Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 08:21
Behavioral task
behavioral1
Sample
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe
-
Size
807KB
-
MD5
1a94bba2273274d0f93731436bc1bb30
-
SHA1
543eddbadf14a9aeab0affde1e7d7f7b2360d710
-
SHA256
709d95ad585b444dc62d9fabec674210cb2baacec84a6a477ed37e2787a8833e
-
SHA512
8e6567e54555dd41983274ad40f5f01348401afbfa7462d45cb9c4f9c7fb88ab67da94cb2233f05b6d73ed9e6db268e34b1b89ca1ff7efdf3229d6b8cfef95a3
-
SSDEEP
24576:FYkjllgR+tmbs1t9qgYohxfloUZhjaoJKwbgy:FYslhtmMKcoUvPJKwbgy
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
eQDewf74.exexnhaiv.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" eQDewf74.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xnhaiv.exe -
ModiLoader Second Stage 9 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-10-0x0000000000400000-0x0000000000417000-memory.dmp modiloader_stage2 behavioral1/memory/2068-14-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 behavioral1/memory/2068-15-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 \Users\Admin\aihost.exe modiloader_stage2 behavioral1/memory/2720-70-0x0000000000400000-0x0000000000416000-memory.dmp modiloader_stage2 C:\Users\Admin\bihost.exe modiloader_stage2 behavioral1/memory/2888-89-0x0000000000400000-0x0000000000416000-memory.dmp modiloader_stage2 behavioral1/memory/2068-112-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 behavioral1/memory/2068-402-0x0000000000400000-0x0000000000515000-memory.dmp modiloader_stage2 -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2844 cmd.exe -
Executes dropped EXE 13 IoCs
Processes:
eQDewf74.exexnhaiv.exeaihost.exeaihost.exebihost.exebihost.execihost.exedihost.execihost.execihost.execsrss.exeeihost.exeC497.tmppid process 2340 eQDewf74.exe 2640 xnhaiv.exe 2720 aihost.exe 3020 aihost.exe 2888 bihost.exe 3036 bihost.exe 1316 cihost.exe 2844 dihost.exe 1676 cihost.exe 2060 cihost.exe 332 csrss.exe 2252 eihost.exe 2628 C497.tmp -
Loads dropped DLL 17 IoCs
Processes:
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exeeQDewf74.execihost.exeC497.tmppid process 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2340 eQDewf74.exe 2340 eQDewf74.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1316 cihost.exe 1316 cihost.exe 2628 C497.tmp -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2068-3-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2068-12-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2068-13-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2068-2-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2068-14-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/2068-15-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/3036-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2068-112-0x0000000000400000-0x0000000000515000-memory.dmp upx behavioral1/memory/1676-155-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1316-157-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2068-402-0x0000000000400000-0x0000000000515000-memory.dmp upx -
Adds Run key to start application 2 TTPs 52 IoCs
Processes:
xnhaiv.exeeQDewf74.execihost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /f" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /P" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /p" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /H" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /K" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /r" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /w" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /y" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /U" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /h" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /s" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /Z" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /F" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /u" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /X" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /J" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /T" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /O" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /l" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /V" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /A" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /d" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /W" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /g" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /j" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /B" eQDewf74.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /B" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /k" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /G" xnhaiv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59C.exe = "C:\\Program Files (x86)\\LP\\2B65\\59C.exe" cihost.