Analysis Overview
SHA256
588a5d43cf9f324f25564657f86be24176a042d0b13e73b32d2e6c18c0f75c3b
Threat Level: Likely malicious
The file a20f69c06759e562875765997616efd7_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies file permissions
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Checks processor information in registry
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 19:49
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win7-20240611-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nst1112.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a20f69c06759e562875765997616efd7_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsi40D3.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3628 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3628 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3628 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3276 -ip 3276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4232,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win7-20240611-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Downloads MZ/PE file
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre-1.8.0_144-win32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\starter.exe
"C:\Users\Admin\AppData\Local\Temp\starter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c execute.bat
C:\Users\Admin\AppData\Local\Temp\jre-1.8.0_144-win32.exe
..\jre-1.8.0_144-win32.exe
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
bin\unpack200 lib\ext\localedata.jar.pack lib\ext\localedata.jar
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
bin\unpack200 lib\jfr.jar.pack lib\jfr.jar
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
bin\unpack200 lib\jsse.jar.pack lib\jsse.jar
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
bin\unpack200 lib\management-agent.jar.pack lib\management-agent.jar
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
bin\unpack200 lib\resources.jar.pack lib\resources.jar
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
bin\unpack200 lib\rt.jar.pack lib\rt.jar
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe
jre\bin\java -Xshare:dump
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe
"C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe" -version
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\2fa90c54b7a8ee7e.timestamp /grant "everyone":(OI)(CI)M
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe
"C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe" -XX:+UseFastAccessorMethods -XX:+UseConcMarkSweepGC -Xmx900M -XX:+HeapDumpOnOutOfMemoryError -splash:synchronizer\splash.png -cp "C:\Users\Admin\AppData\Local\Temp\synchronizer\synchronizer.jar" com.fontec.synchronizer.MegaInitializer apps\multiplayer.conf
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /v /FO csv | find "javaw" | find "MegaJogos"
C:\Windows\SysWOW64\tasklist.exe
tasklist /v /FO csv
C:\Windows\SysWOW64\find.exe
find "javaw"
C:\Windows\SysWOW64\find.exe
find "MegaJogos"
C:\Windows\SysWOW64\cmd.exe
cmd /c wmic process where (processid="2588") get parentprocessid
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where (processid="2588") get parentprocessid
C:\Windows\SysWOW64\cmd.exe
cmd /C copy /Y "C:\Users\Admin\AppData\Local\Temp\synchronizer\starter.exe" "C:\Users\Admin\AppData\Local\Temp\starter.exe_new"
