Analysis
max time kernel: 65s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 07:50
Static task: static1
Behavioral task: behavioral1
Sample: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
Size: 283KB
MD5: 02c33e220ec6a0df5a71cf30866e879f
SHA1: 00e8a11a3720b25df09884eaabb55986f4fb927a
SHA256: 7ce6ddee9192d4d51b389cf8da8d226b51082378253b1c36716fe50b039dea32
SHA512: eb1fe26a5221eaed7057d284eee39d93e01e8375aafc818a5f3b317cd1544940837927d010bafe8b6b419e044b6c7208edf15dce3cd7d494ab8cada9f808c559
SSDEEP: 6144:TvEk52U+T6i5LirrllHy4HUcMQY68wzVdUsBbr/5Q:TEk5N+T5xYrllrU7QY68wzX/i
Malware Config
Extracted config family: sality
C2 / update URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: explorer.exe, 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) EnableFirewall = "0"
- explorer.exe: Set value (int) DoNotAllowExceptions = "0"
- explorer.exe: Set value (int) DisableNotifications = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) EnableFirewall = "0"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) DoNotAllowExceptions = "0"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) DisableNotifications = "1"
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
Key: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- explorer.exe: Set value (int) ShowSuperHidden = "0"
- svchost.exe: Set value (int) ShowSuperHidden = "0"
UAC bypass 2 IoCs
Processes: explorer.exe, 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- explorer.exe: Set value (int) EnableLUA = "0"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) EnableLUA = "0"
Windows security bypass 12 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) AntiVirusOverride = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) UpdatesDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) AntiVirusDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) FirewallDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) FirewallOverride = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) UacDisableNotify = "1"
- explorer.exe: Set value (int) AntiVirusOverride = "1"
- explorer.exe: Set value (int) AntiVirusDisableNotify = "1"
- explorer.exe: Set value (int) FirewallDisableNotify = "1"
- explorer.exe: Set value (int) FirewallOverride = "1"
- explorer.exe: Set value (int) UpdatesDisableNotify = "1"
- explorer.exe: Set value (int) UacDisableNotify = "1"
Modifies Installed Components in the registry 2 TTPs 5 IoCs
Processes: explorer.exe, svchost.exe
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components
- explorer.exe: Key created {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- explorer.exe: Set value (str) {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Set value (str) {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Deletes itself 1 IoCs
Processes:
- pid 4136 explorer.exe
Executes dropped EXE 4 IoCs
Processes:
- pid 4136 explorer.exe
- pid 1436 spoolsv.exe
- pid 1072 svchost.exe
- pid 1592 spoolsv.exe
UPX packed file (yara rule upx matched in memory) 32 IoCs
Memory dumps:
- behavioral2/memory/4416-{1,4,5,6,7,8,9,11,12,24,25,35,38,40,67}-0x0000000002B20000-0x0000000003BAE000-memory.dmp (15 dumps, pid 4416)
- behavioral2/memory/4136-{88,90,91,92,93,94,95,96,97,98,99,100,101,102,104,105,107}-0x00000000038F0000-0x000000000497E000-memory.dmp (17 dumps, pid 4136)
Windows security modification 14 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) AntiVirusOverride = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) AntiVirusDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) FirewallDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) FirewallOverride = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) UpdatesDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) UacDisableNotify = "1"
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Key created Svc
- explorer.exe: Set value (int) AntiVirusOverride = "1"
- explorer.exe: Set value (int) AntiVirusDisableNotify = "1"
- explorer.exe: Set value (int) FirewallDisableNotify = "1"
- explorer.exe: Set value (int) FirewallOverride = "1"
- explorer.exe: Set value (int) UpdatesDisableNotify = "1"
- explorer.exe: Set value (int) UacDisableNotify = "1"
- explorer.exe: Key created Svc
Adds Run key to start application 2 TTPs 4 IoCs
Processes: svchost.exe, explorer.exe
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- svchost.exe: Set value (str) Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) Svchost = "c:\\windows\\system\\svchost.exe RO"
- explorer.exe: Set value (str) Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) Svchost = "c:\\windows\\system\\svchost.exe RO"
Checks whether UAC is enabled 2 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) EnableLUA = "0"
- explorer.exe: Set value (int) EnableLUA = "0"
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe, 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
- explorer.exe: File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O: (10 entries)
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: File opened (read-only) \??\E:
Drops file in Windows directory 6 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe, spoolsv.exe, svchost.exe
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: File opened for modification C:\Windows\SYSTEM.INI
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe, svchost.exe
- pid 4416 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe (6 entries)
- pid 4136 explorer.exe (46 entries)
- pid 1072 svchost.exe (12 entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
- pid 4136 explorer.exe
- pid 1072 svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
- Token: SeDebugPrivilege, pid 4416 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe (all 64 entries are this same token and process)
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- pid 4416 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe (2 entries)
- pid 4136 explorer.exe (4 entries)
- pid 1436 spoolsv.exe (2 entries)
- pid 1072 svchost.exe (2 entries)
- pid 1592 spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe, spoolsv.exe, svchost.exe
The 64 entries repeat the same writer -> target pairs several times; the unique pairs are:
- pid 4416 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe wrote to memory of: 796 fontdrvhost.exe, 792 fontdrvhost.exe, 388 dwm.exe, 2432 sihost.exe, 2444 svchost.exe, 2536 taskhostw.exe, 3268 Explorer.EXE, 3580 svchost.exe, 3772 DllHost.exe, 3892 StartMenuExperienceHost.exe, 3972 RuntimeBroker.exe, 4088 SearchApp.exe, 4192 RuntimeBroker.exe, 4812 RuntimeBroker.exe, 4580 TextInputHost.exe, 5052 msedge.exe, 3984 msedge.exe, 2472 msedge.exe, 4824 msedge.exe, 3880 msedge.exe, 4112 msedge.exe, 4844 msedge.exe, 4136 explorer.exe, 1436 spoolsv.exe, 1072 svchost.exe
- pid 4136 explorer.exe wrote to memory of: 1436 spoolsv.exe
- pid 1436 spoolsv.exe wrote to memory of: 1072 svchost.exe
- pid 1072 svchost.exe wrote to memory of: 1592 spoolsv.exe, 3536 at.exe
System policy modification 1 TTPs 2 IoCs
Processes: 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe, explorer.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- 02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe: Set value (int) EnableLUA = "0"
- explorer.exe: Set value (int) EnableLUA = "0"
Processes
C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
C:\Windows\system32\sihost.exe
  cmd: sihost.exe
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    \??\c:\windows\system\explorer.exe
      cmd: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      \??\c:\windows\system\spoolsv.exe
        cmd: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe
          cmd: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe
            cmd: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe
            cmd: at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe
            cmd: at 07:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe
            cmd: at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:3
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Modify Registry (9)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize 283KB
MD5 5e618bda3a55a3fe5d0826a3f02c2d0e
SHA1 dced93c2dafca8d9cb30b89118703a5c152215fc
SHA256 cc77abea462794703534b06c04a96bc215112c09eee576a19d1554a41a96e778
SHA512 54835f80d31eae194576767f8111d72203df3465d3b4e3dd32a5a64d81fd4faae2c6a0c040280a954654963e4deb96e4368c13b8a4feb1bd7534f037834150e1
-
C:\Windows\SYSTEM.INI
Filesize 257B
MD5 5971ae769f54d79619b6c793c5507f40
SHA1 acc3d75397ba64cd3e056375be2658c3d0187b3b
SHA256 83bae8f9dab9145f980117eb6e56f1ea006b239089994f2f0f7be57e946be4ce
SHA512 84da67a8e520e0b3385ff06f4058d0c574ecb63bb3b31e73303e5325efb77dc8b77384a5eae3a73a7da34345b8792ea70dd03986eb932dfec1e8fa844565a346
-
C:\Windows\System\svchost.exe
Filesize 283KB
MD5 aca872e7fca0cb4b3dedded848aa1479
SHA1 cd4a6dad640047c342eeae1038c768d2aaa0b10c
SHA256 c396f5f8698bfa68c3802eba29004014d936604dcd2d4622e7dc4ea874646efc
SHA512 8b3780de953eba99309455f364a09f9fb5fbc9c52b9f6f826ff1af7d3ee27606317d20ad7ddb93c799d62e69e22d26c91fb8b50299a4a1bf6e6661c09977515d
-
\??\c:\windows\system\explorer.exe
Filesize 283KB
MD5 7c4ab2ad634181cefda1f26884a68080
SHA1 aa01491844cc314d345d552edd9ee0430e31055e
SHA256 c75aa5a6f211d91f60151da6f2ae8c23bd3fa427f079c9789eb314e36a2e7931
SHA512 753603d778ac5703b8a8eeb380db8bd7e910849b9caac1b9b8a521c1596eb386e8cccae64a84daae394134087bbaeafd2e97314c2337f7d84944872e2037a0d4
-
\??\c:\windows\system\spoolsv.exe
Filesize 283KB
MD5 2e3eaeec0e09157dd0c6a35f1b6aa3ae
SHA1 558c028707524f0cf36d7c0858dd356c9ef02ec1
SHA256 6bfcb0611a214d2953bd0218c38f1bb81fadecb6265b567b23d0619cc6890580
SHA512 b99d95ef03f98cf289b8f36ab30c9430c46ffb4d12aebe268c2540a15d8d8d38447f593d229c662ee4aa060ba2ee2057b5b75c7ec777a87340c6fe17bc3ba697
-
memory/1072-58-0x0000000003810000-0x0000000003812000-memory.dmp
Filesize 8KB
-
memory/1072-55-0x0000000003960000-0x0000000003961000-memory.dmp
Filesize 4KB
-
memory/1436-86-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/1436-57-0x0000000002030000-0x0000000002032000-memory.dmp
Filesize 8KB
-
memory/1436-53-0x0000000002040000-0x0000000002041000-memory.dmp
Filesize 4KB
-
memory/1436-34-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/1436-83-0x0000000002030000-0x0000000002032000-memory.dmp
Filesize 8KB
-
memory/1592-60-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/1592-66-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/4136-56-0x0000000000600000-0x0000000000602000-memory.dmp
Filesize 8KB
-
memory/4136-88-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-107-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-105-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-23-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/4136-104-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-102-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-101-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-100-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-99-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-98-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-92-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-91-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-95-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-97-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-51-0x0000000002B40000-0x0000000002B41000-memory.dmp
Filesize 4KB
-
memory/4136-96-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-94-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-93-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4136-90-0x00000000038F0000-0x000000000497E000-memory.dmp
Filesize 16.6MB
-
memory/4416-9-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-0-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/4416-71-0x0000000004790000-0x0000000004792000-memory.dmp
Filesize 8KB
-
memory/4416-5-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-1-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-67-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-6-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-7-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-12-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-13-0x0000000004790000-0x0000000004792000-memory.dmp
Filesize 8KB
-
memory/4416-15-0x0000000004790000-0x0000000004792000-memory.dmp
Filesize 8KB
-
memory/4416-82-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/4416-14-0x00000000048E0000-0x00000000048E1000-memory.dmp
Filesize 4KB
-
memory/4416-22-0x0000000004790000-0x0000000004792000-memory.dmp
Filesize 8KB
-
memory/4416-11-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-40-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-8-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-38-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-35-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-4-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-25-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB
-
memory/4416-24-0x0000000002B20000-0x0000000003BAE000-memory.dmp
Filesize 16.6MB