expiro | 3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2025, 19:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
Size

625KB
MD5

d0880ec1ab1627d23202ee86d33b7356
SHA1

a8dae933bdf12ccdd8f1c763d3be932186fe8966
SHA256

3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af
SHA512

1d833b5f77b8cbb66224effe69daaa78e2b3fcfd2bde89c6d3bced4dcef83687b1cbeacd22f0055003ed0935a3cc83972f5b16a1fc476a896beae7d620c50549
SSDEEP

12288:bVt+w8wyv/566WoJMOYeRqmyfq5M7I4XbDhyGdPiMbSLJj2xshdFSRO:ht+w5yJDJGeRMhjdudaKh

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1864-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1864-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1864-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1864-47-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1864-49-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
3992	alg.exe
724	DiagnosticsHub.StandardCollector.Service.exe
4052	fxssvc.exe
3668	elevation_service.exe
2900	elevation_service.exe
2136	maintenanceservice.exe
2804	msdtc.exe
868	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\Z:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\K:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\J:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\T:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\W:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\M:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\O:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\Q:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\R:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\S:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\V:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\X:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\Y:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\U:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened (read-only)	\??\L:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\akooomiq.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\SysWOW64\jmnoidab.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\gfdhojol.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\perceptionsimulation\icnjapoc.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\diagsvcs\iinlpjfj.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\igbjakbm.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\lopndghn.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\SysWOW64\kclpkgaq.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\bekjokjo.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File created	\??\c:\windows\system32\ckjdalig.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\wbem\lgbhhobj.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\SysWOW64\igmjlllq.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\bojmmqca.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\lgoqadoh.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\windows\system32\clidbjgp.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\lnpebapb.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	\??\c:\program files\windows media player\aahjgfce.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe
3992	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1864	JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
Token: SeAuditPrivilege	4052	fxssvc.exe
Token: SeTakeOwnershipPrivilege	3992	alg.exe
Token: SeSecurityPrivilege	868	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0880ec1ab1627d23202ee86d33b7356.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3992

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

22.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.49.80.91.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

22.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

22.49.80.91.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
6117b37549a59ffc2de46b30fa50e803

SHA1
ac520dd1ce42b324a19b0807310507894a8b58fc

SHA256
e0079f406ba4fa13c6118d54d46fc73c8a6d90f5b5950e602f0f236dff53ca98

SHA512
5537e4bad81804ebd1e9e8e0ce422d8edde2d52edc16946da39fbe666b8be9a986f0153ca6f939a30167f05f09e991a14e1faaf7ea5a146281ed21003c72bab8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
14cd42e583c8ec4e9161c409653496b5

SHA1
9f70ebb97b7df4b62797573cd58e2fde2ce354f1

SHA256
59c3de33a9e3586f954c65eedfb31ae413c069c9c9f4f6a2782213b964ef320f

SHA512
8adafafb2358f8d8fecd50e6fed93dfb8781b4c7cee6b554870db9ec3d36b282bef03c5f59058d4c82a943ef5b6dec98431e86ffa211727cb3c3afc9c12b2dad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
04aeac909638aee43acddb5833fc4207

SHA1
7c0096ef3ea0cf44b09eb0f68195b42affa10742

SHA256
cfa2841d5733044b25bb8b680ee41e412ee645ee5f4b7d87fead672fed0e3551

SHA512
2113a05de97738be2a0721ff53360e31c8a2258d9078639ce0a20a763a2fad6ee26365824eaa57e435108c8891428a8904636ec4851271a2e40556f57354c006

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
205cb92b74171f11a46bf5d625af1aa0

SHA1
7654ceccc5d9220eea1ddf663d18b2a48c65f863

SHA256
c9a28e50d2b57896e185063f215bba980304ea23cda9b83d84f82878e756241f

SHA512
54f7b81b2909352182b28c469b4817fce830ce34df0b2e9b446de00317f7f4d509fe28e0e2794ff9e397b658e4ddc689c361a916c5d02d13618bf7dd345f599c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
dea09547ba96de90d61b37adf0b4fc67

SHA1
ba9be74b45649f9a812eb9402169918170607577

SHA256
da10496491cc0ff8faa1f0e35c616672533a1cabde7d68dbfda809a080773da6

SHA512
8cf851bd1407f176432cca16e39b3c6d94e22e984ea41c8039f93318c5e5472511ceb27a434670078bdce68f460074bf384b786af6eeb75f8eff6ed2800b0954

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
7776832995b3e30f757beb5d66433f38

SHA1
128acb25bf1d2919179930edf9b75b6d940ea9f3

SHA256
41b1081c1efa486136d91e0d10b17f52eddf12e425aa9b17a0490dacc5041044

SHA512
8e87993512124110ca6f5fc256f8a645c5ea16bdad57c621e0e56d2ca1415ae17ea57eb552cf5b2366d530d1b44c920845a5b7ad310d5e9f00861099440972be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
8748b307e297382f5fa5eb44ebb2a971

SHA1
a521155634a5f8b05c32b96edee41b52031e342a

SHA256
81a80f827eebc82aaf174af86e773cd0bef6e5726776ac360fde5a4cc1ec02b2

SHA512
67efccbf9c73fe517614983a32b1da39a38314c15b151909f1fa94f910203a2ccc769cbc631b493f9d90390698509b10deeaeb63209d18fcd1d523b5c4c3cee2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
c5c148ea805961f1b3f92e4f662142af

SHA1
594f3c81e9047c47676cb4387114a66080b920eb

SHA256
26b525d0f45c10a23bf4c3487a2c4a1d8ebe16115a9d16a0ba0ec7705e835838

SHA512
1df40ce6754694bda85dbe84f8ab9d5e26d571de3107ec1e81313e1bc0d7fa79e655711ef6a7b8fea9928d01441d6caf0188d7e562b4a9582e5fd15f51a7f385

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
2c85e12bf48cd47f0f7603a46a649a66

SHA1
d594947d16d029cdd8e8fd0a98dcff1eb00b9938

SHA256
8190c49e50d5fdddb6e253edda5b408f60cf1bc54c7e754504fbf1455dfa8a23

SHA512
b1ac1d870c61346906a2f59dc14d55d54a11091421c061b1f7c3f19c8db49d9fb21dbf0848f90fa518edbd98951ec412f923b70084d9787589fad6bccbddae01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
5d6800283fc0a339b9dcaf17168a7ed5

SHA1
aee8ffcabc943b6135008b0c7febcb4bc95e49e4

SHA256
e7d6495c99ca67d737463f8c251d5b7abe7f829cdb0dc0d7d33b029a935ad12d

SHA512
47a3f03a31a6cc3239bc24f1c8543270129e69a425093676e515eba57417d5a963d1373935b4f3b8b8e29686d425d737cf18761a2488dc1d7b57b4629bbf3a59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
ac0897d022d3c27248370685370ae1ec

SHA1
24bf22db804346de25d32f4eaf0a34ce2f583e4c

SHA256
143f6a0d9e2e73ea44fd8eb1e55dde308c7c90bdb9cff88bc16bb65be2ee683d

SHA512
42dda251364cc78866c2f1746d907be2256774d5b3430d6f6d582d51a7f222a46cc57b4ce6ba4113c756cf51cb71fa097a350476f40b5f558a1e00a204a67987

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\mdjgaklo.tmp

Filesize
637KB

MD5
faf92286737462ca34b12df4a040241e

SHA1
456666d179b14c49cc529d8728e209b7430fdea1

SHA256
d1a68c486af0ec4c71f02c3c15ae257a7dddc6b58f88a44d483841396d00e5bf

SHA512
2683ef16b63a650bb0a5b1eaaa8351cd6e3ef74c8474a28a8b53855d5ef2e8451256fd62dd5a5746c73ff81da68f2f7ed59f22aca629370876ebddc809ab7760

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
58fceed72a321b6ee2dd913f77f5c617

SHA1
28eb930983d5018837a9affda011b8d460a70a51

SHA256
516e0a8798393026fa4deed38fec609add6a34788ababe68309697bd699f4533

SHA512
c541b9a008beebe2478d84b44d80b18b0f23329b821516eda6b10b603532742500253e95d8cc6357e8b24c0738f389a0b0c7c7d38c335fe6036d0e6e7e934d90

Download Submit
C:\Users\Admin\AppData\Local\capajbli\hoiiiaok.tmp

Filesize
625KB

MD5
5505669aadfe7e32c449fa691d663074

SHA1
55d5223d0e8f92863c27e86cb0c6b0935f52d251

SHA256
1a4ba8b293f9bd3701d81d68b5d887392a03bf8c8e6c9e0c2a4131e85567fd37

SHA512
0d1d0c8201c1280b4521d98e9efeca4b9c653a62d20e2405b02f4a9cbef594c034cdb239ce8ee534bf3a0c84694e080b8500aa8b10ebfb75eab98bf74c44858f

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
da141045c534023a2fd2d7544ceb7e03

SHA1
dc3e7f82a6ae08ff33fe698ee11fb43743c1737a

SHA256
abec3c5631e89aba81b45915a40c2b1c1d5f8f7eeb2cb40d228f5ac5360f400c

SHA512
90df782806b6af895187c619e3358ca2ca2dce77a2af0569f0ebe2659e0a1b5190da2621d7ccb2205018e8ec5cd7d97e4497f89bb69fa8d02f3b495798bae0af

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
83a2c12c6aa313079b564f1ec651c7f9

SHA1
02cd3a3e5859906d0e79388757d37858173b5e0d

SHA256
d62e92fd00c54154aee03d5eab94b7220d3371bb94e0f57518c801df39dc02d0

SHA512
edeb47b3bff4bfbd745cc62275a61e6fe49e349daf4e2fc1a98fd1645e4b5c28b245fbb920d97d6fe2735805f4306614f50a87aa9507e05986b052255259bff5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
28d7be638302233502ff69feaa625a83

SHA1
ae8168062194cac74c5a5ac988060d26f2c255f8

SHA256
6eb5b75afe6c6b7c34fb2fcc5ae303225a8a58d6aa53a51417b54d195441bd93

SHA512
a7af6087d81bd5c158f5aa5afd814f3789d90fc8ddb2709ff4ee6e54d4361daa32e8a2220216dadbb04bea21b9d8a7169382fd1022a4a3842dfa761c49dc3440

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
3ceae8faafa78d0636f736c774d1cc38

SHA1
a91c2c141ab485ace992c1e2f666d4e8aa1090b5

SHA256
5e59f2cf77a29bfe2e6c84ec983ddb4c84fccf51f7bbe68053aabdcf752e7c3e

SHA512
4106d23e8d62a3c9c9634011169350794f93d02ab6d41b7467b4be74f208701addcbf224f99bd6a34c836d79ae0028e064c32c27d41212471b02c6e02e5bd43a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
61759c6493264d9f9fda07a21c1debf3

SHA1
5e7d937ac5f3c8d730c40a8cb1cb8034f0ec64c8

SHA256
eec8288ecc37a8f4e68f634e45a983fd58050873d3ef4a80c3fd5950593ce27f

SHA512
1a23093dc3d853f4afcbde00fb472754fb9e41d0945574a908bc0d6e4005f441ecd71cc794e2a68ef1d299315a6fb40f3c7c80b56d7d09f86e9329548656c2a5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
463KB

MD5
3808c2a9a99b5d3dc6d08b080a302297

SHA1
5d048e778e668ac57a58c994b5f80d5da4e9476c

SHA256
e986b77fbb133b7686f503c89464f86e29d162d6e4d0c89a88887d06011ecd1e

SHA512
95ec70a30dad5a4cdd48a31b3d5ae846b130fbc57afa8e4bdebd66b1995f83f311d631bf06a5091b0847f156788425344f1463994a8b7d4c90816f0124ed35cc

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
dae8cff263ff368184cb1f80f75e1689

SHA1
bd7d9067a0b6f7a9669cad756f1ff04dbe2ba27e

SHA256
220fc0b4b126131490751992f3443ea566a0bbc6b8472a7a7f9c1fac73149f46

SHA512
91e54a6d3230f3be96e2c523d6af7ee0e333271ac2adeef1ccc1cce99f62cd72a93d096cfb3e4ebee3235b77184acb0643ce98a5e0ccfc13caa8fd431c650121

Download Submit
memory/724-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/724-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1864-47-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1864-49-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1864-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1864-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1864-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3992-57-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3992-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3992-64-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4052-50-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4052-48-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.