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java -XX:+UseFastAccessorMethods -XX:+UseConcMarkSweepGC -Xmx887M -XX:+HeapDumpOnOutOfMemoryError -cp synchronizer/synchronizer.jar -DMEGAJOKER_HOME_PATH=C:/Users/Admin/AppData/Local/Temp/ -DLOCALE_MEGAJOGOS= -DDISABLE_ALREADY_RUNNING_CHECK com.fontec.synchronizer.MegaInitializer apps\multiplayer.conf
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C vol C:
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FO csv
C:\Windows\SysWOW64\tasklist.exe
tasklist /FO csv
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FO csv
C:\Windows\SysWOW64\tasklist.exe
tasklist /FO csv
Network
Files
memory/1792-1-0x0000000000B60000-0x0000000000BDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\execute.bat
| MD5 | 9e7948d27bfbf2eef1ebc9b99b4a97ff |
| SHA1 | 7908ab428187e779016b76428389048856e47ee8 |
| SHA256 | 1b1a643bd770f253e2115e39309f8008ed30843f508a76eb3f5938ef178df697 |
| SHA512 | 513dfd4b6a863d63aa3a2a32170220e107d63365682799a0b94d0e903531bc2291781a2748697caf8af67111f986348b70a2e36a3aa69eafe3450b20bdcdc084 |
\Users\Admin\AppData\Local\Temp\jre-1.8.0_144-win32.exe
| MD5 | c28b7a508c1d4f6a62cfce651c49bb09 |
| SHA1 | df42cb448e36208e6b74bfd39b9e3783e08c0f1e |
| SHA256 | 858c33f13a3146bc97cbaee73fc71284b0966dbfde0006710e3448a547f318a9 |
| SHA512 | 8fee853069c272e2417ab41eca9bb93107fd608590272cec5143f662b85be0564bd89a8d4394b68325e0e98b9013ddd49e413c00e7ba43070d7793d3aca6f647 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\unpack-jars.bat
| MD5 | 6bc13ee710b1b075a1a8f209545ad681 |
| SHA1 | da7bbbbe0862ed4d59b4a76b24a3d2d17db376c6 |
| SHA256 | ae428f73b9b5d7a8f851990fb99b25281a42264ed9104e64c292d41f21079cb7 |
| SHA512 | b07fb364716abc135bb92d5826b40c989c54ea343de0101cba6009276bf18455cd1ea412b8e8bfacd4f31bd258e8be78862ef11afbd70e28db5de0a39910dcf0 |
\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\unpack200.exe
| MD5 | c9e3919b616fde01bab3d3bcad6f2d78 |
| SHA1 | cc4803356da48386c7aac95485cdc6f140b5a250 |
| SHA256 | 52fbc5995d133c21ab99889ec0b522d9adb5809657bcda6222750168f6c76059 |
| SHA512 | b9f884697bf773f0949d4821a183db3b7f502ad10bbc5ff375d9f334f5a7874c030b6b121231d86a22ffdbb24b4f7f93322219af02615c50ffd826b5998dac98 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\bin\MSVCR100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\ext\localedata.jar.pack
| MD5 | 6474e78e6e442dbfc0eb2931ecfdf22c |
| SHA1 | 43f049efc6a152f97b2697d4a947cd288f03f5fd |
| SHA256 | d304d1eaec279ca65934562d219a610431ca1ff30c61cb0ae3872cd774bcd502 |
| SHA512 | 1d782f44446df9f405b103d1ac6029a92b6ea52ea2ff19cf954010e1bf452c066edf692c5c4f2703539f19caf64ea288a165709cdc3b257fb70faf86cf05f63c |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\jfr.jar.pack
| MD5 | dae19bb9ef4d15325d8cc20d6062d695 |
| SHA1 | 86bb722defdf02f49794d792589c92b8b4a65248 |
| SHA256 | 5aa27bd36665fd8566e56751c303bbbc897aa66a099be8c843b08b8fafc3d186 |
| SHA512 | 9a0b79a7b809bf8013f35d2dd9026c8fddc0f02c7a6c740aac3364f8731ccef0bbd9a692c0fa00206e3b9096347a6ea5337ef0ef4351e5e751276b4047cbabc3 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\jsse.jar.pack
| MD5 | 09a61aeb608f6a65899126c0945e50fc |
| SHA1 | fffef2ed89edf483337a3e95921f606072ff1a8a |
| SHA256 | 9c65e93bf2e9d7958a28f8106a2f1cc64817ac47daac9f5ecbcddb544a03f1fa |
| SHA512 | e317f23c379245828412e3c875b69107584f09073af82d0ac6431f7690901febcfe224bb76ca2e34351fbc0f492d3d696d0a34ca6d3b3682e082ca7e5c89bc03 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\management-agent.jar.pack
| MD5 | de3088806d40f9545206c2aaa373a450 |
| SHA1 | 09facc51d575638d70e53e08126571ab9e5eee67 |
| SHA256 | f0925074ac3e72684a4d8bb25ce08e0225a675fd05844a5a0e53a7c3a6526399 |
| SHA512 | 02ddcccb41f06ac0e7bb328a90050e79ec220db83d87a6a709a98abc8ae96b888bfef0a22e592ffbbd169ced50495a3a51a8f8d90cf8e746276556358fcf0e51 |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\resources.jar.pack
| MD5 | 2d30c2c7cdb54b2410d704d643090fc7 |
| SHA1 | 08ebc3e2f711303c7121bf8f9a07c8cf10e4c4ab |
| SHA256 | 73c95aa28f5b89715497cc51584d4dcbe9a204941996c7f1966d164815555827 |
| SHA512 | 58bcc1dc37ecff22f0e97b4960abc381033135fead673a44457c643d58c7a614d7e85901d3adb6b54825cb2fecee3aacdf8f5d165fe7c16160996158ae89f06d |
C:\Users\Admin\AppData\Local\Temp\jre\jre1.8.0_144\lib\rt.jar.pack
| MD5 | 8b8805ce7130aadcafdf637cc6e25143 |
| SHA1 | 0292e113e3ef509a724ec219be5afa9a43dc5760 |
| SHA256 | a9aa1b7299d5a6ab64ac31a4c4c2e911d99fbe9a15e2f9a26b36691a3a441ab7 |
| SHA512 | a9b14574747caa2f06b742c6d6e94a11465ebd69234e7f09962bbc95a1be31f743f1f001fc39e9266a9edad82186959495af75623176cf069ff523647076c6f8 |
\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.exe
| MD5 | f6c3bf245de50ca3e9205f8ea993ee0c |
| SHA1 | c52e6c3ada747d9f6b4f0fa0774baa6d8505b685 |
| SHA256 | 0c7e5cb66e6a6f5b10a9e353d4e4449bffb8b90a7fbc583ac0a240f833b7c32b |
| SHA512 | 43b39dde31e689b5662dc7e079b17099944c3a3f4d43917c56fce0ae61f6e2d5d04861ac733c1ca60fbd36b803bb4256ad49bb94bfde1181613bf42ac5ee2c32 |
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\java.dll
| MD5 | 2bc55b407460d6c9138d4b95c712df4e |
| SHA1 | 8e7ae8300cd804d8577527ad2bcfc31142faf3f5 |
| SHA256 | 17a76fb4b0ecd64a47b87be827f683800178e723b97990772c9d5b79b01ae33b |
| SHA512 | fd931e0056eef55c3c72f2f2cb14a0d1fbb06a18061742cf5f40ab9b04a05d400e08485fd39255397b60baab63ee64f82c539a097c30ede71a1ec062db99530c |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\i386\jvm.cfg
| MD5 | 9aef14a90600cd453c4e472ba83c441f |
| SHA1 | 10c53c9fe9970d41a84cb45c883ea6c386482199 |
| SHA256 | 9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1 |
| SHA512 | 481562547bf9e37d270d9a2881ac9c86fc8f928b5c176e9baf6b8f7b72fb9827c84ef0c84b60894656a6e82dd141779b8d283c6e7a0e85d2829ea071c6db7d14 |
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\client\jvm.dll
| MD5 | 1e0edf131e5ff64fabf8d89a9eb54b74 |
| SHA1 | d1926ed037abd2fe921d2c04f2e4d9f68a0ca11f |
| SHA256 | 95de2b2d615dae6c6e1496617678f8ff55a0340e67a96c9808385d77df5d28b1 |
| SHA512 | f80f0e25dc21a63e6647e042fd5ba1e9190a62adf6b2d1acca49b9de7bb15d68b203c7b33b7b4f98fdd8e8abaa0e2db7f3c5d6d00277c3945109ec3531e31323 |
\Users\Admin\AppData\Local\Temp\jre\jre\bin\verify.dll
| MD5 | af32add5acc715f8e9042a7135dc52bb |
| SHA1 | dac3b801745e74496802db25fe562cfa222eec44 |
| SHA256 | 3a83a7bc485eecf06831d68bebaf0ffcebde891d1f46a928b4b68808ea141995 |
| SHA512 | 1d8ad76766cabc99833103931f4c4629bb8471f995181a31fee70c19b518f45a5b74f8b1e6778e7746fa2ababd22f767201c45e89a3667c946060d1a09c38af5 |
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\zip.dll
| MD5 | c3c89e3f8a68763a34adde8005a53f64 |
| SHA1 | 633946e8d654aecd5e1c49bef01619eb04269d70 |
| SHA256 | 2035ad15404f03d2fd21e145b9f459ae7a622bc248e1442732b8923d61fd4dea |
| SHA512 | fec196032ce40a20000213a71faa913723491890668ce46bbd8479055687e86de670bc5c8c6a9d2353e046990aa4216bafb18cb59d4828d0c9e3637498d5e699 |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\resources.jar
| MD5 | 44181db5722a460c792d6c6a09d33ee1 |
| SHA1 | 2b2582fcbbf129aff0a650dbdcec74d2acfab439 |
| SHA256 | 493b9e62cde2cefbfef11967c051b05083c55a52981e8bb366aa4f0a9b4cec2b |
