expiro | 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
Size

816KB
MD5

aeacd6bfb480546d0ee3e14f0bb46f8c
SHA1

05574783017260e4d3dc0ca831161b5cabf51c30
SHA256

3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325
SHA512

6aa7e58beb9923690918de0c3634bc6ec170dff647fe5a381604b3e28c6f74ff5e12424175acecee21bf419f66060fd562d48a47ba72703c39e2b4aa0906e6f9
SSDEEP

24576:BJW2KjJ4Td3kJnbsPhnzqpKZdhRcloe4Mmz5:BInJ4Td3mbsPhnepYhRclkd

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 10 IoCs

backdoor

resource	yara_rule
behavioral1/memory/3168-0-0x00000000004CF000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-1-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-2-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-4-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-25-0x00000000004CF000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-26-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-27-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-28-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-30-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/3168-39-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
1644	alg.exe
4460	DiagnosticsHub.StandardCollector.Service.exe
432	fxssvc.exe
184	elevation_service.exe
1624	elevation_service.exe
4608	maintenanceservice.exe
5096	msdtc.exe
3448	msiexec.exe
3640	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\H:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\J:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\O:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\K:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\Q:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\U:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\W:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\Y:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\L:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\M:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\X:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\N:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\S:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\T:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\V:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\Z:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\R:	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\N:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\nkgkcpik.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\diagsvcs\eiekepii.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\gjbgcmec.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\mfqnnomg.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\mbdhnlpc.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\fbmlgime.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\wbem\lbgngcie.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\SysWOW64\kfbekbgc.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\apeghpbj.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\lgggibmh.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\SysWOW64\jkenogbp.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\system32\migkeihi.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\ocejopjh.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\perceptionsimulation\amjjmidm.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\dqhdmgpj.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\clcciaph.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\dijfldln.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\qhohffaj.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\SysWOW64\hkifogoh.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\anhfgeon.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\system32\eljnjbqi.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\albbphgj.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\oejnokpa.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\cmqhnbaf.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	\??\c:\windows\servicing\haiocbin.tmp	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3168	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
3168	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe
1644	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
Token: SeTakeOwnershipPrivilege	3168	JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
Token: SeAuditPrivilege	432	fxssvc.exe
Token: SeTakeOwnershipPrivilege	1644	alg.exe
Token: SeSecurityPrivilege	3448	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aeacd6bfb480546d0ee3e14f0bb46f8c.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
8dc926df6c302533bfc5ee15aa091f38

SHA1
7665d696d08e1727d5fd2b3d2d87af19f3aa6b04

SHA256
6d4f4cc18f5c31dec073054069cc45d9d9c03e9eb40b28628da58864d75e7570

SHA512
3a7efd6af0061c34224af4b7fa9bd98f8c1a25f40e0ed51c1d30aab7ceb217857e9270e5be98aebf78c1dc3d1fe219f1b1125c4d04bfb067461960368383ec6b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
2bb162bc010a70c17966329a0ff8b201

SHA1
31af097a5e8149e02fa76bf0d68fe26df555854a

SHA256
16fc901eee3240c3be9776e4b9ab92b78d17393b11cf5c70f247d863860a1df3

SHA512
e819ee4d15d447cd0683dcfe7d07eb778f5645b40de6fee1d254e2d4a4fc80acab8b60feb2cc01c7d63a72c2aa9b9e57ec82a10fa080a5a80ee757aa974b23f1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
3fbaf757b462f6e60fe8126d139385f4

SHA1
6cb81cae948838bf5a1bdf922c7c79c5c7792d28

SHA256
6ba9d2521978722af9d4ec824eca4806d01ed383bb38a4fcd95532524227daa8

SHA512
4be174a9801c4e0c2f69f9c93026d44095988e1fabfba6bc629c31bf4a7aa05bdb15ddf6d490b092321e339acbf4ffa6aa72c6ccaca136c21e8020eacfcc9982

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
ad8bd45b86f6817deb0ddcc4b3791185

SHA1
870e54dea305d566e8865641dca531b1e563a266

SHA256
82eb5d98babc682db8be79331055e5d930ca04e1f1563e5a8cb91ba0ff4774bf

SHA512
62a066ada95fc3656fb2e10b0eebc2a90e263489ca958e66d6c63f378415f7777a2564301610c1a6f94c1628c87fb93fc2902ea9fbb7805c60884c2c2a4ba98f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
2376f2de2b1b70324cfbfc94b51781d0

SHA1
9066aafd306aa95920529639fcc1bc16ee7f98db

SHA256
284c7d2f2623c9d5f578f971a47e6a111ae545a75650c2ad66e89ffe0d649f8b

SHA512
501f8e2a2ebdd3534e360146302e89f1581d3c1058dd185d92faa6052f637695c8c2a33189a3851608e343bd3527a9e1fa05d2c6b88dabc0e0914ab06bbfc796

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
3d70580d4d9d99e27ac3b9bb5b7c42b6

SHA1
28361530988a7fa8d7c0f03ecffe3ab1bb4d10c4

SHA256
38912be802ec8218c9c04fe12b7b0c6eb1ce34c07dcdef94994a7201ed3fbc32

SHA512
7e6c58716d63933a70c3337b6f71ec35cd7ed0368c9f96f9cef175bba616e8f8b7cd52927d4fc0b35e1e680834a411351b1b4cb004d63be3f23de5e7347f9a20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
7fd72275b4b7d896ccb7c1e442b1ef3f

SHA1
dcdf05514301a151053cdaa565979325b56d194d

SHA256
24c12c323792571b44dc06d49751f6b4b3f5969cea300c1617087e2673593251

SHA512
942cae18a22419890d51f4b940163d034e4360e11f1462e84ceaadf1d306859d855b6c9b15dd5fde622089bfe8f0378968c2357e1316925ca222a1252f3444c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
dd96d5815b973e85f39844939c276111

SHA1
f302d7ebedcb14ee94ffdd37efd61cfb93c41804

SHA256
6ae5a5a613c27e9db624ba97c44b9ffc5ec310af1c6237057bbdeb4dd704239c

SHA512
92ecae0fb2bfb565fe372776c03931e1a1acd7cf52ed4c7faa5ab4f1c9f6008c30abf1039fcac2e3491b3282632f877f72bb7caa6e546af59833887049860e7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
3f8e2b7f5a4877ada549b478f7cb2a68

SHA1
e737caaa33d156ffbe03c14b3eaea06a5fb1fbd6

SHA256
dddc7d6ed82a8d0cb02ce01d66a619fb1c55dada25d87172937368816fb2bc60

SHA512
686577335d620628f47c3470f2f22be22d604bb972151be0a2c453706bcc10facc4d45754fc55be50a02507a8e2483b6ccd1a8127a07368dc0ae0e73d07e7071

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
a204cae6f07d98a62acf4448e0653a98

SHA1
7cc6dd1ddaac04bdf782cb87c8a3e66fc2893815

SHA256
8bde9f66d43c82266d346039d3aca415205a23b5be415073a786d570cdacf0da

SHA512
691e08b57f6dd54c19af07922d8f59fcc568d2e51b0f87984b356198ddb7e470d9acd26489970813a240a4835be3670d786fa3e2e2463815daa79132fb0871c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
8694be26700cca2d83e3989b0ca03ae1

SHA1
8c5a60c21750400ffe1d6f256908de6c1be0aa80

SHA256
dbddd6e696b0cabd915346e1aa480ff479b69ba7c357637b2f239814f006f9fc

SHA512
c66b43ab5c45e8787adcb226d4e5eab4b9f664c4b9edba181c6cdfc26c66a36f2a5ce593c554c6ad7a8770c7660f7746faf48a153efad4cfecd8cdc3fe06db03

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\cjoifleb.tmp

Filesize
637KB

MD5
a14ac3ac5ccf5d3aede5a1078bf017c7

SHA1
72060d9804d5706fd63aeb0ebf4bfbd4cd8090b5

SHA256
c9473ccdea407217a40b419e75937a27b707cc2d51df182959638156f63fc735

SHA512
1487241acaecbf7726b4877f88275ff56c4f749720d9b33a006135cd3118a3b76d468a9643d36087df43662654f079907ae94e3ae24b2ae936894815908894f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
9e2a2ecdf5df21dc2259ddf855673941

SHA1
84e504504afe1405048e7809ca2f255c6867ade0

SHA256
635059da30105bc3115df0a8da62cb91cddc7f8f9dd5241b8d99ca3c7adfec38

SHA512
213ba8ed4136432b92fb21673abf16f933c7fcc7165f9de72acf5cd77eb3cfe3a05b871ba7f89648200762a528a700b0dbcce7d75e1f76a70bfc4453c7913ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_av2jv5z3.5q2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\ppkeacfa\bjmgmoiq.tmp

Filesize
625KB

MD5
86ba5402ed291b24eec8754e6d905848

SHA1
a2d9cdfd2a2c7a601114d19b01ad7519648414b9

SHA256
f15c01d1af201727f8bb058529988c41f605ef16a12ce7ef8c87b3aacda6ef33

SHA512
f19af01b59b14a6a1314c431ce4457e4c09988b4b2f1136edc6fc7579fc59171432f2712caf30ec1a372479681dd8b5b21bbfbdf7cecd19f9b9f306dd2e23806

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
021c6ee239c98cbadec80bcdab05bbdf

SHA1
0917617db9356d3174b7c32e0213d26845b69c5a

SHA256
638bd9b7f08feb2ba1d47f4701c79f4f8ac577c8c16d2e1a92c2ffbcb48305b1

SHA512
06f09e361146c5a8c724843b4dd303ef110c899ea0916df6c50aadb6819b974a9dc06bd5f5eabf9acaae40a84f76d910ac3f698daab59b05316febb6444728e6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
b862e8c8709b2cc56e76a4f82edcfe1e

SHA1
62d8061a8b4aee39a2bb44467b7f68a16e6c511f

SHA256
991059e247e831ba0e8c38078a219becdc7f44c6f9bf90e0220a5cd355c1a8f5

SHA512
b7b39c8a1530d46e91001adf04678c3f2a72bacd6d7f0ab4edb768ca7b9f94519c958d72cddbe4ce0ae7f1c4c1cccbc5f063ca47a93832d852ee13f08e5e2b35

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
a4ab72157fc458c6144a50730ab1d1c6

SHA1
9b4916ebfb718b30c20b1296cb2d3b5497d7d355

SHA256
55d231fd1b29fc8155ff5ba60d247faf09e5c9a7ae99e23dbcff90d7f211083b

SHA512
2e33fcd5c849e9eff43acc6d0fef151c1a3f656639328ce4ede2199b175f8fc3a071de8c61950299115e7b9c2f1e5b8ece3eccc442fa986d15c86c87218f5bf1

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
71926a96e752f1702becfbf36c1ae662

SHA1
18b434354d6008ddcd803e55ab1886d7e345590e

SHA256
e046bca5bb5b1e7d49d46c1d0793d149ead670855a8763b3f291e6b969acb703

SHA512
9fdee16ec4d9cb4ed6a57b4af3c9ef57d56297e8b36cb3d5276c66f58159ccac7baa50d48a54d1ac2af938fbe0f0e6feafeb253ebdf59f29dab9fede2f1a5956

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
ab1e3d7c6a6a6a726586409c2ef015cc

SHA1
9d0e758f6c84ebdb63267c1cac3671807d479115

SHA256
3f986a6768f20e3d4496438a7248d411b91952acb38cfbb2002bdc92b3d173ed

SHA512
b3ef38f983248e7979fd4c1fc83e5f4e1aa205290119f3f9e10c00dfc1d73a23d53d08f85384eb435f107987d0ed929710b2a2c18938409247a36135aef3f0c9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
87358e8bb60d3f3eebd89df3b0c58e26

SHA1
2a61eb2d65daeb2b337a4258580713d9382393aa

SHA256
7124cda5106c4b96f45665d14fa806cd02236bb17e33a04cd29f2ff858a2510d

SHA512
3a802fd719df579e098b5334630f4f0b440cdf9c41bb3cb29917db23dc76ce20bcfd2a65e532e59c57a4754f94f991586fac961d166ee8e68cee4d3bd8aeebac

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
c1bdc68190b06ab9f2a826791e123032

SHA1
ade3b0a981c112f41b1eed7689f2f43984557756

SHA256
c3221f7465dfe98957843488c66f98a26b9f7751de1439b635650b166ad82561

SHA512
6ec457f316dad6095343f95ea6811786470772b62510c6ceccd420575f06d27d97a2d13f0ee308a53846cad7ce514ec7a3713d19e3420007cf631728f2ec5fb2

Download Submit
memory/432-77-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/432-75-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1644-51-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/1644-84-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/1644-91-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3168-22-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/3168-7-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3168-28-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-27-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-39-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-26-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-0-0x00000000004CF000-0x0000000000562000-memory.dmp

Filesize
588KB

Download
memory/3168-25-0x00000000004CF000-0x0000000000562000-memory.dmp

Filesize
588KB

Download
memory/3168-24-0x00000000085A0000-0x00000000085BA000-memory.dmp

Filesize
104KB

Download
memory/3168-23-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/3168-1-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-3-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/3168-19-0x0000000006B90000-0x0000000006BAE000-memory.dmp

Filesize
120KB

Download
memory/3168-20-0x0000000007150000-0x000000000719C000-memory.dmp

Filesize
304KB

Download
memory/3168-21-0x0000000007010000-0x0000000007054000-memory.dmp

Filesize
272KB

Download
memory/3168-14-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/3168-30-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-8-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/3168-6-0x0000000005ED0000-0x0000000005EF2000-memory.dmp

Filesize
136KB

Download
memory/3168-5-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/3168-4-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3168-2-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4460-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4460-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download