Analysis
-
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 02:04
Behavioral task
behavioral1
Sample
18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
-
Size
875KB
-
MD5
18669652b47dc9bbacea0b790bc47e1c
-
SHA1
6b852f8c039052bfd7f5c94b486c4e7c040a8077
-
SHA256
76081536605f54e193127ce89901ec20dcb94782cc4c28a8c2cfb58521b23bf4
-
SHA512
d1023c4c071240b1ca01da705eeb83f7b4bd17adfa658982326cc293ee80f1a088b5c1adab7fbce4f24ce5189443e3901df98c786abd7cf2f0427ecc278f60ec
-
SSDEEP
24576:B5T0kUJQCdHVFQlyOW8oooiAhYJWtA7q:B53UVHVFQAp5iAOgtAG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
Processes: cthost.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  (cthost.exe)
wscsvc is the Windows Security Center service. Start = 3 is SERVICE_DEMAND_START, so cthost.exe switches it from automatic to manual: it no longer starts at boot and stops reporting missing antivirus/firewall state through Action Center.
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: Ww9OoYLk.exe, meaje.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (Ww9OoYLk.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (meaje.exe)
ShowSuperHidden = 0 re-enables Explorer's "Hide protected operating system files" option for this user, so anything the malware marks hidden+system stays out of view even if the user has turned on "show hidden files".
-
ModiLoader Second Stage 9 IoCs
Resources matching yara rule modiloader_stage2 (memory dumps are named <pid>-<index>-<start>-<end>):
  behavioral1/memory/2984-10-0x0000000000400000-0x000000000041F000-memory.dmp
  behavioral1/memory/3040-15-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-14-0x0000000000400000-0x0000000000535000-memory.dmp
  \Users\Admin\athost.exe
  behavioral1/memory/2580-69-0x0000000000400000-0x000000000041E000-memory.dmp
  \Users\Admin\bthost.exe
  behavioral1/memory/2856-89-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/3040-153-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-360-0x0000000000400000-0x0000000000535000-memory.dmp
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Active Setup\Installed Components  (explorer.exe)
Only the per-user parent key is recorded, created by explorer.exe, with no StubPath value under it. explorer.exe creates that key itself when it processes Active Setup at logon, so this hit alone does not show a malicious Active Setup entry; a real one would appear as a new {GUID}\StubPath under the machine-wide \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components, written by one of the dropped executables.
-
Disables taskbar notifications via registry modification
The write behind this signature is the HideSCAHealth = 1 policy value set by cthost.exe (listed under "System policy modification" below); it hides the Security Center / Action Center health icon in the notification area, so the user is not warned that Security Center was switched off.
-
Deletes itself 1 IoCs
Processes: 1680 cmd.exe
-
Executes dropped EXE 13 IoCs
Processes (pid  image):
  2344 Ww9OoYLk.exe
  2772 meaje.exe
  2580 athost.exe
  3056 athost.exe
  2856 bthost.exe
  2620 bthost.exe
  1796 cthost.exe
  2792 dthost.exe
  332 csrss.exe
  1300 cthost.exe
  1708 ethost.exe
  1680 cthost.exe
  2556 99CF.tmp
-
Loads dropped DLL 19 IoCs
Processes (pid  image  loads):
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe  x12
  2344 Ww9OoYLk.exe  x2
  1796 cthost.exe  x3
  2180 DllHost.exe  x1
  2556 99CF.tmp  x1
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 15 IoCs
Resources matching yara rule upx:
  behavioral1/memory/3040-3-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-2-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-13-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-6-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-15-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-14-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/2620-94-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2620-93-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2620-92-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2620-87-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2620-83-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2620-81-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/1300-148-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/3040-153-0x0000000000400000-0x0000000000535000-memory.dmp
  behavioral1/memory/3040-360-0x0000000000400000-0x0000000000535000-memory.dmp
The hits are on memory dumps of the hollowed children (PIDs 3040, 2620 and 1300), not on files: the UPX stub is still mapped at the image base after the parent wrote the payload into the child.
-
Adds Run key to start application 2 TTPs 54 IoCs
Processes: meaje.exe, cthost.exe, Ww9OoYLk.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\meaje = "C:\\Users\\Admin\\meaje.exe /<switch>"
    53 writes to this one value: 52 by meaje.exe and one by Ww9OoYLk.exe (the /a write listed between the /n and /P writes). The switch changes on every write; in report order:
    /l /c /e /E /X /b /O /W /D /w /g /L /r /U /o /h /K /q /T /G /F /J /t /H /y /x /B /m /k /n /a (Ww9OoYLk.exe) /P /Q /v /f /R /Y /A /N /d /C /s /V /I /M /p /S /z /j /i /Z /a /u
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D63.exe = "C:\\Program Files (x86)\\LP\\C4CE\\D63.exe"  (cthost.exe; listed between the /r and /U writes)
Because the value name "meaje" never changes, each write overwrites the previous one and only a single meaje Run entry exists at any time: the 52 rewrites are meaje.exe re-registering itself with a rotating argument, not 52 persistence entries. The D63.exe entry is a second, machine-wide persistence point (the 32-bit Run key under Wow6432Node) for the file cthost.exe dropped into Program Files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes: csrss.exe
  File created \systemroot\assembly\GAC_64\Desktop.ini  (csrss.exe)
  File created \systemroot\assembly\GAC_32\Desktop.ini  (csrss.exe)
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: athost.exe, bthost.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (athost.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (bthost.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (bthost.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (athost.exe)
Disk\Enum\0 holds the Plug and Play device ID of the first disk, whose vendor/model string reveals a virtual disk; both hollowed children read it, which is consistent with a VM check before continuing.
-
Suspicious use of SetThreadContext 4 IoCs
Processes (source pid/image -> target pid/image):
  2984 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
  2580 athost.exe -> 3056 athost.exe
  2856 bthost.exe -> 2620 bthost.exe
  2792 dthost.exe -> 2080 cmd.exe
Three of the four are a parent setting the thread context of a child running its own image, after writing into that child's memory (see "Suspicious use of WriteProcessMemory"). That combination is the process-hollowing pattern: the child is started suspended, its image is replaced, and its main thread is pointed at the new entry point. The unpacked payload is what the modiloader_stage2 and upx rules match in the children's memory dumps (PID 3040 for the first pair, PID 2620 for the bthost pair). The fourth call targets a cmd.exe child (PID 2080) that dthost.exe spawned.
-
Drops file in Program Files directory 3 IoCs
Processes: cthost.exe
  File opened for modification C:\Program Files (x86)\LP\C4CE\D63.exe  (cthost.exe)
  File created C:\Program Files (x86)\LP\C4CE\D63.exe  (cthost.exe)
  File opened for modification C:\Program Files (x86)\LP\C4CE\99CF.tmp  (cthost.exe)
D63.exe is the same path cthost.exe registers under the machine-wide Run key above; 99CF.tmp is later executed (PID 2556) and loads a dropped DLL.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes: 2540 tasklist.exe, 2800 tasklist.exe
-
Modifies registry class 5 IoCs
Processes: explorer.exe
  Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  (explorer.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings  (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  (explorer.exe)
BagMRU/NodeSlots are Explorer's shell-bag (folder view) bookkeeping, written by an interactive explorer.exe whenever a folder window is opened or closed. All five entries come from explorer.exe, so this is desktop noise rather than an indicator.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid  image  count):
  2344 Ww9OoYLk.exe  x2
  3056 athost.exe  x13
  2620 bthost.exe  x1
  2772 meaje.exe  x39
  1796 cthost.exe  x6
  2792 dthost.exe  x3
The report lists at most 64 entries per signature, so these counts are lower bounds.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 1188 explorer.exe
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes (pid  image  privilege  count):
  2540 tasklist.exe  SeDebugPrivilege  x1
  2588 msiexec.exe  SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege  x1 each
  2792 dthost.exe  SeDebugPrivilege  x2
  1188 explorer.exe  SeShutdownPrivilege  x12
  2800 tasklist.exe  SeDebugPrivilege  x1
tasklist.exe and explorer.exe enable these privileges as part of their normal work. The entry that matters is dthost.exe enabling SeDebugPrivilege: that is what lets it open csrss.exe (PID 332) with write access for the cross-process write recorded below.
-
Suspicious use of FindShellTrayWindow 28 IoCs
Processes: 1188 explorer.exe  x28
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 1188 explorer.exe  x18
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid  image):
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
  2344 Ww9OoYLk.exe
  2772 meaje.exe
  1708 ethost.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes: 332 csrss.exe
Unmapping a process's main image section is the step that precedes replacing it with injected code; here it is reported for csrss.exe (PID 332), the system process dthost.exe wrote into.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/image -> target pid/image, write count):
  2984 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe  x8
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 2344 Ww9OoYLk.exe  x4
  2344 Ww9OoYLk.exe -> 2772 meaje.exe  x4
  2344 Ww9OoYLk.exe -> 2800 cmd.exe  x4
  2800 cmd.exe -> 2540 tasklist.exe  x4
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 2580 athost.exe  x4
  2580 athost.exe -> 3056 athost.exe  x10
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 2856 bthost.exe  x4
  2856 bthost.exe -> 2620 bthost.exe  x8
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 1796 cthost.exe  x4
  3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe -> 2792 dthost.exe  x4
  2792 dthost.exe -> 332 csrss.exe  x1
  1796 cthost.exe -> 1300 cthost.exe  x4
  332 csrss.exe -> 2180 DllHost.exe  x1
A block of four writes from a parent into a child it has just created is what this sandbox records for an ordinary process start, so those pairs carry little signal on their own. The pairs to weigh are the x8/x10 writes into a same-image child that also received a SetThreadContext call (2984 -> 3040, 2580 -> 3056, 2856 -> 2620), and the single writes into system processes: dthost.exe (2792) into csrss.exe (332), after which csrss.exe wrote into DllHost.exe (2180), which in turn loaded a dropped DLL. The list is capped at 64 entries, so the counts are lower bounds.
-
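The SetThreadContext and WriteProcessMemory tables above only make sense when read together per (source, target) pair. The following script is an added example, not part of the sandbox report or the malware: it parses the report's "PID X wrote to memory of Y" and "PID X set thread context of Y" lines, counts operations per pair, and assigns a verdict. SAMPLE_EVENTS is constructed from the lines on this page (one representative per pair; the report repeats most write lines). The verdict names and the SYSTEM_IMAGES set are this example's own choices, not sandbox terminology.

```python
"""Correlate WriteProcessMemory / SetThreadContext sandbox events into
per-(source, target) injection verdicts. Added example; the input format is
the report's own line layout, the verdicts are this script's."""
import re
from collections import defaultdict
from typing import List, NamedTuple

# Constructed from this report's IoC tables (one line per pair, writes deduplicated).
SAMPLE_EVENTS = """
PID 2984 set thread context of 3040 2984 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
PID 2580 set thread context of 3056 2580 athost.exe athost.exe
PID 2856 set thread context of 2620 2856 bthost.exe bthost.exe
PID 2792 set thread context of 2080 2792 dthost.exe cmd.exe
PID 2984 wrote to memory of 3040 2984 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
PID 2984 wrote to memory of 3040 2984 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
PID 3040 wrote to memory of 2344 3040 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe Ww9OoYLk.exe
PID 2580 wrote to memory of 3056 2580 athost.exe athost.exe
PID 2856 wrote to memory of 2620 2856 bthost.exe bthost.exe
PID 2792 wrote to memory of 332 2792 dthost.exe csrss.exe
PID 332 wrote to memory of 2180 332 csrss.exe DllHost.exe
"""

# Report line layout: PID <src> <verb> <dst> <src again> <src image> <dst image>
EVENT_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) '
    r'(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$')

# Windows images a dropped binary has no business writing into (example's own list).
SYSTEM_IMAGES = {'csrss.exe', 'dllhost.exe', 'svchost.exe', 'explorer.exe',
                 'lsass.exe', 'winlogon.exe'}


class Pair(NamedTuple):
    src_pid: int
    src_img: str
    dst_pid: int
    dst_img: str
    writes: int
    contexts: int
    verdict: str


def assess(writes: int, contexts: int, src_img: str, dst_img: str) -> str:
    """Turn the operation counts for one (src, dst) pair into a verdict."""
    if writes and contexts:
        # Write a payload, then redirect a thread into it: hollowing when the
        # target is a suspended copy of the writer's own image, otherwise
        # injection into a foreign process.
        return 'hollowing-pattern' if src_img.lower() == dst_img.lower() else 'injection-pattern'
    if contexts:
        return 'context-only'                 # thread hijack without a logged write
    if dst_img.lower() in SYSTEM_IMAGES:
        return 'write-into-system-image'      # e.g. dthost.exe -> csrss.exe
    return 'write-only'                       # parent -> child start-up writes; low signal


def correlate(text: str) -> List[Pair]:
    """Parse report lines and return one Pair per (src, dst), sorted by pid."""
    counts = defaultdict(lambda: [0, 0])      # key -> [writes, contexts]
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                          # tolerate headers / wrapped lines
        key = (int(m['src']), int(m['dst']), m['src_img'], m['dst_img'])
        counts[key][1 if m['op'].startswith('set thread') else 0] += 1
    pairs = [Pair(s, si, d, di, w, c, assess(w, c, si, di))
             for (s, d, si, di), (w, c) in counts.items()]
    return sorted(pairs, key=lambda p: (p.src_pid, p.dst_pid))


def flagged(text: str) -> List[Pair]:
    """Only the pairs worth a second look."""
    return [p for p in correlate(text) if p.verdict != 'write-only']


if __name__ == '__main__':
    for p in correlate(SAMPLE_EVENTS):
        print(f'{p.src_pid:>5} {p.src_img[:24]:24} -> {p.dst_pid:>5} {p.dst_img[:24]:24} '
              f'writes={p.writes} ctx={p.contexts} {p.verdict}')
```

Run on the sample, the three same-image parent/child pairs come out as hollowing-pattern, the dthost.exe writes into csrss.exe and the csrss.exe write into DllHost.exe as write-into-system-image, and the routine 3040 -> 2344 start-up write as write-only. Feeding it the full table (with repeated lines) only changes the write counts, not the verdicts.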
System policy modification 1 TTPs 2 IoCs
Processes: cthost.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  (cthost.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  (cthost.exe)
HideSCAHealth = 1 is the machine policy that removes the Security Center / Action Center health icon from the notification area. Together with the wscsvc Start = 3 change above it keeps the user from seeing that Security Center is no longer running.
-
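The registry writes spread across "Modifies security service", "Modifies visibility of hidden/system files", "Adds Run key" and "System policy modification" are the sample's whole defence-evasion and persistence footprint, and each is recognisable from the key, value name and data alone. The script below is an added example (not part of the sandbox report or the malware) that parses the report's "Set value" lines and classifies them. SAMPLE_IOCS is constructed from lines on this page, plus one explorer.exe shell-bag write that must not be flagged; the verdict names and the SERVICE_START table are this example's own.

```python
"""Classify the registry "Set value" IoC lines of a sandbox report.
Added example; assumes the report's own layout:
    Set value (<type>) <native key path>\<value name> = "<data>" <process>"""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed from this report's IoC tables (representatives of each behaviour;
# the report lists 54 Run-key writes). The last line is benign explorer.exe noise.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" cthost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Ww9OoYLk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" cthost.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\meaje = "C:\\Users\\Admin\\meaje.exe /l" meaje.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\meaje = "C:\\Users\\Admin\\meaje.exe /a" Ww9OoYLk.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D63.exe = "C:\\Program Files (x86)\\LP\\C4CE\\D63.exe" cthost.exe',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe',
]

# The key is matched lazily so it may contain spaces ("Local Settings"); the data
# is either the quoted string the report prints or a bare token such as ffffffff.
IOC_RE = re.compile(r'^Set value \((\w+)\) (.+?) = (?:"(.*)"|(\S+)) (\S+)$')

SERVICE_START = {'2': 'automatic', '3': 'manual', '4': 'disabled'}  # SERVICE_*_START values


class Finding(NamedTuple):
    verdict: str
    process: str
    key: str      # reg.exe-style path (HKLM\... or HKU\...)
    data: str


def to_win32_path(native: str) -> str:
    """Map the object-manager path the sandbox logs to reg.exe notation."""
    for prefix, short in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'),
                          ('\\REGISTRY\\USER\\', 'HKU\\')):
        if native.upper().startswith(prefix):
            return short + native[len(prefix):]
    return native


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a registry write that matters, else None."""
    m = IOC_RE.match(line)
    if not m:
        return None
    _vtype, key, quoted, bare, proc = m.groups()
    data = (quoted if quoted is not None else bare).replace('\\\\', '\\')  # undo report escaping
    parent, _, name = key.rpartition('\\')
    parent_l, name_l = parent.lower(), name.lower()
    if parent_l.endswith('\\services\\wscsvc') and name_l == 'start' and data in ('3', '4'):
        # Security Center service no longer auto-starts: no AV/firewall warnings.
        verdict = 'security-center-service-' + SERVICE_START[data]
    elif name_l == 'showsuperhidden' and data == '0':
        verdict = 'hide-protected-os-files'      # Explorer hides hidden+system files
    elif name_l == 'hidescahealth' and data == '1':
        verdict = 'hide-action-center-icon'      # tray health icon suppressed by policy
    elif parent_l.endswith('\\currentversion\\run'):
        verdict = 'run-key-persistence'
    else:
        return None                               # e.g. explorer.exe shell-bag noise
    return Finding(verdict, proc, to_win32_path(key), data)


def triage(lines) -> list:
    return [f for f in map(classify, lines) if f is not None]


def summarize(lines) -> dict:
    """verdict -> number of writes (52 rewrites of one Run value count 52 times)."""
    return dict(Counter(f.verdict for f in triage(lines)))


def persisted_commands(lines) -> dict:
    """Run value -> the command that survives; earlier writes to the same value are overwritten."""
    out = {}
    for f in triage(lines):
        if f.verdict == 'run-key-persistence':
            out[f.key] = f.data
    return out


if __name__ == '__main__':
    for f in triage(SAMPLE_IOCS):
        print(f'{f.verdict:32} {f.process:14} {f.key} = {f.data}')
    print(summarize(SAMPLE_IOCS))
    print(persisted_commands(SAMPLE_IOCS))
```

persisted_commands() is the view that matters for cleanup: however many times meaje.exe rewrites its Run value, only the last command is on disk, and the D63.exe entry under Wow6432Node is the second, machine-wide entry to remove.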
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
C:\Users\Admin\AppData\Local\Temp\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Ww9OoYLk.exeC:\Users\Admin\Ww9OoYLk.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\meaje.exe"C:\Users\Admin\meaje.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\athost.exeC:\Users\Admin\athost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\athost.exeathost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bthost.exeC:\Users\Admin\bthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bthost.exebthost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\E6BC3\057C4.exe%C:\Users\Admin\AppData\Roaming\E6BC34⤵
- Executes dropped EXE
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Program Files (x86)\C385C\lvvm.exe%C:\Program Files (x86)\C385C4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\C4CE\99CF.tmp"C:\Program Files (x86)\LP\C4CE\99CF.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\dthost.exeC:\Users\Admin\dthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
-
C:\Users\Admin\ethost.exeC:\Users\Admin\ethost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe3⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Loads dropped DLL
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[depth 1] C:\Windows\system32\DllHost.exe
cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
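The cmd.exe child in the tree above (`"C:\Windows\System32\cmd.exe" /c tasklist&&del 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe`) is the dropper removing its own file once it has finished: `tasklist` only burns a moment so the original process has exited and released its file handle before `del` runs. The following detection logic is an added example written for this page, not sandbox output or part of the report. It runs over constructed process-creation records modelled on the tree (PIDs, the explorer.exe parent, the `installer.exe` variant and the benign admin `del` are all made up), and it generalizes beyond this sample's `tasklist` to the other stall commands commonly chained in front of `del` (ping, timeout, choice, waitfor).

```python
"""Flag the `cmd.exe /c <stall> && del <dropper>` self-deletion idiom in
process-creation events (one dict per process: pid, ppid, image, cmdline).

Added example for this report; EVENTS below is constructed to mirror the
process tree and is not sandbox output.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Commands droppers chain in front of `del` so their own process has exited
# (and the file is no longer locked) by the time the delete runs.
STALL_COMMANDS = {"tasklist", "ping", "timeout", "choice", "waitfor"}

# Constructed events: PIDs, the explorer.exe parent and the installer.exe
# variant are invented; the sample's own cmd.exe line is as shown in the tree.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3040, "ppid": 1200,
     "image": r"C:\Users\Admin\Desktop\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe"'},
    {"pid": 2100, "ppid": 3040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe'},
    {"pid": 2104, "ppid": 2100, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    # Benign: an admin clearing a log file from a cmd prompt (must not fire).
    {"pid": 2300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /q C:\Temp\old.log'},
    # Common variant: ping as the delay, quoted full path, /f /q flags.
    {"pid": 2390, "ppid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\installer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\installer.exe"'},
    {"pid": 2400, "ppid": 2390, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\installer.exe"'},
]

# cmd.exe chains commands with && || & |; split on any of them.
_SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


@dataclass
class Finding:
    cmd_pid: int
    parent_pid: int
    parent_image: str
    deleted: str            # the path/filename passed to del
    stall: Optional[str]    # stall command seen before del, if any


def _tokens(segment: str) -> List[str]:
    """Split a cmd.exe segment on whitespace while keeping "quoted paths" intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def _del_targets(cmdline: str) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (stall_command_or_None, target) for every del/erase in a cmd /c or /k line."""
    m = re.search(r"/[cCkK]\s*(.*)$", cmdline)
    if not m:
        return
    stall = None
    for seg in _SEGMENT_SPLIT.split(m.group(1)):
        toks = _tokens(seg)
        if not toks:
            continue
        head = ntpath.basename(toks[0]).lower()
        head = head[:-4] if head.endswith(".exe") else head
        if head in STALL_COMMANDS:
            stall = head
        elif head in ("del", "erase"):
            for t in toks[1:]:
                if not t.startswith("/"):   # skip switches such as /f /q
                    yield stall, t


def find_self_deletion(events) -> List[Finding]:
    """Flag cmd.exe processes whose command line deletes their parent's own image.

    A bare filename in `del` resolves against the parent's working directory,
    which process-creation events do not carry, so the match is on basename.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_name = ntpath.basename(parent["image"]).lower()
        for stall, target in _del_targets(e["cmdline"]):
            if ntpath.basename(target).lower() == parent_name:
                findings.append(Finding(e["pid"], parent["pid"], parent["image"], target, stall))
    return findings


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print(f"cmd.exe pid {f.cmd_pid} deletes its parent {f.parent_image} "
              f"(pid {f.parent_pid}) via del {f.deleted!r}; stall={f.stall}")
```

Feed it Sysmon Event ID 1 (or equivalent EDR) records mapped to the same four fields; the stall command is reported separately because a `del` of the parent image with no stall at all is rarer and worth a higher severity, while the `tasklist`/`ping` forms are the routine dropper idiom.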
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Active Setup, T1547.014 (1)
Privilege Escalation
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Active Setup, T1547.014 (1)
Defense Evasion
- Modify Registry, T1112 (5)
- Hide Artifacts, T1564 (1)
  - Hidden Files and Directories, T1564.001 (1)
Downloads
- C:\Users\Admin\AppData\Roaming\E6BC3\385C.6BC (Filesize 600B)
  MD5: 63abf1ebd2e33970e193fef3954ba00f
  SHA1: 1ad0c10ee2dfd881ff906e260d86269e90a59920
  SHA256: 04bb2caaa4d284aca297f46b02325ffbdb16c705bab4a00551b9f67420288a14
  SHA512: c0a0ac7480eeb0cb8fbd526c71e62936a29c591a5fb50b81a29d38961dac8eb9dd0d7668c1ae8ecef13ec4944b6bff2e68d12aaf9e7fd78b4f678d479660b2ca
- C:\Users\Admin\AppData\Roaming\E6BC3\385C.6BC (Filesize 996B)
  MD5: b7dd79ebce19baea1cd5a56f0c43e276
  SHA1: c99646384c64768ae0eec19590c88613ea5f5fc0
  SHA256: cb16fd7b894a7b5f4dd10f6766e11b3dde9fdf149f74bc5cf179fbb7f0c6a07c
  SHA512: 47c1b08090ad1d74f6f47b62fd76a2dfde351e1fbe5db6d5938d8f4491ef411ae70ca0e308be04808f17b7ebb6c1e1e68ed677e89a4fcdc62a6bf60b9ed2cdb0
- C:\Users\Admin\AppData\Roaming\E6BC3\385C.6BC (Filesize 1KB)
  MD5: ec802eb95a623352b878c28f6eafb9aa
  SHA1: 1bb28bad5f0a3c193a1267ab8143541708a02e7d
  SHA256: b086dfdea24cff4fbc19231aea0ce238e578a754d17d84153a0e41d4c7172a16
  SHA512: a7aa7b614e0dff67760618bf96cb05c12fddce0a87b4f45263b0859d7fcd04b8b15afd9ca8c7f465db587b51dad21f82444e02b22513f75e75e35066c33fe7fd
- \??\globalroot\systemroot\assembly\temp\@ (Filesize 2KB)
  MD5: c16dc29d91b5b1c157c7d2c4345026c7
  SHA1: c3f452539e22f5dd277e293cfd0bd7dbac353cc0
  SHA256: 849d13f1c9cfb30832d3e449ede1203d3cca347669e15b8d084324ec1054424f
  SHA512: f864d20ee5cd8acd1d0e6a89f3e36ef9b1b645f93f36036686a4815b78d2a65f08afe8cee18a4161c3a9717b041a48f949af1cc0110b64703db76c43558a2705
- \Program Files (x86)\LP\C4CE\99CF.tmp (Filesize 95KB)
  MD5: a1d80ed250788260ffd66258555a4876
  SHA1: 10b81c2cdc4a7d645f9058c220587fac79281351
  SHA256: d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3
  SHA512: fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8
- \Users\Admin\Ww9OoYLk.exe (Filesize 256KB)
  MD5: 77e425fe955cbc4b6245cf8a3ed645b3
  SHA1: 921dad95a28283f2138e8c36d4cbf295572d33ac
  SHA256: 86b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809
  SHA512: ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b
- \Users\Admin\athost.exe (Filesize 263KB)
  MD5: 6b7d559166467ef651497836feef65e3
  SHA1: 9edda6cd07a1960ba52abe17fc7402ff93d44ce6
  SHA256: 6151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0
  SHA512: d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356
- \Users\Admin\bthost.exe (Filesize 153KB)
  MD5: f28e94ce33674d8cf13f31bb5f20f745
  SHA1: e79332b18af7b31caa195956c23303d35c2808c8
  SHA256: 42f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f
  SHA512: 8bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112
- \Users\Admin\cthost.exe (Filesize 278KB)
  MD5: d0bf4ea3b6fc02afd2c6ed5f4b0d142e
  SHA1: 2187968df184c18f945497dd410f90f4b6ff186d
  SHA256: 3c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0
  SHA512: e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4
- \Users\Admin\dthost.exe (Filesize 227KB)
  MD5: d39d17b38909180b0c65cb4081154100
  SHA1: b7a11d389d940273b91dd9ddb11137404eedceea
  SHA256: 590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3
  SHA512: 5a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6
- \Users\Admin\ethost.exe (Filesize 24KB)
  MD5: b38b2a8c25efb39b245dbfa6c1ccc29b
  SHA1: 62fda766006bfbccbfaade649ceb29764c216ea4
  SHA256: 1fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d
  SHA512: 8cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d
- \Users\Admin\meaje.exe (Filesize 256KB)
  MD5: 4f9b7314543e88009f3c91507b693bf3
  SHA1: 205da2d04a87f6a798c67e16a4b0055b7c673933
  SHA256: b256ddf8867690ddb66932ae28de75413f958c3eff3f05a2ce3c3809f11898d4
  SHA512: 1d062d3e29cec1aafcf945143235855aa59bfbe0c6ce4f11c8a51adcfddec6247fbffcb7b6353236527b7136d71e47c55490537f5010e3d7c7c3a2179537f5bb
- \Windows\System32\consrv.dll (Filesize 53KB)
  MD5: 63e99b675a1337db6d8430195ea3efd2
  SHA1: 1baead2bf8f433dc82f9b2c03fd65ce697a92155
  SHA256: 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
  SHA512: f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
- \Windows\assembly\GAC_32\Desktop.ini (Filesize 4KB)
  MD5: 758f90d425814ea5a1d2694e44e7e295
  SHA1: 64d61731255ef2c3060868f92f6b81b4c9b5fe29
  SHA256: 896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
  SHA512: 11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9
- \Windows\assembly\GAC_64\Desktop.ini (Filesize 5KB)
  MD5: 92f9cdae857253a3895faffa85b3d8b9
  SHA1: d28352ff5a02eeb98334e3d0f845a259b2aacff3
  SHA256: 5653db84679ab49eec2e32127271dacd802b8ed53a5199c5fd5fe998be32a36b
  SHA512: f23ec0a005b5d84d26527cd6c26d494b9ecff4b099adfd780fe7953f5affb0f295f92dc663d79bcb60d42f82d249b7e61acb39a38bdbd66185da5bf6126737a6
- memory/332-132-0x00000000023C0000-0x00000000023D2000-memory.dmp (Filesize 72KB)
- memory/1300-148-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize 428KB)
- memory/2580-69-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/2620-92-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2620-81-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2620-83-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2620-79-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2620-87-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2620-94-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2620-93-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2792-124-0x0000000002110000-0x0000000002155000-memory.dmp (Filesize 276KB)
- memory/2792-118-0x0000000002110000-0x0000000002155000-memory.dmp (Filesize 276KB)
- memory/2792-152-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize 408KB)
- memory/2792-126-0x0000000002110000-0x0000000002155000-memory.dmp (Filesize 276KB)
- memory/2792-113-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize 408KB)
- memory/2792-123-0x0000000002110000-0x0000000002155000-memory.dmp (Filesize 276KB)
- memory/2792-114-0x0000000002110000-0x0000000002155000-memory.dmp (Filesize 276KB)
- memory/2792-122-0x0000000002110000-0x0000000002155000-memory.dmp (Filesize 276KB)
- memory/2856-89-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/2984-10-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
- memory/3040-6-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-13-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-112-0x00000000005B0000-0x0000000000616000-memory.dmp (Filesize 408KB)
- memory/3040-0-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-3-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-111-0x00000000005B0000-0x0000000000616000-memory.dmp (Filesize 408KB)
- memory/3040-360-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-2-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-14-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-15-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3040-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
- memory/3040-153-0x0000000000400000-0x0000000000535000-memory.dmp (Filesize 1.2MB)
- memory/3056-62-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-163-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-54-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-56-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-66-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-53-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-70-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3056-59-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)