| SHA512 | 4dcf50d90ee8f9c649b3cd65b368641dc9efeb017bc06f2b6abc9282ff47257c0a54b5e5fb049de614a805d2aee639aaa0a33491c783d35637d9335c39410167 |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\meta-index
| MD5 | 91aa6ea7320140f30379f758d626e59d |
| SHA1 | 3be2febe28723b1033ccdaa110eaf59bbd6d1f96 |
| SHA256 | 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4 |
| SHA512 | 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\classlist
| MD5 | 7fc71a62d85ccf12996680a4080aa44e |
| SHA1 | 199dccaa94e9129a3649a09f8667b552803e1d0e |
| SHA256 | 01fe24232d0dbefe339f88c44a3fd3d99ff0e17ae03926ccf90b835332f5f89c |
| SHA512 | b0b9b486223cf79ccf9346aaf5c1ca0f9588247a00c826aa9f3d366b7e2ef905af4d179787dcb02b32870500fd63899538cf6fafcdd9b573799b255f658ceb1d |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\jfr.jar
| MD5 | 8f3e442ef4a2cf7dc6a74b6cba944e46 |
| SHA1 | 2e0abd0de03baad777beed863f75467bc1c238e3 |
| SHA256 | b9dc8a0830240ecdaf8bc611f71298b6e930100d1625148dd1eddd595c2b1bbd |
| SHA512 | 9903b7d3160125f3d3f5c67aa915247e2984b509c165f70a9cff9249af138f2bf0b1cc4da7d076f55be97cb06ce6a553a03122231e95effe8ccb77fa55ee1cba |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\jce.jar
| MD5 | 70eb04d21d1639b5d92165cd9d3940ba |
| SHA1 | d958adac5f1edefa22045a1409ccdeff154779c1 |
| SHA256 | 15c40db7ab18423a7b653b64033d4639a8ba5f201c20232c6f5dce0102887231 |
| SHA512 | 2124ad54b1b10cbaf9e06bcc63cf8b2b8479b9787be5ca94f425b0a506c3722a11c68a073718b9f57b6ac9b84ca87ba2838e843c0536fb0769ba64f2a2bd4b58 |
C:\Users\Admin\AppData\Local\Temp\jre\jre\lib\jsse.jar
| MD5 | bd661a03275f81710ac96020104787f7 |
| SHA1 | c55ce37719ffd481144f6d740ee113bdee4cf1e3 |
| SHA256 | 684965f101f311fda252cc3704c47e6f6cd7712c483f43d550f3ed92548b0c8b |
| SHA512 | a045ee68fca0e77511e5121d62e1e74c77b484a9e23919b384dd51de2ba31577f8a1bc9e8ada199413cfc3617c03dc6e58b5fade7b53d9e9df951dae2316ee95 |
memory/1780-378-0x0000000002640000-0x0000000002668000-memory.dmp
memory/1780-381-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1780-383-0x0000000074980000-0x0000000074A3F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jre\jre\bin\client\classes.jsa
| MD5 | 1b5b2e307bb61a2e2f7303f0fc266363 |
| SHA1 | e9e0b723ed185bcb2bf76b8e981c38673a3afb52 |
| SHA256 | 943a59b24d2abe5e2bb580ffcd2daa201cb3882ac5ecd4565a280012002b3a78 |
| SHA512 | bf3b8d67dc7160d1907126d5c3672fc7dd0ead53e13f9af57efffd3b8f62d62a9ad82e78e909ab019505e8a95516b789623891364830ce5ca123ed578a5c3c57 |
memory/2948-420-0x0000000074990000-0x0000000074A4F000-memory.dmp
memory/2948-419-0x00000000001A0000-0x00000000001A1000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\2fa90c54b7a8ee7e.timestamp
| MD5 | 06ee1d337729c18b12a16cff89855377 |
| SHA1 | a11b097290f1617a18c972a84ef94a5cc5a65e36 |
| SHA256 | fd14c0670098400560b0647256fc9e577b42cb0579a46212e74da26043b89aad |
| SHA512 | ad449ebfec3f4d6bc1d253cfaca4859be01a15c9a7998a2593a2123ee0932e01771732a91886222a31dc028cc6a66fefc22587fa2d39ae6e289a415520153b56 |
memory/2588-457-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2588-466-0x0000000000510000-0x000000000051A000-memory.dmp
memory/2588-465-0x0000000000510000-0x000000000051A000-memory.dmp
memory/2588-490-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2588-500-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2588-514-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2388-557-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2388-565-0x00000000003D0000-0x00000000003DA000-memory.dmp
memory/2388-564-0x00000000003D0000-0x00000000003DA000-memory.dmp
memory/1792-563-0x0000000000B60000-0x0000000000BDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\imageio3105475058760391340.tmp
| MD5 | 2dd2315a917e894c9ebb36a17294bfbe |
| SHA1 | 4677184818ef5b364e35d687a1c5834225325ec2 |
| SHA256 | b9f6c8bea26e6e4da680da7d91c79847f2ee4a2076a2e1e1685702807f638ae2 |
| SHA512 | e6c0c689962e5ab8ca136440c563af2b00eefeb584b5da3086432736bcab5e95edcaddf49ae660eff5fc771217dd52c1e9d00f76e77d508fff4ff9f240d990fe |
C:\Users\Admin\AppData\Local\Temp\synchronizer\starter.exe
| MD5 | da73591eb3c1d381627ca800263aa605 |
| SHA1 | 487943ae05d72087bbb3b4f4ff4e7b8a7c4f7be2 |
| SHA256 | 451b974d0b739baac9710af47b3e7bcd3a6a4e1f1648a68ae9a0bbeb8603e1e4 |
| SHA512 | 273ad668a49303309ad187e5a187b98dfd5aa0b289f491d1766f2a4ca48d29172e887e20a4b40e4125a0ba78362c7a796bb1d4a422d13cf0ee1a51331c31e52c |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\avatar2020\MessagesBundle_pt_BR.properties.tmp
| MD5 | b756b4d1b3ada45b3967995a38aaf065 |
| SHA1 | a171b41beb701d73c461477ee82b963d803608ad |
| SHA256 | fcf2ea66735c1ac350bec4140bf6e69b9aeabb74c516b4ba7c61f07e757cc685 |
| SHA512 | 467492fc642041fef64e083f6ada4d29283e3852992dbec130b5a2863224fe80e003b9e20f1dd1ea31a3f28488af571625db4dfc3d2e6c219669a2454d3207e3 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\RoomConfig_pt_BR.properties.tmp
| MD5 | b7124cf4f998e81d02bf5bda274b4246 |
| SHA1 | e41389b62580e4d2b661ede1a54f593c911e3b34 |
| SHA256 | ebb0198e0f737431b98315a942533c59a9a131eb5e02e111493e914f021c9343 |
| SHA512 | a0683367b72c8a28b818f063dfafad5a83be2618b3dda44c756d724c034e3fc5cf818f43993589c0f8d6820715fc391cafeeade1475ae9566b48cec4bb0ce43d |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\avatar2020\MessagesBundle_de_DE.properties.tmp
| MD5 | 70f8e143b0fa33ce5839718a1420b94f |
| SHA1 | 290e0de6a6606946d51ba68a30e4843f2c7d46d8 |
| SHA256 | 678a09a8381b6e5a55fc4d012e8115b75f43248065991347f7cb937cdeeb0ade |
| SHA512 | b20ae25b05d39ba7cd9c805ead3e3ab670efa69387a6c9cdad9de36452c5208f4290a768bc4a71e45e38c9bb94483530cf80770d9a82a5deeff914a6880d85cc |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\RoomConfig_es_ES.properties.tmp
| MD5 | 6c2e959399c84f7cd50a663f570265c2 |
| SHA1 | 03332997d3f1cd992a472f05ae97e6f3a5901691 |
| SHA256 | ba62ceeb37923b1c6ecca7a057580e9eb8a470999d2d287dd47a1dcd39f68366 |
| SHA512 | 7b5b120556bd48d0209215538545f07fc8657d380bd50a0a59c8560185c413f266d3d9298882337cea53c04439fb1572cda20a68119f8ad04688f6071c363d6f |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\console\graphics\CountryCodes_de_DE.properties.tmp
| MD5 | 9ad07d77d71bdeb68c3998b114e20dea |
| SHA1 | 3c253c31a53ad973236f72c70ec28a9c98141c29 |
| SHA256 | 5f1a2e79322bf58371b3ddb8f8d5d3b9b4b21fa3a0d085f71c4577dc213ad8fe |
| SHA512 | 27d51d71ca4d33d5e7ec10f239733651208cca4fdb94d0cba06c7a2b1157000f061a94d7213ea15d9e1f2a36b75a5172aebe1c54bcd06bb14d81871de47bf3fc |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\premium\resources\bundles\MBAchievements_de_DE.properties
| MD5 | 93b885adfe0da089cdf634904fd59f71 |
| SHA1 | 5ba93c9db0cff93f52b521d7420e43f6eda2784f |
| SHA256 | 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d |
| SHA512 | b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee |
C:\Users\Admin\AppData\Local\Temp\imageio8813930502756758057.tmp
| MD5 | 092452ba0f2772f5bd25b9cdc6257a5d |
| SHA1 | 5563a53da694575b0dc28b90d52ed8437d2726ce |
| SHA256 | 6fac918de8eaf17494bb087eab87585eacc38e1dd9c0ad43d7abaa025772fe9f |
| SHA512 | e021c8adc08f2c98b522550bcaa0162dbf69d6647130fb7893159ab44fcc2a8f101f4c03b47835835d80651df3992d9d07f7d6765827b8026576a27fee73f3a0 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\RoomConfig_es_ES.properties
| MD5 | 0e382f6739c66e7b1bee860170029d0e |
| SHA1 | de45f8f3dabe9a757aaf2319c10719758f3c4b98 |
| SHA256 | a5c9fd65b2e10613882bcc6d7973c3e16d14527836fcbf0d3c05bf6df07df535 |
| SHA512 | 8573be4fe4eb2cf75831af1d0fdaca3f39cfab97a5fe63c76e24a86499388faf3bd2431094702e521e3b3136602e598bf75c0d95d11eac4c27af15a70c395b57 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\mjclassloader2.dll
| MD5 | 5420cacb5cc194737f2a6efa93d575ef |
| SHA1 | 8d5cc0c581663e542fae5a99e48b334a61f693f7 |
| SHA256 | 6ca0ad9c20158b1d889f90e419742d27ab86f5fae4a1e086f75cb9716db38a21 |
| SHA512 | 401781f6a77ad1fe5f9848722895e24ea94b76d8ef43da36c6a773e4cd0b2293ce25c6361c17c1edd2b906006e4e5e4ef67b60b98862c6fe1053807049e1da21 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJClassLoader2.class
| MD5 | 2d2fb5e6fea22fe22ae8db07825d19b5 |
| SHA1 | 766882cb7c3a81ef35ad5770aac982cea9ba6e20 |
| SHA256 | 0ddea7d85625456d4f92e50b092500825aa036928205d1b8bbac9f411a618cbe |
| SHA512 | 126c132ae93c274d29244c4d3531b255e4609102ec29df99c96cbc361dfb3a8cc3b7c982c11847714632c19d02cdd056144bfc18c4f226f79955a17546cbcb5b |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\MessagesBundle_pt_BR.properties
| MD5 | ac4fdcda3ab6a0c36af981bb9f6910e5 |
| SHA1 | 36bcb899d446417e8046fe886024803874c78bad |
| SHA256 | f8a88dd2f45076e73a2574de28ca3a5090adba5b3e7918d3347a5f3f4e977c17 |
| SHA512 | bbc1f45fc0ae77160183566c34d5b61ec84a47c1e4d109ca6fbd89ee79439fb866d1946246e8fc59ecd7a584c0fbfd8cf3291b0e15969856e87f1d43d55858d4 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\MessagesBundle_en_US.properties
| MD5 | 586dc19dc88ca5fc9c3609934f893ad8 |
| SHA1 | 643354cf26e16ca5f77aae3a88d05c7793043e0f |
| SHA256 | 65093b16734d615c3f534692dc3e1fd7af9116bed5b7417759a7648001f56fb7 |
| SHA512 | 6ee24eec8e687185203a09dce7074b423c037e1cb1cb8b9da9ff989d8a5dd3e07d6298ba28d87d59c3f2b4396a10240c354b755f03decda9ea0d765e27d62e90 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJLoadLibrary2.class
| MD5 | 4a016edadef328c9c6006809326a9b2f |
| SHA1 | 22b40a051207f055f25e4ded233fd585d6872ef5 |
| SHA256 | 52952e6f44a80ca7a4aad472d4d427dd66501ba7738908301f7916d1beb862d0 |
| SHA512 | 5c3c548bb8dc6c8d6ed946e28c89eeff305f16dac118e61fba8db74a5ce3da0767119f2cc2529bb8018cee4666af658e2729212cf1e4a03694c630905bde04de |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJKeyClientConnectingWindow.class
| MD5 | f32dc8f5013931a8512bead67d9ff7d4 |
| SHA1 | 24cef8d6ea012d5e7ccc476d8987b31696a788d4 |
| SHA256 | 4c4b308574fc728bf35beae8c8380e140a9a77dbedcf1d7fd30f40cb5369194b |
| SHA512 | 7518505305d66e7caa2eb7a9edf57105e89a8a14c2b08acd45d425a1bbfc2b26ccda42d8cb7c14e2679bb6ab0c5cd484c762a3f715024b02fce39631fee259b6 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJKeyClient2.class
| MD5 | 4c27797b075c9dd6b6e3c97581df7b38 |
| SHA1 | f2a093019eaaf45f95b5e8c0cab40d87169c938b |
| SHA256 | e3cd518a6887ec4139ad65ba3c6a9852190e47ad78a65244321934e2f966b737 |
| SHA512 | e378aa8a86061fbabf201f9aa7d897b0352b97f9742f6f247ce9d7f17835bb704c27567fd68c4ed937e5c6be10552eb97bbaf631fe3f1379179dbb7469374323 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJKeyClient2$KeyClientRequest.class
| MD5 | 649d0edc2aebb43f587f28a48bacc1e7 |
| SHA1 | 0fe531fe9021ff8a8d2b94c306262925259fe5d9 |
| SHA256 | 31f2cf157f158e8eb3d463bbbb7095c0997ea7116479927cb28cf5d6cf9d114e |
| SHA512 | 122da97cdcd93fe3413ae4e73e8d34f12f3484b563364fccb93b2ecb37e3d5ba21d33da2c4fb5d559305b94e1ad2488a14a65d24796cf41eafe31e09bb7797f3 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJClassLoader2$MJJamReader.class
| MD5 | d788aae9a4f4b634fe998a44b6f6d2d2 |
| SHA1 | 69f233ed743e4aabb286fe5339f0fd2287ebf5f8 |
| SHA256 | b266f05ae8c695783f94d1fdac63d11fe37fff46c63c92cd2e900acb667fecdf |
| SHA512 | a083ca91299dd52282bb1e1997974de1f8269892b2b42db94ef6799ed59834025e7678f9f7b796e6f97c39ba55e29bb65b3f00ec638c4a0e280d7897f7277370 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\pngfix.dll
| MD5 | 372139e2f0b7e479f20021f00862777f |
| SHA1 | a2d110c12c440fa557cc52011e30dd7ffa460ab1 |
| SHA256 | a0fb7c7fd7b7efecd890f2a7735d0301fdde826977ecc0c2079a7e56cbcb2114 |
| SHA512 | 9e67a1a0b773e99d56188a68778fc0a35df7ceee2f4d8c6f5c8ee8728aca584fc9ad567ffa0c92717f4e0900b531f1bdc449744204e343bffacd3d35b51bbf05 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\console\resources\premium2014\rscpack.jar
| MD5 | d1de06babae3cd9cbb4b3e58055cfeee |
| SHA1 | f333697d2ed683a9c0d81767c46e9eb456685e96 |
| SHA256 | baac472773e5cb95f58743b6861d033f6594d484650ba849fd7b95da0254d29a |
| SHA512 | 87b2e14c8be52f0c076042c57a3abc540e97dbd065c326f33f3b4802dc6efe5b21ecd2055e06bd493e48f427245fb14c0f563e94d94745af5a1ddd410a80d68c |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\maumau\resources\sound\mau_mau_animation_pt_BR.ogg.tmp
| MD5 | e459cf217f7ec5eca6ab0c0840e71407 |
| SHA1 | 903e965875067c1c8c4203cd0000ea772ed1cd45 |
| SHA256 | f9d6cbe2a9ed0d3cbd9d65f71b63dddc124438bc28ec07966a568e38c596477f |
| SHA512 | 594e1baa87d250053b7b6b6f29f39ed650c43a2c1751dfbbaa9745f1323e18807f9f670e0c08a19b5419413b1f1885e76518443da48b3347af5eda88cfbbedd9 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\stratego\resources\noMoves.wav.tmp
| MD5 | fc513edab02171658a180c888d5677fd |
| SHA1 | 621cc805e85a95d1f964fb27f4b273bb245350d9 |
| SHA256 | bea06c049309192266460e5b4999bd93f052adb948286f4b7544723e474fc7b6 |
| SHA512 | 5d89a047b7dffff896424d5892c1dd77094f9c444dd7b71ccb76b7c40746e5a5a426a498c2c401ca30a3edff9ca99f47024e0c0e7af1a557cb2f1477aeb617a1 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\battleship\resources\explosion.wav.tmp
| MD5 | 13b819915bce5ec1ac2ad6ab5fb37870 |
| SHA1 | a60f2dee2612665298a8196f437db3984f764fc1 |
| SHA256 | f335518cb3768ed1152a00736b467d6657de5568d28951f6c12fa9969e8df4ff |
| SHA512 | be37dd0b496778446bbe68bac1e1215b764b0a0d0951eb1e339fb033baea0236205e405d03f14ff85917df2156208b41ea32c556d07446678f3d61fb2eaf3914 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\eureka\resources\eureka_prefix_dicionary_en_US.mj.tmp
| MD5 | 1531c049b84095b68acc727a55ad7590 |
| SHA1 | 2ff46700638b6df69ce45c5b9bea81eac1476aad |
| SHA256 | bb03356e531c521c10bc0c1171272de60afd85fa798ffa4ce0831219e5e20cb5 |
| SHA512 | a4230ce16959e5f5a0c94c8c315690a64a2f1d322c857c81ca734c2532afe1b31bf1d613f6135ea36c39cc534c430b4958e893d7086c9e71dc09631b6e5ec3ca |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\console\resources\login\rscpack.jar
| MD5 | fb35d880652595d692bc94dbe0b1f9d3 |
| SHA1 | 6b901394d9dac5d078d897299be690d1105a61ef |
| SHA256 | 3938af8272f004425f1e28c5b655436119a6819f5b69e576d9553286ab9cff7b |
| SHA512 | 3a7466a04c5c4fe52dc5cccc306c174c97b611f355f65762bfbf98616f2e797c67d9db1611c6c0b06e2e563c27c39da9d18a40654ce27e6898e9313a29da765f |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\megajammer2\MJErrorReportDialog.class
| MD5 | 81e4b1dd123226aced7bfd55306708fb |
| SHA1 | 311db80aa2c601cd409bbbd500800a2b4d05e994 |
| SHA256 | 532c396e88c5bd386d0022659e6a496a5568b12d5438df6133a9372225608afb |
| SHA512 | f9d11ed61971b0bcd5c4b500b2413dc216fb671f0d8182dbb6e345ef7ffd28037cc385beb1e74a04b43d925c16f26eee09c6ec34d13cb6db047316dd47fa57cb |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\avatar\MessagesBundle_de_DE.properties
| MD5 | 717838261767387ce8d175d7d877d94b |
| SHA1 | aadcd4200e74d1a17bc33538b2fd50e1d2d84079 |
| SHA256 | 9a0879cbb3f0afc10b195861f659cf6d55753f2f3a4816a40806b6ad82bd6f6e |
| SHA512 | 5b3c0f6d963b6435ba9baad06074aa5904881086a24a995b57fe1bffe1ae4874dfae720b6a5a5cd30252014539bf7dc33e2fdbd8f31c309827bd076004c68429 |
C:\Users\Admin\AppData\Local\Temp\apps\multiplayer\com\fontec\games\avatar\MessagesBundle_pt_BR.properties
| MD5 | 9261c57cbc966135b3412d39932d6616 |
| SHA1 | 850b83f661b9afcc55283620a7b870558ff090fd |
| SHA256 | fd5d7713ab91c3a03fda4ca9b5fe427ef03565ca1784c6d054b1298cfb0f477b |
| SHA512 | f45201f51ee5d89ea25292d20519b4e48a2ffb828419bb7cd5203edbad1cf1f7fec51b712596474ebf1e8d769c4b46ae16eb85adbf0e1daf8d9cb012e5231c9b |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
53s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{95169B07-5454-459F-92B2-6F1DC59A02EF} | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{63EBFD6A-9534-4417-B6B4-983F54397B06} | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\starter.exe
"C:\Users\Admin\AppData\Local\Temp\starter.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
"java.exe" -XX:+UseFastAccessorMethods -XX:+UseConcMarkSweepGC -Xmx900M -XX:+HeapDumpOnOutOfMemoryError -splash:synchronizer\splash.png -cp "C:\Users\Admin\AppData\Local\Temp\synchronizer\synchronizer.jar" com.fontec.synchronizer.MegaInitializer apps\multiplayer.conf
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\cmd.exe
cmd /c tasklist /v /FO csv | find "javaw" | find "MegaJogos"
C:\Windows\system32\tasklist.exe
tasklist /v /FO csv
C:\Windows\system32\find.exe
find "javaw"
C:\Windows\system32\find.exe
find "MegaJogos"
C:\Windows\SYSTEM32\cmd.exe
cmd /c wmic process where (processid="3032") get parentprocessid
C:\Windows\System32\Wbem\WMIC.exe
wmic process where (processid="3032") get parentprocessid
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | downloads.unitedjoy.com | udp |
Files
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | a5b02997f8e0567a99b1619bcf7db5d4 |
| SHA1 | 16bf092a9c585ede780e58174f77c03d67e340c5 |
| SHA256 | 92b49af49194b3a6bfba8695c3e9a5d44857017b9494d2135ec0b7fc4eea5133 |
| SHA512 | c3635eece68501b0d4bbaef7b03835574e1553b6d5b54cc592ac265a16602dc4993bf65922b8ea739b6fea81086ef5e91a710ce42e6fcfd2b6fe06570dc9ef75 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win7-20240419-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\synchronizer\synchronizer.jar
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 19:49
Reported
2024-06-12 19:52
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4200 wrote to memory of 4060 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 4200 wrote to memory of 4060 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\synchronizer\synchronizer.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
Files
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | cbff5c9cd49f4b3bcd8394a48da6641f |
| SHA1 | 5d055b16ee5f9b80a2c4ca85a27148df1c4b667f |
| SHA256 | 59d2b5f21bc27ed4b5f96f16ad2372413927005fc3d3985485ec7681c4129dbf |
| SHA512 | 76f4f9e0a88c0948842d43baba174e0a08ee6913b921afd51518fa87a04a1374a335f8ec3036ddd3cfdd909e023fb394f12c743555ad31a66dabee4f013e0b48 |