neshta | 40fac5790294ad94003aa1699169dd279f9cd74dced6e11ba1eca6e2138d8589

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Size

158KB
MD5

787efda7b50790043a4c525744fbd764
SHA1

18db458955674cf403f4d63b2755edeb22dfb1d0
SHA256

40fac5790294ad94003aa1699169dd279f9cd74dced6e11ba1eca6e2138d8589
SHA512

c83a0e5edab27aa8e070bb08d2ccd0d8d43d62a1ebbc8bb35340af267c8b402c3672b1c43df347b7b00403aa4970653574ffab06d1290625b57c886f5ed67dc9
SSDEEP

3072:sr85ChHSJPKL0GJoXNuWIO67v1smCicJp7T7kIkKWzmyj:k9hENuPOyv1smCRpXtWb

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-19.dat	family_neshta
behavioral1/memory/2324-522-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2324-526-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Loads dropped DLL 63 IoCs

pid	Process
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\INTERN~1\IELOWUTIL.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPLAYER.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\WORDPAD.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\ADOBE\READER~1.0\READER\LOGTRA~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WABMIG.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\SETUP_WM.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSINFO\MSINFO32.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\INTERN~1\IEINSTAL.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMLAUNCH.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{61087~1\VCREDI~1.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPRPH.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPSHARE.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeChangeNotifyPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeTakeOwnershipPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeRestorePrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
Token: SeBackupPrivilege	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2800	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	31
PID 2324 wrote to memory of 2800	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	31
PID 2324 wrote to memory of 2800	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	31
PID 2324 wrote to memory of 2800	2324	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	31
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 380	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	3
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 388	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	4
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 428	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	5
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 472	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	6
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 484	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	7
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 492	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	8
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 608	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	9
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 688	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	10
PID 2800 wrote to memory of 764	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	11
PID 2800 wrote to memory of 764	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	11
PID 2800 wrote to memory of 764	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	11
PID 2800 wrote to memory of 764	2800	JaffaCakes118_787efda7b50790043a4c525744fbd764.exe	11

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1520
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1796
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:872
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2104
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1028
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1084
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:392
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2368
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2196
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_787efda7b50790043a4c525744fbd764.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_787efda7b50790043a4c525744fbd764.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_787efda7b50790043a4c525744fbd764.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
280KB

MD5
ccf1f2830c4010c43a67c33e1d8e7338

SHA1
c1f06c2b170e773bae4a94fc8f96933efbfbf136

SHA256
98ce31208466bb5f5b87025ed9a7a647c7966402caae8fb1c7fcb7cc527d7663

SHA512
e9ea1d1a026bf8df72a3dc97d6485277c6f51d9343ff370379fc9782c8c9db383302f39eeff509f921ad9c21c37c63a96f5611365cf6144e6c782dcd8bc83232

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe

Filesize
323KB

MD5
ec3385e2b64f98fb949ddcdf0b334277

SHA1
fa708a5dea85ed2e1ab8eda73f7a00440770a368

SHA256
99881335e6702e883c7a1d96612493b7562f3de18603cca12a1371b2c43ccf91

SHA512
4e58b7498f49a23f415e1239385a80a4daf18c56d4d37da252d680a694a66eadda4d0d39bf6332ee6e327aad40c8469b9b9b6e9ef6ca14849a61a32db7b34ef9

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe

Filesize
1.2MB

MD5
c3da6785450ad09681e35269079948a1

SHA1
2991cd5556bc17bc229ed1716e6ee452a6383cd8

SHA256
1839c982118457f500482df99fb4407e1fe427a4c635acfa1273b3590f7c1d54

SHA512
cd60533ad9b72ad06dbe5589181c94dec8bd7fa5cea29f05e62e17ee5abec29d78a6c4f27c4652b7ebec9bf1389e1966c35744b58ebd185fc0161d79eb602748

Download Submit
\PROGRA~2\INTERN~1\ieinstal.exe

Filesize
483KB

MD5
f87b366a3cbe882486eac9315746b7b9

SHA1
9b8f5b860177a767f73aeb692566ea5947eb5504

SHA256
a9e08fc9f90bc55be10f770d66494cf69b90ae7bb832309ba696f11c8e3d625f

SHA512
9e1a0ec510c02fe6ed7d21d8c0ecd03ea19f8531920cc971b5b7129032cd0d97d486c2b951fdaf1f64744f4b56cdcb95e6c3d31a2a7885e5a218e1b342fec660

Download Submit
\PROGRA~2\INTERN~1\ielowutil.exe

Filesize
244KB

MD5
0c8415ad1c0ac74ca7f2673b30b02246

SHA1
e3e747477b7b017385c2481be3f6974e35d9d0f6

SHA256
09c8f4effb2b5bb83cda3835e8d13321796949f58fea541b7a023b4981e65960

SHA512
447ccba03f08d6a9d3464892ae37d00af3741a1b7bd931af35b0a0ebfe80e820ce38732ed2ed25f92aae7032b66b53d328e2af350e33e8b5bf42549bded33553

Download Submit
\PROGRA~2\WI4223~1\sidebar.exe

Filesize
1.1MB

MD5
5df71d9ca1cea48a8cfff5414e837555

SHA1
9f8c97d40aae019ca85a1bc2c7a1e1371855d59a

SHA256
bad152dc90b9bc242f128546b158a9f063eac2e6ad3f4ba3402a18661d34ed9b

SHA512
169fda43175d1eedfb87629807b6c31f289315ae3e9b8c8984de2b481223425c56b6dfa8b7b6335000384d1d87c4bca5545b710fc8e3ad1f26b06ad2198e3a75

Download Submit
\PROGRA~2\WI54FB~1\WMPDMC.exe

Filesize
987KB

MD5
bf60e1b6724228e402f9026bd30628d0

SHA1
014be88e2a933c150888e7bf76f802aac1cf7388

SHA256
d3ee530d8e8714077f4702f449162206e8b82bd7893ec3b65dc3980ee6909a27

SHA512
99eb70961104f87b64194bf005887def551286a0727475c03a36f006916f79f0e1c06f8b421a80256b5c7f8b3ffffcd983c632d9d400619963a8cc422471b084

Download Submit
\PROGRA~2\WI54FB~1\setup_wm.exe

Filesize
1.9MB

MD5
9ca355e07eb74fa928afc1fce46eaf74

SHA1
3683dbe6bf48d58a2c14b29c5d6c472137774af9

SHA256
7c1f57df9da2c5c338d20fed1e2135795316bba2a923eaaddf6d6a55dc7ae835

SHA512
443d297373166f36eeefcdf8a63742ef8342178fe8ea52a905d589daac19333e6e57c934deb06a0027651d2700a96f11ffea90e8e45b87d350a7d124d070a4d8

Download Submit
\PROGRA~2\WI54FB~1\wmlaunch.exe

Filesize
250KB

MD5
2577d65f43a9a6951f7ba93fe42c8c3d

SHA1
2a0f5347914501e1495daf058d25abeb3388fbcc

SHA256
2ed7521d2653d5233ac02018c5189c3bfdc0a8d4e3befa80f8cda09cfef0e52a

SHA512
42119ce2e6c0b1bb46b9c5907cd83684034955ab681a1c54e6c2d15d15686e26add7d6bbdc5b09fb11f20591a30e422fd2e5c73afe5b0ff1e371173ffb6405f9

Download Submit
\PROGRA~2\WI54FB~1\wmpconfig.exe

Filesize
126KB

MD5
f111f7272591aa257f398ec874c4f45f

SHA1
7685929a970fad474714314c1f14116a5f06398c

SHA256
c9611343675f3463f5764f0f560edeeea2c05559be43029ec301216770e0f3a2

SHA512
5f66ae1c3da568f9f0369eacfbefd896cf4f52b5629aeec4ef719fe70dccd939bb71c73e1b56bd6061ecf545e997aa20b399e5e51f584100b7883b804683d664

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe

Filesize
188KB

MD5
fecaa0f3e28a49b46daa5e0c195ab510

SHA1
069375c819410a196018c02aeba66d789d1bff37

SHA256
1fc3269252cca95b3724ac3187b93f2c8e6c67e728611aa9b569725d51d0e3a7

SHA512
0429fd950d22a5eb35dadb9a8f5940eef60b5e9b1495681391aa464fff6ccc1271c7a0f2e2bb67b1229c33b53d0bed5fa46f110da8b0371b23c7523cc93c0daf

Download Submit
\PROGRA~2\WI54FB~1\wmprph.exe

Filesize
88KB

MD5
53fdcf67138de0595ab1462c14d75f22

SHA1
da8924fb596b61dd26ea02796c9ed3ec79ef5e5c

SHA256
809af9a02a446622099f038db062c40fefcf682eb053e0aefd0243297fea52b8

SHA512
8b0f752de8fb132f4503c7955d3fa854cf6fbe2d397b03c57c9cfae9ea9057fda58738dc71dc9cca6765df030f99d2dc2b98e1360e6942e23cc3fce635b0c255

Download Submit
\PROGRA~2\WI54FB~1\wmpshare.exe

Filesize
127KB

MD5
b05bb655a3f7a27c875bc67bb879c2b0

SHA1
2094ac95b1332545d528db6fd8c3436e2dcbada4

SHA256
098f5919db12d7bad1ddb1e3d21466bd05b5e7a2950da8d0a5eb276b0af9fea3

SHA512
5b1b9f1cda9b0e26e9862d2fcfc2cf03dc3ef7ba97c5eb83e6576032cd294d9dd033fc68866ec46c779d2bc5795c54ed0ca8304cc990d3ce12b0a3d79e2c6535

Download Submit
\PROGRA~2\WINDOW~1\WinMail.exe

Filesize
414KB

MD5
4d3fb8dbdea992322dedccf45304672e

SHA1
fc4a4c20e9bc1e454a83a5aaed57331332edcc85

SHA256
b5e459ca23c0f16a42308c71c8ea1a4bd64fa3a5eb602aa7a13a32b7ec1cd932

SHA512
b26dbd9102edb28871e0f1a0341ffb7882fd4fce52cfad916bffc30edd745d9f1d044012490aad987af55306de0bf2355bf4bccb2b028f6891e0a071fe6666b3

Download Submit
\PROGRA~2\WINDOW~1\wab.exe

Filesize
531KB

MD5
f0d9ed4346b4e418cc0aff5acd59dc4a

SHA1
7c94fa4f1aa3e1c1c04fbcdae078a289fd47f55c

SHA256
c92319f4b39868e3551bf5809a78b71ed1348ec117873ada9e4f8a38caa7bf14

SHA512
67bc0475dc2af5b397d3698c250175c1af0945685f7364d56bcce63b9028c8c390245671541211ea65f76223467b9fb37ce97f8d546361565cb26d981c78ef5c

Download Submit
\PROGRA~2\WINDOW~1\wabmig.exe

Filesize
91KB

MD5
55caa6ce3d27c23062fea0529fb30f1a

SHA1
6258e7439fa3c35526f41d45b13fdb8b0afe2bac

SHA256
63d3a1d8cc3e8094c9c37f9b6957116655a29f9f3360bf0f76e6c0ce1ba4fd6e

SHA512
50dd57ce482d0a4770918d588bff7420a32d3aeee0b7036f19005a37297d5fe08359e99b607427a6a684277ad6eb153086d4270121242a1e53785fc37096a71b

Download Submit
\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe

Filesize
4.1MB

MD5
6fcfa32ef331c3864e09b06881749f26

SHA1
b3fb853c2549796321110be28433da69d654b7ab

SHA256
32f58e93fbd0d135e008d2dcda587fe949791f1a36334ea06ed2e0bbf4d3863d

SHA512
6c6bc51fb3e630d07f14c46a749b43995fe2c55e5358de3542ce78ff7cc7d91282c8211d54a63733c58b568f374b64038f118c024967398392028de4a6a7fccf

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_787efda7b50790043a4c525744fbd764.exe

Filesize
117KB

MD5
5cfb9d1a45914f190714f6bf4bed19bf

SHA1
8f3d7d0acf363bab444cc6238632fa07b77ed384

SHA256
552b812a8478a75c02e5737ca505221135e07bfcb62ba84db3e18233eb1131b0

SHA512
5986dd7a3e417904b387d750d7adb4ebef7dc1a1e87bf091e2673e1f40232461ee695739ab8c7e2aa466dc4f0575198a8ae0cc4a26edaee5f698d98b0d296d9d

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
memory/2324-100-0x0000000002670000-0x00000000026B3000-memory.dmp

Filesize
268KB

Download
memory/2324-112-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/2324-91-0x0000000002670000-0x00000000026F8000-memory.dmp

Filesize
544KB

Download
memory/2324-96-0x0000000002670000-0x00000000026DC000-memory.dmp

Filesize
432KB

Download
memory/2324-95-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2324-60-0x0000000002670000-0x00000000026B1000-memory.dmp

Filesize
260KB

Download
memory/2324-58-0x0000000002670000-0x00000000026EE000-memory.dmp

Filesize
504KB

Download
memory/2324-37-0x0000000002670000-0x00000000026CA000-memory.dmp

Filesize
360KB

Download
memory/2324-99-0x0000000002E60000-0x0000000003057000-memory.dmp

Filesize
2.0MB

Download
memory/2324-35-0x0000000002E60000-0x0000000002F96000-memory.dmp

Filesize
1.2MB

Download
memory/2324-102-0x0000000002670000-0x00000000026B8000-memory.dmp

Filesize
288KB

Download
memory/2324-103-0x00000000021F0000-0x0000000002214000-memory.dmp

Filesize
144KB

Download
memory/2324-26-0x0000000002670000-0x00000000026B8000-memory.dmp

Filesize
288KB

Download
memory/2324-106-0x0000000002E60000-0x0000000002F96000-memory.dmp

Filesize
1.2MB

Download
memory/2324-107-0x0000000002E60000-0x0000000002F5D000-memory.dmp

Filesize
1012KB

Download
memory/2324-527-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2324-109-0x00000000021F0000-0x0000000002224000-memory.dmp

Filesize
208KB

Download
memory/2324-16-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2324-111-0x0000000002670000-0x00000000026EE000-memory.dmp

Filesize
504KB

Download
memory/2324-93-0x00000000021F0000-0x000000000220B000-memory.dmp

Filesize
108KB

Download
memory/2324-526-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-115-0x00000000021F0000-0x0000000002215000-memory.dmp

Filesize
148KB

Download
memory/2324-114-0x0000000002670000-0x00000000026B1000-memory.dmp

Filesize
260KB

Download
memory/2324-524-0x0000000002E60000-0x0000000002F8B000-memory.dmp

Filesize
1.2MB

Download
memory/2324-117-0x0000000002670000-0x00000000026F8000-memory.dmp

Filesize
544KB

Download
memory/2324-118-0x0000000002E60000-0x0000000003277000-memory.dmp

Filesize
4.1MB

Download
memory/2324-120-0x00000000021F0000-0x000000000220B000-memory.dmp

Filesize
108KB

Download
memory/2324-14-0x00000000771FF000-0x0000000077200000-memory.dmp

Filesize
4KB

Download
memory/2324-121-0x0000000002E60000-0x0000000002F8B000-memory.dmp

Filesize
1.2MB

Download
memory/2324-15-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2324-519-0x0000000002E60000-0x0000000003057000-memory.dmp

Filesize
2.0MB

Download
memory/2324-520-0x0000000002670000-0x00000000026B3000-memory.dmp

Filesize
268KB

Download
memory/2324-521-0x0000000002E60000-0x0000000002F5D000-memory.dmp

Filesize
1012KB

Download
memory/2324-522-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-523-0x0000000002E60000-0x0000000003277000-memory.dmp

Filesize
4.1MB

Download
memory/2800-13-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2800-12-0x00000000771FF000-0x0000000077200000-memory.dmp

Filesize
4KB

Download
memory/2800-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download