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /M" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /D" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /z" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /E" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /m" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /v" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /Y" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /C" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /t" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /i" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /q" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /I" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /L" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /N" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /n" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /Q" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /b" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /o" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /c" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /S" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /R" xnhaiv.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnhaiv = "C:\\Users\\Admin\\xnhaiv.exe /e" xnhaiv.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
csrss.exedescription ioc process File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
aihost.exebihost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 aihost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum bihost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 bihost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum aihost.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exeaihost.exebihost.exedihost.exedescription pid process target process PID 1936 set thread context of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 2720 set thread context of 3020 2720 aihost.exe aihost.exe PID 2888 set thread context of 3036 2888 bihost.exe bihost.exe PID 2844 set thread context of 760 2844 dihost.exe cmd.exe -
Drops file in Program Files directory 3 IoCs
Processes:
cihost.exedescription ioc process File created C:\Program Files (x86)\LP\2B65\59C.exe cihost.exe File opened for modification C:\Program Files (x86)\LP\2B65\59C.exe cihost.exe File opened for modification C:\Program Files (x86)\LP\2B65\C497.tmp cihost.exe -
Drops file in Windows directory 1 IoCs
Processes:
explorer.exedescription ioc process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 2628 tasklist.exe 1632 tasklist.exe -
Modifies registry class 5 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
eQDewf74.exeaihost.exexnhaiv.exebihost.execihost.exedihost.exepid process 2340 eQDewf74.exe 2340 eQDewf74.exe 3020 aihost.exe 3020 aihost.exe 3020 aihost.exe 2640 xnhaiv.exe 3036 bihost.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 1316 cihost.exe 1316 cihost.exe 1316 cihost.exe 1316 cihost.exe 1316 cihost.exe 1316 cihost.exe 3020 aihost.exe 3020 aihost.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 3020 aihost.exe 3020 aihost.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 3020 aihost.exe 3020 aihost.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 3020 aihost.exe 3020 aihost.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 2844 dihost.exe 2844 dihost.exe 2844 dihost.exe 2844 dihost.exe 2640 xnhaiv.exe 2640 xnhaiv.exe 1316 cihost.exe 1316 cihost.exe 1316 cihost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2872 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
tasklist.exemsiexec.exedihost.exeexplorer.exetasklist.exedescription pid process Token: SeDebugPrivilege 2628 tasklist.exe Token: SeRestorePrivilege 352 msiexec.exe Token: SeTakeOwnershipPrivilege 352 msiexec.exe Token: SeSecurityPrivilege 352 msiexec.exe Token: SeDebugPrivilege 2844 dihost.exe Token: SeDebugPrivilege 2844 dihost.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeDebugPrivilege 1632 tasklist.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
explorer.exepid process 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
Processes:
explorer.exepid process 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exeeQDewf74.exexnhaiv.exeeihost.exepid process 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 2340 eQDewf74.exe 2640 xnhaiv.exe 2252 eihost.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
csrss.exepid process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exeeQDewf74.execmd.exeaihost.exebihost.execihost.exedescription pid process target process PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 1936 wrote to memory of 2068 1936 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe PID 2068 wrote to memory of 2340 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe eQDewf74.exe PID 2068 wrote to memory of 2340 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe eQDewf74.exe PID 2068 wrote to memory of 2340 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe eQDewf74.exe PID 2068 wrote to memory of 2340 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe eQDewf74.exe PID 2340 wrote to memory of 2640 2340 eQDewf74.exe