Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 19:20
Behavioral task
behavioral1
Sample
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe
-
Size
768KB
-
MD5
6f91cb1add0cd6ab354136abea8aeaf6
-
SHA1
32aa99408052c3d02f5ae7e3d7febe8b8efa1d31
-
SHA256
d98b360e720475ce31f7c4166e070aebeabdbc93030638471bd46830e357ac2b
-
SHA512
40c24da1054bfcd310f66ab85d130f7a489efc3bcad96e323448408455064f749642b3210a2a9601f1cb79d5d2ce585717713463fcfd5400f1ec16f6d674e927
-
SSDEEP
6144:k9yTy7uBrWgbDM1SWF3BrKFo9djMwaKmejO0PfUR/45YW4oZ1:9u7u0hV3Ldj8KmejFa/W4oZ1
Malware Config
Extracted
nanocore
1.2.2.0
ayewhatsgoodbrolmao.duckdns.org:1689
ed58a5b4-4802-46f0-9695-e5f1b9681af3
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-05-03T02:59:00.930314836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1689
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ed58a5b4-4802-46f0-9695-e5f1b9681af3
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
ayewhatsgoodbrolmao.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Detect Neshta payload 49 IoCs
Processes:
resource yara_rule C:\Windows\svchost.com family_neshta behavioral2/memory/1884-50-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/892-51-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe family_neshta C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe family_neshta C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe family_neshta C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe family_neshta C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe family_neshta C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE family_neshta C:\PROGRA~2\Google\Update\DISABL~1.EXE family_neshta C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE family_neshta C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE family_neshta C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE family_neshta C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE family_neshta C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe family_neshta C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE family_neshta C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE family_neshta C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{C0257~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe family_neshta C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE family_neshta C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE family_neshta C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE family_neshta C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE family_neshta C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE family_neshta C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE family_neshta C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE family_neshta C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE family_neshta C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe family_neshta C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe family_neshta behavioral2/memory/216-191-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4892-192-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/216-193-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4892-194-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/216-195-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/216-198-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4892-197-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exesvchost.comsvchost.comsvchost.comsvhost.exepid process 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 4892 svchost.com 1884 svchost.com 892 svchost.com 3668 svhost.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
svhost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svhost.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription ioc process File created C:\Windows\assembly\Desktop.ini 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\Windows\assembly\Desktop.ini 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription pid process target process PID 1392 set thread context of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe -
Drops file in Program Files directory 64 IoCs
Processes:
svchost.com6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription ioc process File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE svchost.com File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe svchost.com File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE svchost.com File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe svchost.com -
Drops file in Windows directory 10 IoCs
Processes:
svchost.com6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exesvchost.comsvchost.com6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\assembly 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File created C:\Windows\assembly\Desktop.ini 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\Windows\assembly\Desktop.ini 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe File opened for modification C:\Windows\directx.sys svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe -
NTFS ADS 1 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Local\Temp\cboobs\cboobs.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exesvhost.exepid process 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 3668 svhost.exe 3668 svhost.exe 3668 svhost.exe 3668 svhost.exe 3668 svhost.exe 3668 svhost.exe 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
svhost.exepid process 3668 svhost.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exesvhost.exedescription pid process Token: SeDebugPrivilege 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe Token: 33 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe Token: SeDebugPrivilege 3668 svhost.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exesvchost.comsvchost.comsvchost.comdescription pid process target process PID 216 wrote to memory of 1392 216 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe PID 216 wrote to memory of 1392 216 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe PID 216 wrote to memory of 1392 216 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe PID 1392 wrote to memory of 4892 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 4892 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 4892 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 4892 wrote to memory of 2336 4892 svchost.com cmd.exe PID 4892 wrote to memory of 2336 4892 svchost.com cmd.exe PID 4892 wrote to memory of 2336 4892 svchost.com cmd.exe PID 1392 wrote to memory of 1884 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 1884 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 1884 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 892 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 892 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 892 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svchost.com PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1392 wrote to memory of 3668 1392 6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe svhost.exe PID 1884 wrote to memory of 4848 1884 svchost.com cmd.exe PID 1884 wrote to memory of 4848 1884 svchost.com cmd.exe PID 1884 wrote to memory of 4848 1884 svchost.com cmd.exe PID 892 wrote to memory of 1964 892 svchost.com cmd.exe PID 892 wrote to memory of 1964 892 svchost.com cmd.exe PID 892 wrote to memory of 1964 892 svchost.com cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/3582-490/6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe" "%temp%\cboobs\cboobs.exe" /Y3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c copy C:/Users/Admin/AppData/Local/Temp/3582-490/6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exe %temp%\cboobs\cboobs.exe /Y4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\cboobs\cboobs.exe:Zone.Identifier3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c echo [zoneTransfer]ZoneID = 2 > %temp%\cboobs\cboobs.exe:Zone.Identifier4⤵
- NTFS ADS
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c ren "%temp%\cboobs\cboobs.exe.jpg" cboobs.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c ren %temp%\cboobs\cboobs.exe.jpg cboobs.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exeFilesize
175KB
MD5576410de51e63c3b5442540c8fdacbee
SHA18de673b679e0fee6e460cbf4f21ab728e41e0973
SHA2563f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exeFilesize
2.5MB
MD512fd9fcb97cb1e45c020e7bac06b2c91
SHA190c6fce6c9c40666ecc0c3964308bb2401676703
SHA2568cec6976f1f5c004627ac249302e29127f4c7d2cda4df8263bf75281edec7a25
SHA512c805cc4ca9bbc3e4c961e2685712d44c85aed275cdfd2f6c3c20898c647efbd442fb0b8da0186d06fce88288e9fdec25830c48cb107b73da466098ab19353953
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEFilesize
183KB
MD59dfcdd1ab508b26917bb2461488d8605
SHA14ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA5121afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exeFilesize
131KB
MD55791075058b526842f4601c46abd59f5
SHA1b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA2565c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA51283e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXEFilesize
254KB
MD54ddc609ae13a777493f3eeda70a81d40
SHA18957c390f9b2c136d37190e32bccae3ae671c80a
SHA25616d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA5129d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXEFilesize
92KB
MD5176436d406fd1aabebae353963b3ebcf
SHA19ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA2562f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exeFilesize
125KB
MD5cce8964848413b49f18a44da9cb0a79b
SHA10b7452100d400acebb1c1887542f322a92cbd7ae
SHA256fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXEFilesize
142KB
MD592dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA2563e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXEFilesize
278KB
MD512c29dd57aa69f45ddd2e47620e0a8d9
SHA1ba297aa3fe237ca916257bc46370b360a2db2223
SHA25622a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exeFilesize
598KB
MD56cc99a65b7c999fe6db0d32b8eb40e3d
SHA1b4dbbd38d250a38380270c4521dfdc15ecdcc99f
SHA256a048ef7c49f89a8d2e68085d353447fca6d3893456506a1b8fefe26697e1c001
SHA512564a45500561c25662d132a7f82f17b4075f2b5710d3fd1586762e7777749f8a1701a79a2db9f8d0b1b66129264abecf55dd7b7f884d9eeceb0919c8c8ca13fa
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exeFilesize
773KB
MD5e7a27a45efa530c657f58fda9f3b9f4a
SHA16c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA5120c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54
-
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exeFilesize
325KB
MD50511abca39ed6d36fff86a8b6f2266cd
SHA1bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA25676ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA5126608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346
-
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exeFilesize
366KB
MD5a1375c9b38e9ae32430d407d9c5bb19a
SHA1f3c1d818de90d52f3f0d6e43349abf8949692e9f
SHA256b4d08c4ac9cbdd2364f47754d6f6d9daf9f8b67452c447ef6c004cf27c4637fd
SHA512690a257689c294f548418ddabb4b0c88aee6dc0e5b335013c31bbe7f059b10c2706620fcf05bb848b0be2d9ce0ee3fe9df554b4e652d9f981abced305b61aff4
-
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXEFilesize
155KB
MD596a14f39834c93363eebf40ae941242c
SHA15a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc
SHA2568ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a
SHA512fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2
-
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXEFilesize
230KB
MD5e5589ec1e4edb74cc7facdaac2acabfd
SHA19b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA2566ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a
-
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXEFilesize
155KB
MD5f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA51228bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXEFilesize
265KB
MD525e165d6a9c6c0c77ee1f94c9e58754b
SHA19b614c1280c75d058508bba2a468f376444b10c1
SHA2568bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA5127d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXEFilesize
342KB
MD55da33a7b7941c4e76208ee7cddec8e0b
SHA1cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXEFilesize
439KB
MD5400836f307cf7dbfb469cefd3b0391e7
SHA17af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8
-
C:\PROGRA~2\Google\Update\DISABL~1.EXEFilesize
207KB
MD53b0e91f9bb6c1f38f7b058c91300e582
SHA16e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA25657c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXEFilesize
298KB
MD5a7b2c42baccc6e7ab86c02a0f715d5c6
SHA10125b9de11e022920aca4299cb101cf0f29e47fa
SHA256821d67001c7e125aadf00a9272869981ed9082ac01d9f7f405047a9e74c50c4f
SHA512d3ab4fc325154039510d5e68d2b0cb263f5a1560ab79fea9b274e3f9ff25ed7f7cb2801ae83be9e6396f16a0cd7ed87622484de8969f3536df6d4b89e077ff66
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{C0257~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exeFilesize
1.6MB
MD50a17ce73dce10a28856c9f5ad052a4df
SHA1467522c87a4e3fd1f7b690aaeaa57cfa0b407bb0
SHA2561971d71fd68cf61420813b19b577184efa918c556cf131ab27359d6af6dc0656
SHA5127c038dcedc4d8c58f3dbe0d36e5670d04aa24b452547dfd2bb7cebc69d25d0fefb59a788ae356f95db427ff1391604643cba7600f1d84c181ba09b3d25290f25
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXEFilesize
1.3MB
MD527543bab17420af611ccc3029db9465a
SHA1f0f96fd53f9695737a3fa6145bc5a6ce58227966
SHA25675530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c
SHA512a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exeFilesize
3.2MB
MD55119e350591269f44f732b470024bb7c
SHA14ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA2562b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4
-
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXEFilesize
674KB
MD597510a7d9bf0811a6ea89fad85a9f3f3
SHA12ac0c49b66a92789be65580a38ae9798237711db
SHA256c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA5122a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb
-
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXEFilesize
674KB
MD59c10a5ec52c145d340df7eafdb69c478
SHA157f3d99e41d123ad5f185fc21454367a7285db42
SHA256ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA5122704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXEFilesize
495KB
MD59597098cfbc45fae685d9480d135ed13
SHA184401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA25645966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA51216afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164
-
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXEFilesize
650KB
MD5558fdb0b9f097118b0c928bb6062370a
SHA1ad971a9a4cac3112a494a167e1b7736dcd6718b3
SHA25690cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924
SHA5125d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c
-
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEFilesize
485KB
MD587f15006aea3b4433e226882a56f188d
SHA1e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA2568d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1
-
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXEFilesize
650KB
MD572d0addae57f28c993b319bfafa190ac
SHA18082ad7a004a399f0edbf447425f6a0f6c772ff3
SHA256671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18
SHA51298bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exeFilesize
494KB
MD505bdfd8a3128ab14d96818f43ebe9c0e
SHA1495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA2567b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA5128d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXEFilesize
6.7MB
MD563dc05e27a0b43bf25f151751b481b8c
SHA1b20321483dac62bce0aa0cef1d193d247747e189
SHA2567d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXEFilesize
485KB
MD586749cd13537a694795be5d87ef7106d
SHA1538030845680a8be8219618daee29e368dc1e06c
SHA2568c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA5127b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXEFilesize
650KB
MD52f826daacb184077b67aad3fe30e3413
SHA1981d415fe70414aaac3a11024e65ae2e949aced8
SHA256a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222
SHA5122a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXEFilesize
495KB
MD507e194ce831b1846111eb6c8b176c86e
SHA1b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA51255f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXEFilesize
499KB
MD5346d2ff654d6257364a7c32b1ec53c09
SHA1224301c0f56a870f20383c45801ec16d01dc48d1
SHA256a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255
SHA512223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXEFilesize
293KB
MD5f3228c24035b3f54f78bb4fd11c36aeb
SHA12fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb
SHA256d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7
SHA512b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXEFilesize
2.4MB
MD51319acbba64ecbcd5e3f16fc3acd693c
SHA1f5d64f97194846bd0564d20ee290d35dd3df40b0
SHA2568c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce
SHA512abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exeFilesize
1.6MB
MD53a3a71a5df2d162555fcda9bc0993d74
SHA195c7400f85325eba9b0a92abd80ea64b76917a1a
SHA2560a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8
SHA5129ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6f91cb1add0cd6ab354136abea8aeaf6_JaffaCakes118.exeFilesize
727KB
MD5ec3ff21f19f66cbf04eaef83bcb98d48
SHA19396d73edf6456cb066aebd73763b164b99eafc7
SHA2565cc202d31a7052450bc13b1c09495c4257760e562c9644cb4526a128d14fa507
SHA512b3f322bd5e1799190bf5c4cc5857192a3b0441082a0e7e6bd53ca72eeaadf575f61de5cb17cce41c72eba4c0ccfa08ec16a0b3c8b6c18d41690bdba1ac8c84f7
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
89KB
MD584c42d0f2c1ae761bef884638bc1eacd
SHA14353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA51243c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
-
C:\Windows\directx.sysFilesize
150B
MD584a777da2725f7fb3a71ff68b9c166df
SHA19172c90e9cc411e1e53ced0d7f699e8fea0862d9
SHA25648d98f378167f942997041774c8909f7019fb5626da2f23779b93a8b6026e1af
SHA512983a6195c9a14840450ca0ffc849e02edb136fbd14b07981ae17df4d4539b9694596cd3ceef7a7699cd42870c6bc19810b2ab21d9466197f5f8dd098bd009817
-
C:\Windows\directx.sysFilesize
136B
MD51795a85da774f95a323355fe76c48788
SHA1e09777700a51f1f4a5d374a0b560e122b584d1ce
SHA256855992f20c71b83f086ec477a5ba37bd951a18fd88a443d1c034f47dff941ace
SHA51247f6302cdf8debdbb0f67dc4c804da650a4a14e21c7a3d075c2d6e2e778fffdad4251b420349f74d994c896c10235f047f60f0281db05db3beff20fb9dfa2dd1
-
C:\Windows\svchost.comFilesize
40KB
MD561b1cab0553d262f543aa99726b020bf
SHA1b08414daedaf7c10bfb6a009db989a08c57e9db1
SHA2565b9585fcc15aab1938e6d88f859734ff346f01259f952b0b67d15316de5d6c02
SHA5120908ed84271dc87409d07720bd24e7c8e0a24e6c84420501b4696a109f6f45ae7444c801794237308da5a64ec742bddc80629291a58a9d694621354191fa7400
-
memory/216-191-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/216-195-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/216-193-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/216-198-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/892-51-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1392-190-0x0000000073600000-0x0000000073BB1000-memory.dmpFilesize
5.7MB
-
memory/1392-14-0x0000000073600000-0x0000000073BB1000-memory.dmpFilesize
5.7MB
-
memory/1392-13-0x0000000073600000-0x0000000073BB1000-memory.dmpFilesize
5.7MB
-
memory/1392-12-0x0000000073602000-0x0000000073603000-memory.dmpFilesize
4KB
-
memory/1884-50-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3668-33-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4892-192-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4892-194-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4892-197-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB