Analysis Overview
SHA256
29ccca4123f1cc91a090ab64befe6c7369d08cf5a943004071cf99e50d5a0c4a
Threat Level: Known bad
The file e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modiloader family
ModiLoader Second Stage
Modifies visibility of hidden/system files in Explorer
ModiLoader, DBatLoader
ModiLoader Second Stage
Deletes itself
Checks computer location settings
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
Maps connected drives based on registry
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 15:12
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 15:12
Reported
2024-04-07 15:15
Platform
win7-20240221-en
Max time kernel
167s
Max time network
180s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\dHY4IvP3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\boupom.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\dHY4IvP3.exe | N/A |
| N/A | N/A | C:\Users\Admin\boupom.exe | N/A |
| N/A | N/A | C:\Users\Admin\azhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\azhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bzhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bzhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\czhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\czhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dzhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\ezhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /j" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /B" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /E" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /M" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /q" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /G" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /X" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /o" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /z" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /c" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /R" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /y" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /Q" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /x" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /f" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /e" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /v" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /h" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /t" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /r" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /k" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /J" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /V" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /O" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /w" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /S" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /g" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /D" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /u" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /l" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /i" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /b" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /d" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /P" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /A" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /N" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /h" | C:\Users\Admin\dHY4IvP3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /n" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /Y" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /C" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /Z" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /H" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /W" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /K" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /U" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /I" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /T" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /a" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /s" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /m" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /p" | C:\Users\Admin\boupom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\boupom = "C:\\Users\\Admin\\boupom.exe /L" | C:\Users\Admin\boupom.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\bzhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\azhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\azhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bzhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2276 set thread context of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe |
| PID 396 set thread context of 1880 | N/A | C:\Users\Admin\azhost.exe | C:\Users\Admin\azhost.exe |
| PID 844 set thread context of 1052 | N/A | C:\Users\Admin\bzhost.exe | C:\Users\Admin\bzhost.exe |
| PID 1168 set thread context of 1500 | N/A | C:\Users\Admin\czhost.exe | C:\Users\Admin\czhost.exe |
| PID 2300 set thread context of 1528 | N/A | C:\Users\Admin\dzhost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\czhost.exe |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dzhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dzhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\dHY4IvP3.exe | N/A |
| N/A | N/A | C:\Users\Admin\boupom.exe | N/A |
| N/A | N/A | C:\Users\Admin\ezhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
C:\Users\Admin\dHY4IvP3.exe
C:\Users\Admin\dHY4IvP3.exe
C:\Users\Admin\boupom.exe
"C:\Users\Admin\boupom.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del dHY4IvP3.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\azhost.exe
C:\Users\Admin\azhost.exe
C:\Users\Admin\azhost.exe
azhost.exe
C:\Users\Admin\bzhost.exe
C:\Users\Admin\bzhost.exe
C:\Users\Admin\bzhost.exe
bzhost.exe
C:\Users\Admin\czhost.exe
C:\Users\Admin\czhost.exe
C:\Users\Admin\czhost.exe
czhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 88
C:\Users\Admin\dzhost.exe
C:\Users\Admin\dzhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\ezhost.exe
C:\Users\Admin\ezhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Proto | Domain |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| AT | 90.146.157.209:25700 | tcp | |
| KZ | 178.91.247.102:25700 | tcp | |
| FR | 82.231.206.72:25700 | tcp | |
| NL | 94.211.120.171:25700 | tcp | |
| RU | 79.165.149.95:25700 | tcp | |
| US | 74.73.163.152:25700 | tcp | |
| RU | 77.121.48.13:25700 | tcp | |
| RU | 188.168.206.55:25700 | tcp | |
| US | 69.125.22.247:25700 | tcp | |
| US | 98.198.30.69:25700 | tcp | |
| IR | 89.144.154.198:25700 | tcp | |
| KZ | 178.91.65.246:25700 | tcp | |
| IN | 27.251.37.217:25700 | tcp | |
| DE | 176.198.236.88:25700 | tcp | |
| US | 74.70.230.102:25700 | tcp | |
| KZ | 95.56.139.21:25700 | tcp | |
| US | 69.168.121.117:25700 | tcp | |
| RO | 89.42.252.125:25700 | tcp | |
| US | 173.21.36.182:25700 | tcp | |
| SA | 31.166.173.46:25700 | tcp | |
| IT | 2.193.202.105:25700 | tcp | |
| US | 71.234.169.227:25700 | tcp | |
| AT | 95.81.63.237:25700 | tcp | |
| US | 65.96.228.202:25700 | tcp | |
| IN | 223.29.194.220:25700 | tcp | |
| US | 174.60.118.225:25700 | tcp | |
| MD | 188.131.107.196:25700 | tcp | |
| RO | 95.76.146.76:25700 | tcp | |
| US | 68.111.193.173:25700 | tcp | |
| PK | 119.154.70.21:25700 | tcp | |
| FI | 85.76.124.141:25700 | tcp | |
| US | 128.237.121.95:25700 | tcp | |
| UA | 82.193.112.116:25700 | tcp | |
| UA | 77.52.69.134:25700 | tcp | |
| US | 24.47.68.89:25700 | tcp | |
| KZ | 87.247.55.15:25700 | tcp | |
| DE | 77.182.177.88:25700 | tcp | |
| US | 74.77.229.34:25700 | tcp | |
| US | 67.169.229.190:25700 | tcp | |
| US | 98.226.12.148:25700 | tcp | |
| US | 68.84.219.133:25700 | tcp | |
| PL | 91.207.60.22:25700 | tcp | |
| US | 68.186.242.169:25700 | tcp | |
| DZ | 41.107.58.96:25700 | tcp | |
| US | 68.187.138.228:25700 | tcp | |
| BR | 201.51.24.33:25700 | tcp | |
| KZ | 109.238.161.115:25700 | tcp | |
| US | 69.125.143.153:25700 | tcp | |
| US | 76.178.55.173:25700 | tcp | |
| KZ | 92.47.171.54:25700 | tcp | |
| KZ | 2.134.150.100:25700 | tcp | |
| US | 76.88.225.64:25700 | tcp | |
| KZ | 95.58.49.117:25700 | tcp | |
| US | 76.24.227.2:25700 | tcp | |
| US | 75.87.186.163:25700 | tcp | |
| KZ | 95.56.26.46:25700 | tcp | |
| US | 76.169.132.180:25700 | tcp | |
| US | 67.168.138.45:25700 | tcp | |
| PH | 112.204.125.129:25700 | tcp | |
| US | 71.206.72.215:25700 | tcp | |
| US | 67.10.112.153:25700 | tcp | |
| US | 75.56.212.200:25700 | tcp | |
| US | 70.122.106.37:25700 | tcp | |
| US | 24.255.144.163:25700 | tcp | |
| KZ | 87.247.59.129:25700 | tcp | |
| DE | 95.112.56.213:25700 | tcp | |
| US | 70.95.68.47:25700 | tcp | |
| US | 70.177.56.41:25700 | tcp | |
| US | 75.139.80.72:25700 | tcp | |
| US | 50.14.154.41:25700 | tcp | |
| KZ | 46.36.134.232:25700 | tcp | |
| US | 107.3.180.48:25700 | tcp | |
| UA | 93.72.59.17:25700 | tcp | |
| US | 76.178.88.122:25700 | tcp | |
| DE | 88.152.146.147:25700 | tcp | |
| US | 108.68.88.240:25700 | tcp | |
| US | 76.27.115.62:25700 | tcp | |
| US | 72.159.141.230:25700 | tcp | |
| US | 24.166.234.133:25700 | tcp | |
| US | 69.226.122.83:25700 | tcp | |
| IR | 91.184.94.101:25700 | tcp | |
| US | 68.53.148.33:25700 | tcp | |
| KZ | 84.240.215.81:25700 | tcp | |
| JP | 210.156.19.137:25700 | tcp | |
| KZ | 84.240.215.46:25700 | tcp | |
| US | 97.94.218.72:25700 | tcp | |
| US | 67.180.244.163:25700 | tcp | |
| RU | 31.134.24.233:25700 | tcp | |
| US | 76.122.64.105:25700 | tcp | |
| US | 98.199.34.30:25700 | tcp | |
| KZ | 92.47.167.122:25700 | tcp | |
| KZ | 92.47.50.54:25700 | tcp | |
| US | 174.101.221.238:25700 | tcp | |
| US | 174.109.41.23:25700 | tcp | |
| DE | 188.192.89.153:25700 | tcp | |
| RU | 188.187.88.113:25700 | tcp | |
| US | 74.62.70.92:25700 | tcp | |
| KZ | 178.91.52.94:25700 | tcp | |
| AE | 91.73.127.4:25700 | tcp | |
| NL | 62.45.131.66:25700 | tcp | |
| US | 68.173.134.226:25700 | tcp | |
| US | 98.236.187.170:25700 | tcp | |
| US | 74.197.146.76:25700 | tcp | |
| US | 69.118.150.80:25700 | tcp | |
| FI | 193.199.34.38:25700 | tcp | |
| US | 74.69.191.79:25700 | tcp | |
| IR | 188.212.200.8:25700 | tcp | |
| KZ | 92.47.119.150:25700 | tcp | |
| MY | 115.135.139.130:25700 | tcp | |
| PL | 78.8.20.58:25700 | tcp | |
| US | 97.115.99.209:25700 | tcp | |
| DE | 83.221.93.169:25700 | tcp | |
| PL | 46.186.42.107:25700 | tcp | |
| RU | 109.207.83.134:25700 | tcp | |
| SE | 94.254.54.150:25700 | tcp | |
| KZ | 178.89.67.24:25700 | tcp | |
| US | 75.97.122.87:25700 | tcp | |
| US | 67.235.142.225:25700 | tcp | |
| IR | 81.29.255.71:25700 | tcp | |
| US | 98.145.7.49:25700 | tcp | |
| IR | 188.159.134.149:25700 | tcp | |
| US | 66.214.3.66:25700 | tcp | |
| US | 69.112.1.158:25700 | tcp | |
| ZA | 41.151.48.193:25700 | tcp | |
| IR | 78.39.238.175:25700 | tcp | |
| US | 174.48.223.63:25700 | tcp | |
| US | 68.57.133.176:25700 | tcp | |
| US | 75.85.56.156:25700 | tcp | |
| US | 68.57.143.110:25700 | tcp | |
| ID | 139.195.231.157:25700 | tcp | |
| DE | 217.24.226.107:25700 | tcp | |
| IR | 31.171.220.16:25700 | tcp | |
| OM | 188.66.180.39:25700 | tcp | |
Files
memory/2076-0-0x0000000000400000-0x0000000000507000-memory.dmp
memory/2076-2-0x0000000000400000-0x0000000000507000-memory.dmp
memory/2076-3-0x0000000000400000-0x0000000000507000-memory.dmp
memory/2076-5-0x0000000000400000-0x0000000000507000-memory.dmp
memory/2076-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2276-9-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2076-11-0x0000000000400000-0x0000000000507000-memory.dmp
memory/2076-12-0x0000000000400000-0x0000000000507000-memory.dmp
memory/2076-13-0x0000000000400000-0x0000000000507000-memory.dmp
\Users\Admin\dHY4IvP3.exe
| MD5 | e2a16fca33158332dbb3c66021fe8e3b |
| SHA1 | 9b784a05bf73e0bffbc2d6afe9acb4ca9d44a355 |
| SHA256 | 17b36341825621fdf4a959b52c510dbf1295e89d380499b2d02a87d76ed68a82 |
| SHA512 | 6ec42b9cbd79a0835abdb2e7e4484d143bea726d9d17929482d1efb16590d895bcbe24e7957dcfc26f093f7a6d1dc07644c649d5918227f101a2515dddb86550 |
\Users\Admin\boupom.exe
| MD5 | 8f91480acedbf1f585cef5db5d47dd5c |
| SHA1 | b135bc6603750d56e9d66eb53fda13a2cd857ada |
| SHA256 | 55b1b1b39b3c4661112bbb7c96203096af426ddce5f258f0e55448b46079bffb |
| SHA512 | 46c51020e0a6af2ad421a6353b968d77165583f03d5cb2889f5b0ab4e628f33d16f25aeb314d9c4677002fee7fc4942e38322e801a068260134534de1beb6abb |
\Users\Admin\azhost.exe
| MD5 | 27ef898ce7ec9c0b79a6996a0b419de1 |
| SHA1 | 4e8aed756fbc6133af13028c33366d2eaa43f954 |
| SHA256 | f08df8dd8e3fe3de4a1ba4ba3bd355a233cf7febd5917b982ec5a949726c36a6 |
| SHA512 | 5c7fa67e7ed1e8ce238e58f0b55618d1fc13af4e19d9267f6e88e277beb2f10e6c0f0027a532a2d1d4b6e40da1b31dfcacf50ccb71a75dc231ff876869b6787a |
memory/2076-49-0x0000000000400000-0x0000000000507000-memory.dmp
memory/1880-51-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1880-53-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1880-55-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1880-58-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1880-61-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1880-64-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1880-70-0x0000000000400000-0x0000000000437000-memory.dmp
memory/396-69-0x0000000000400000-0x000000000041B000-memory.dmp
\Users\Admin\bzhost.exe
| MD5 | 4e22775699416e81275fea3266e14bba |
| SHA1 | 32cc2479a30abd1b40b3b7e959ac32317fa124fd |
| SHA256 | 95dc812e94d5ba0842af45685ca7262b55607336fcf4becda83dbb6416beffa9 |
| SHA512 | 34b13e9142a9c4251c78d876f02f9e86f22253950d3f9126dacd8ec6f0f3bbd36146381ce16b130d794c4bbc1ba08aa4df8e2e7af0c3900035d486242c81e3bf |
memory/1052-81-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1052-83-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1052-85-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1052-87-0x0000000000400000-0x0000000000427000-memory.dmp
memory/844-92-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1052-95-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1052-96-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1052-97-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1052-98-0x0000000000400000-0x0000000000427000-memory.dmp
\Users\Admin\czhost.exe
| MD5 | fb7e8882346223dfbad778b5a7f74f32 |
| SHA1 | 8285032fbab2f9f52533657d46df457ab64d0e15 |
| SHA256 | 6d6fa60b26cd2fc87c94afb20e7f3b35d6eca76d5a46191b8df802d30d4cbc3e |
| SHA512 | 31e3963dd156da4a57b3ffd37b857ee1d433c61dc22eb56356f2171b282f3735a1c31d65b3a0b431151b55bfebf964f82c5aa13a12f1c2a8a580840a7ea5da32 |
memory/1880-106-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1500-109-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1500-111-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1500-113-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1500-116-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1168-121-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1500-127-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\dzhost.exe
| MD5 | 5b414fb77d0dbec97ee529ec0bbcbeaf |
| SHA1 | 359cd24cd341f75eb46b99375824f6b649443f8e |
| SHA256 | 62027b13d4918e5e644952c977960a5e6dfe241e2bb35b387de0bfd0b752e882 |
| SHA512 | 887b1b93e51d21927ffba49536f281003eef1dbee7634a08cab256f07701d54fe755acab7ae4a513c754067e4144c44c3580689ce187fd584ba440ab748a2360 |
memory/2076-134-0x0000000002640000-0x00000000026A4000-memory.dmp
memory/2076-136-0x0000000002640000-0x00000000026A4000-memory.dmp
memory/2300-137-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2300-138-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2300-139-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2300-140-0x0000000000220000-0x0000000000284000-memory.dmp
memory/2300-141-0x0000000000224000-0x0000000000225000-memory.dmp
memory/2300-142-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2300-144-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2300-158-0x00000000004C0000-0x0000000000505000-memory.dmp
memory/2300-159-0x00000000004C0000-0x0000000000505000-memory.dmp
memory/2300-161-0x00000000004C0000-0x0000000000505000-memory.dmp
memory/2300-162-0x0000000000510000-0x0000000000555000-memory.dmp
memory/2300-166-0x0000000000514000-0x0000000000515000-memory.dmp
memory/2300-169-0x00000000004C0000-0x0000000000505000-memory.dmp
memory/336-173-0x00000000007F0000-0x00000000007F1000-memory.dmp
C:\Windows\system32\consrv.dll
| MD5 | 63e99b675a1337db6d8430195ea3efd2 |
| SHA1 | 1baead2bf8f433dc82f9b2c03fd65ce697a92155 |
| SHA256 | 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9 |
| SHA512 | f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f |
memory/336-176-0x0000000000A90000-0x0000000000AA2000-memory.dmp
memory/2300-182-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2300-183-0x00000000004C0000-0x0000000000505000-memory.dmp
memory/2300-184-0x0000000000510000-0x0000000000555000-memory.dmp
\Users\Admin\ezhost.exe
| MD5 | 46ede15ce82c221c24bf81b2de1be7e8 |
| SHA1 | c332a5ec7aeb213c13449626156f6623351a4393 |
| SHA256 | a360c27de3799bf85f2501d4b375744394643fd50f8ecf5241d170b5cb7f6782 |
| SHA512 | 517f497a4783a0f67ccfca641d93b7f20505c89d6252229f5b97df674f7be20ae48d4732c137ba081c2c1f8ec712371fa4ba4602873e11c0e02b109a00b6c316 |
memory/2076-209-0x0000000000400000-0x0000000000507000-memory.dmp
memory/848-228-0x0000000000930000-0x0000000000938000-memory.dmp
\??\globalroot\systemroot\assembly\temp\@
| MD5 | 3df3126d10d8b616e29187ba6cbd7435 |
| SHA1 | 1477e389967f10194634fa6d4cd95b70676e6eb6 |
| SHA256 | 293e858fd32ef7ae234fe9ddbca51ead0deb0a7e08e0f43dc51d84cebd8ea1ab |
| SHA512 | 345b675cc4c7d6d3e92830ce1c62947beed7501e29505e18c9fec2d4793b40a4ecc4bf29dcdaeaf954c85642acffff05aeb8d863f43c5d9074538ba563b74ab3 |
memory/848-236-0x0000000000950000-0x000000000095B000-memory.dmp
memory/848-243-0x0000000000950000-0x000000000095B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 15:12
Reported
2024-04-07 15:15
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\dHY4IvP3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\faulaef.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\dHY4IvP3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\dHY4IvP3.exe | N/A |
| N/A | N/A | C:\Users\Admin\azhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\faulaef.exe | N/A |
| N/A | N/A | C:\Users\Admin\azhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bzhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bzhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\czhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\czhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dzhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ezhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /J" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /Y" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /A" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /q" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /w" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /m" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /f" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /U" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /N" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /n" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /F" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /k" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /L" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /u" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /j" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /a" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /z" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /S" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /R" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /E" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /M" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /d" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /v" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /X" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /G" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /D" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /T" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /o" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /i" | C:\Users\Admin\dHY4IvP3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /x" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /W" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /K" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /s" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /V" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /i" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /O" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /e" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /B" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /P" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /g" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /r" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /H" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /h" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /l" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /y" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /p" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /C" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /t" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /Q" | C:\Users\Admin\faulaef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faulaef = "C:\\Users\\Admin\\faulaef.exe /I" | C:\Users\Admin\faulaef.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\azhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\azhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bzhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\bzhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3608 set thread context of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe |
| PID 316 set thread context of 2896 | N/A | C:\Users\Admin\azhost.exe | C:\Users\Admin\azhost.exe |
| PID 2640 set thread context of 2156 | N/A | C:\Users\Admin\bzhost.exe | C:\Users\Admin\bzhost.exe |
| PID 2824 set thread context of 4068 | N/A | C:\Users\Admin\czhost.exe | C:\Users\Admin\czhost.exe |
| PID 1616 set thread context of 1944 | N/A | C:\Users\Admin\dzhost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\czhost.exe |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dzhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\dHY4IvP3.exe | N/A |
| N/A | N/A | C:\Users\Admin\faulaef.exe | N/A |
| N/A | N/A | C:\Users\Admin\ezhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
C:\Users\Admin\dHY4IvP3.exe
C:\Users\Admin\dHY4IvP3.exe
C:\Users\Admin\azhost.exe
C:\Users\Admin\azhost.exe
C:\Users\Admin\faulaef.exe
"C:\Users\Admin\faulaef.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del dHY4IvP3.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\azhost.exe
azhost.exe
C:\Users\Admin\bzhost.exe
C:\Users\Admin\bzhost.exe
C:\Users\Admin\bzhost.exe
bzhost.exe
C:\Users\Admin\czhost.exe
C:\Users\Admin\czhost.exe
C:\Users\Admin\czhost.exe
czhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4068 -ip 4068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 228
C:\Users\Admin\dzhost.exe
C:\Users\Admin\dzhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\ezhost.exe
C:\Users\Admin\ezhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del e53895d5cbd3323e2bd63d13dedabc59_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\dHY4IvP3.exe
| MD5 | e2a16fca33158332dbb3c66021fe8e3b |
| SHA1 | 9b784a05bf73e0bffbc2d6afe9acb4ca9d44a355 |
| SHA256 | 17b36341825621fdf4a959b52c510dbf1295e89d380499b2d02a87d76ed68a82 |
| SHA512 | 6ec42b9cbd79a0835abdb2e7e4484d143bea726d9d17929482d1efb16590d895bcbe24e7957dcfc26f093f7a6d1dc07644c649d5918227f101a2515dddb86550 |
C:\Users\Admin\faulaef.exe
| MD5 | ae55e3a3fca3aa4d952766dbeee67f57 |
| SHA1 | 87541f3f973e65c1b524882d7e6c8be69cf711b1 |
| SHA256 | f8fbb2cb7039ccf3a3450fc521c0792be26b9ec3dad29126b391e2d59e5b5c95 |
| SHA512 | 0600bf538b79d876e940e33a770377cdbdb74d6f36fa0643a2cca82692c59120a584816b303ea249daafeaf4b2cce030a857bb9a62243969a942e9985a95115c |
C:\Users\Admin\azhost.exe
| MD5 | 27ef898ce7ec9c0b79a6996a0b419de1 |
| SHA1 | 4e8aed756fbc6133af13028c33366d2eaa43f954 |
| SHA256 | f08df8dd8e3fe3de4a1ba4ba3bd355a233cf7febd5917b982ec5a949726c36a6 |
| SHA512 | 5c7fa67e7ed1e8ce238e58f0b55618d1fc13af4e19d9267f6e88e277beb2f10e6c0f0027a532a2d1d4b6e40da1b31dfcacf50ccb71a75dc231ff876869b6787a |
C:\Users\Admin\bzhost.exe
| MD5 | 4e22775699416e81275fea3266e14bba |
| SHA1 | 32cc2479a30abd1b40b3b7e959ac32317fa124fd |
| SHA256 | 95dc812e94d5ba0842af45685ca7262b55607336fcf4becda83dbb6416beffa9 |
| SHA512 | 34b13e9142a9c4251c78d876f02f9e86f22253950d3f9126dacd8ec6f0f3bbd36146381ce16b130d794c4bbc1ba08aa4df8e2e7af0c3900035d486242c81e3bf |
C:\Users\Admin\czhost.exe
| MD5 | fb7e8882346223dfbad778b5a7f74f32 |
| SHA1 | 8285032fbab2f9f52533657d46df457ab64d0e15 |
| SHA256 | 6d6fa60b26cd2fc87c94afb20e7f3b35d6eca76d5a46191b8df802d30d4cbc3e |
| SHA512 | 31e3963dd156da4a57b3ffd37b857ee1d433c61dc22eb56356f2171b282f3735a1c31d65b3a0b431151b55bfebf964f82c5aa13a12f1c2a8a580840a7ea5da32 |
C:\Users\Admin\dzhost.exe
| MD5 | 5b414fb77d0dbec97ee529ec0bbcbeaf |
| SHA1 | 359cd24cd341f75eb46b99375824f6b649443f8e |
| SHA256 | 62027b13d4918e5e644952c977960a5e6dfe241e2bb35b387de0bfd0b752e882 |
| SHA512 | 887b1b93e51d21927ffba49536f281003eef1dbee7634a08cab256f07701d54fe755acab7ae4a513c754067e4144c44c3580689ce187fd584ba440ab748a2360 |
C:\Users\Admin\ezhost.exe
| MD5 | 46ede15ce82c221c24bf81b2de1be7e8 |
| SHA1 | c332a5ec7aeb213c13449626156f6623351a4393 |
| SHA256 | a360c27de3799bf85f2501d4b375744394643fd50f8ecf5241d170b5cb7f6782 |
| SHA512 | 517f497a4783a0f67ccfca641d93b7f20505c89d6252229f5b97df674f7be20ae48d4732c137ba081c2c1f8ec712371fa4ba4602873e11c0e02b109a00b6c316 |