xnhaiv.exe PID 2340 wrote to memory of 2640 2340 eQDewf74.exe xnhaiv.exe PID 2340 wrote to memory of 2640 2340 eQDewf74.exe xnhaiv.exe PID 2340 wrote to memory of 2640 2340 eQDewf74.exe xnhaiv.exe PID 2340 wrote to memory of 2100 2340 eQDewf74.exe cmd.exe PID 2340 wrote to memory of 2100 2340 eQDewf74.exe cmd.exe PID 2340 wrote to memory of 2100 2340 eQDewf74.exe cmd.exe PID 2340 wrote to memory of 2100 2340 eQDewf74.exe cmd.exe PID 2068 wrote to memory of 2720 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe aihost.exe PID 2068 wrote to memory of 2720 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe aihost.exe PID 2068 wrote to memory of 2720 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe aihost.exe PID 2068 wrote to memory of 2720 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe aihost.exe PID 2100 wrote to memory of 2628 2100 cmd.exe tasklist.exe PID 2100 wrote to memory of 2628 2100 cmd.exe tasklist.exe PID 2100 wrote to memory of 2628 2100 cmd.exe tasklist.exe PID 2100 wrote to memory of 2628 2100 cmd.exe tasklist.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2720 wrote to memory of 3020 2720 aihost.exe aihost.exe PID 2068 wrote to memory of 2888 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe bihost.exe PID 2068 wrote to memory of 2888 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe bihost.exe PID 2068 wrote to memory of 2888 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe bihost.exe PID 2068 wrote to memory of 2888 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2888 wrote to memory of 3036 2888 bihost.exe bihost.exe PID 2068 wrote to memory of 1316 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe cihost.exe PID 2068 wrote to memory of 1316 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe cihost.exe PID 2068 wrote to memory of 1316 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe cihost.exe PID 2068 wrote to memory of 1316 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe cihost.exe PID 2068 wrote to memory of 2844 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe dihost.exe PID 2068 wrote to memory of 2844 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe dihost.exe PID 2068 wrote to memory of 2844 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe dihost.exe PID 2068 wrote to memory of 2844 2068 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe dihost.exe PID 1316 wrote to memory of 1676 1316 cihost.exe cihost.exe PID 1316 wrote to memory of 1676 1316 cihost.exe cihost.exe PID 1316 wrote to memory of 1676 1316 cihost.exe cihost.exe PID 1316 wrote to memory of 1676 1316 cihost.exe cihost.exe PID 1316 wrote to memory of 2060 1316 cihost.exe cihost.exe PID 1316 wrote to memory of 2060 1316 cihost.exe cihost.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
cihost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" cihost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\eQDewf74.exeC:\Users\Admin\eQDewf74.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\xnhaiv.exe"C:\Users\Admin\xnhaiv.exe"5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aihost.exeC:\Users\Admin\aihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aihost.exeaihost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bihost.exeC:\Users\Admin\bihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bihost.exebihost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\5B530\6B32B.exe%C:\Users\Admin\AppData\Roaming\5B5305⤵
- Executes dropped EXE
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Program Files (x86)\3057E\lvvm.exe%C:\Program Files (x86)\3057E5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\2B65\C497.tmp"C:\Program Files (x86)\LP\2B65\C497.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\dihost.exeC:\Users\Admin\dihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Users\Admin\eihost.exeC:\Users\Admin\eihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe4⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
300B
MD5a779256e54b5030b9c94a645e580651b
SHA12ca288b70a83a4af1ce2051147be630d3256c814
SHA25646dd0b3d285585a64a7281e0551585f04cdf2cf9fd89a0cc1903cf89b11097e6
SHA512b8ffd27622a38ee837facd242b7e6b979df3c61bcca1a22e7ef1988e1ed47ee24c0d5128ec159062491348793e4f6eeb926779230c0d76d9ad88c27c8a5cf012
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
600B
MD5a80625fc042897c4a0ac756b4dbb3bd5
SHA17c9557ec868036c7a7313b952e52468940324b67
SHA256c90889dd6dd36a66fb6ada69f1cc229be4306cd5279b3d6fb233a03eb0199cb7
SHA51254861a7b1b2fa6522fab929083287fd130adcd2cd1bc3591bdb7b13217783d706d6b2682aea4f070a421e88901f22c0e885d03c72853379e339cc82232c57236
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
996B
MD5bbaf8c9101795c97a95d3e8d71fe554e
SHA1f6a8071ff5978854741f53d56f2b0e4fdadce1d5
SHA2563474148ea62a2cb694a6925bb777b79dc4bd9587fa7161bf6955697f44da7e0d
SHA5128b30eb99628f9a86d6e46acd5dac7da8f01cf55d67fca0736e6c83ab83f1e08395176e3869e860962c0a4d4e0524a29b781c0c4afe0a216387d2a1320852aa68
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
1KB
MD5b0b97b55d707944be0d61f6e3970637d
SHA1f3c1fd425db509ffb398c94014dfdc4f0371c9f1
SHA256b1c3d5dcba801babbdc9312317a7fb53fd5e8941c239232b060641b3423bf04e
SHA51272043af5cfbffb2182407b0cbe563d40d1ca9012bcba462b03d9fabd164a007071b17b851acd8f104d4ccdc438ce39e8f8d8bd2a527a93d1b60bfba59ce5bbcc
-
C:\Users\Admin\bihost.exeFilesize
119KB
MD5386fef8fdb975e7c102921910db7f9fb
SHA1cdf3f86411189db08c8c0f887f26c2572ecc0889
SHA256ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0
SHA5126ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352
-
C:\Windows\system32\consrv.dllFilesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
\??\globalroot\systemroot\assembly\temp\@Filesize
2KB
MD50b39ec8019d049c552aa5d1d7bd43d76
SHA130d39045635f8f4710a2a7baaf410c4547bc6474
SHA2568d50403cc9efe0dbf9ed735f0ec8fc89b9524c82f8b5885ad5439f661e0a5828
SHA5120f924615afec563d254547a0f4490b962e67cc6dbf08effedecf61ea5359f7e9ed95ac777ffa1043153dbbf16ac10b092590879eedbb07ca2a71220a74d7d67f
-
\Program Files (x86)\LP\2B65\C497.tmpFilesize
100KB
MD54c04ec47c44bc997519e18ce5f20e9d6
SHA1680968fe85eaa19ac68b8dabf3371dd81684ed83
SHA256446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2
SHA512e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279
-
\Users\Admin\aihost.exeFilesize
229KB
MD5c7b9733430c4bf7f56a0c89d7f2dd9cf
SHA10a894c98e17a8c81a378a37c2230cf188932d21e
SHA2568047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d
SHA5124aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464
-
\Users\Admin\cihost.exeFilesize
279KB
MD54df3241b8f53ad2d1c0bba6dc1b97e02
SHA1f0c43893143a3442a453f56c9c4f740941b1d097
SHA256407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199
SHA512e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663
-
\Users\Admin\dihost.exeFilesize
244KB
MD588537f3fd69e60683c4467e89b7651af
SHA12c14a9010bed93b0622efe283a34de343ca33244
SHA2564a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692
SHA512b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084
-
\Users\Admin\eQDewf74.exeFilesize
180KB
MD542836a2ee8ce9deef8d846272ef3949f
SHA179f698c53e56c96c859a0155e02a24c93e120145
SHA2565569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37
SHA512786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85
-
\Users\Admin\eihost.exeFilesize
28KB
MD5f06f7a3945f4f78ee2c6d1ed35cbb5be
SHA1ac1ab0f60a94286b6f01b40431e6f87f6e9899bf
SHA256a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3
SHA51223f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14
-
\Users\Admin\xnhaiv.exeFilesize
180KB
MD57c6f5212f5a2bc7b571643a7b02b9b49
SHA128e437183dd7d60a8a316ffc60f7a8c7d1b24c42
SHA2567fddb89bc0c64dc7c027218a70914b4f1fe04312d95a09ecba6d696bdd07e42f
SHA512adaf46f998111a9fa594c08f17350cacab7510ab41df48fbf52092c03f073954c7c389713767b9b226573cd66bb6c6c98715ed7505eaf1481eada942e010157c
-
\Windows\assembly\GAC_32\Desktop.iniFilesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9
-
memory/1316-157-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/1676-155-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/1936-10-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2068-14-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-402-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-3-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-15-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-0-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-2-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-13-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2068-112-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-12-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2340-44-0x0000000003EB0000-0x000000000496A000-memory.dmpFilesize
10.7MB
-
memory/2720-70-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2844-166-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2844-237-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2844-168-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/2844-158-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2844-162-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2888-89-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/3020-153-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-63-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-53-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-71-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-67-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-60-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-57-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-55-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3036-80-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-88-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-93-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-82-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-95-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-84-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-94-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB