess 1fc -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 220 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 258 -NGENProcess 1fc -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 234 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 25c -NGENProcess 228 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1a8 -NGENProcess 258 -Pipe 1fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 214 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 220 -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 284 -NGENProcess 1a8 -Pipe 1bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 234 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 270 -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 214 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 288 -Pipe 214 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 258 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 228 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 27c -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 228 -Pipe 1a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 2a4 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 20c -NGENProcess 214 -Pipe 218 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 290 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1c4 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 230 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 198 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 1a4 -NGENProcess 284 -Pipe 214 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 26c -NGENProcess 284 -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 228 -NGENProcess 2a8 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1a4 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 268 -NGENProcess 2a8 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 274 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b4 -NGENProcess 130 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 130 -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 29c -NGENProcess 268 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 268 -NGENProcess 2b4 -Pipe 260 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 patentgenius.com udp
US 208.91.197.27:80 patentgenius.com tcp
US 8.8.8.8:53 fur6j76.cloudstorepro.com udp
US 8.8.8.8:53 2hh-v4.remindmeroster.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.164:80 www.google.com tcp
US 8.8.8.8:53 uwj.grizlybigtit.com udp
FR 172.217.20.164:80 www.google.com tcp
N/A 127.0.0.1:50081 tcp
FR 172.217.20.164:80 www.google.com tcp
N/A 127.0.0.1:50081 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 10:40

Reported

2025-01-03 10:43

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"

Signatures

Expiro family

expiro

Expiro, m0yv

backdoor expiro

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\8E8F6\\F2ED4.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Expiro payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Disables taskbar notifications via registry modification

evasion

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000 \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000\EnableNotifications = "0" \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\M: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\G: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\H: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\L: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\N: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\R: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\S: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\T: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\X: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\E: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\I: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\K: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\Q: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\U: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\V: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\Z: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\J: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\P: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\W: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened (read-only) \??\O: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\Y: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\spectrum.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created \??\c:\windows\system32\pnoelngg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\msiexec.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\vds.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\SysWOW64\fmcagcmc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\njbfcjbd.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created \??\c:\windows\system32\jhqenqqn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\lsass.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vds.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\egleqpib.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\dllhost.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\msdtc.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created \??\c:\windows\system32\dndbglga.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\nqhiilmp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\openssh\dkfhcipb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\lnqifhkk.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\WindowsPowerShell\v1.0\ibnbchfh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\windows\system32\mghmajin.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\nkmjnipk.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\elidehmc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\cbfkhjmg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\dotnet\ddnfppgh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created C:\Program Files\Internet Explorer\hfoijjjp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created \??\c:\program files\windows media player\epihdnme.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\7-Zip\jgpijieg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\7-Zip\gkooamha.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created C:\Program Files\Internet Explorer\dendjgfp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
File created C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeTakeOwnershipPrivilege N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\LP\D488\C69.exe%C:\Program Files (x86)\LP\D488

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c0d49ae62fcae54b6a55ed54e2c4ab0.exe startC:\Program Files (x86)\F6883\lvvm.exe%C:\Program Files (x86)\F6883

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

Network

Country Destination Domain Proto

Files
