Malware Analysis Report

2024-08-06 14:20

Sample ID: 240619-2v9z7awakb
Target: 0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118
SHA256: 9523efa6997c29824eaf3158e89eb2c3518caeeec3cae81a1c0b2fa20d35eeb5
Tags: modiloader evasion persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 9523efa6997c29824eaf3158e89eb2c3518caeeec3cae81a1c0b2fa20d35eeb5

Threat Level: Known bad

The file 0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

Modifies firewall policy service

ModiLoader, DBatLoader

ModiLoader Second Stage

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-19 22:55

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 22:55
Reported: 2024-06-19 22:57
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\javaupd.exe = "C:\\Windows\\system32\\javaupd.exe:*:Enabled:Explorer" C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

ModiLoader Second Stage


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\javaqs.exe N/A
N/A N/A C:\Windows\SysWOW64\javaqs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kaspersky Email Security = "C:\\Windows\\system32\\javaupd.exe" C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\KB1090891424.log C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\javaqs.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\javaupd.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\javaupd.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe (all rows)
Target: N/A (all rows)
Indicator:
C:\program files\tesla\files\Half life 3 preview 10 minutes gameplay video.exe
C:\program files\icq\shared folder\TCN ISO SigmaX2 firmware.bin.exe
C:\program files\icq\shared folder\Absolute Video Converter 6.2.exe
C:\program files\grokster\my grokster\Joannas Horde Leveling Guide TBC Woltk.exe
C:\program files\limewire\shared\xbox360 flashing tools and guide including bricked drive fix.exe
C:\program files\tesla\files\Adobe Acrobat Reader keygen.exe
C:\program files\winmx\shared\Divx Pro 6.8.0.19 + keymaker.exe
C:\program files\grokster\my grokster\Tuneup Ultilities 2008.exe
C:\program files\tesla\files\Divx Pro 6.8.0.19 + keymaker.exe
C:\program files\tesla\files\xbox360 flashing tools and guide including bricked drive fix.exe
C:\program files\winmx\shared\WinRAR v3.x keygen RaZoR.exe
C:\program files\winmx\shared\Internet Download Manager V5.exe
C:\program files\limewire\shared\Download Accelerator Plus v8.7.5.exe
C:\program files\limewire\shared\Tuneup Ultilities 2008.exe
C:\program files\tesla\files\TCN ISO cable modem hacking tools.exe
C:\program files\winmx\shared\Half life 3 preview 10 minutes gameplay video.exe
C:\program files\icq\shared folder\Motorola, nokia, ericsson mobil phone tools.exe
C:\program files\grokster\my grokster\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
C:\program files\emule\incoming\Norton Anti-Virus 2009 Enterprise Crack.exe
C:\program files\emule\incoming\Half life 3 preview 10 minutes gameplay video.exe
C:\program files\winmx\shared\Wow WoLTk keygen generator-sfx.exe
C:\program files\winmx\shared\Kaspersky Internet Security 2009 keygen.exe
C:\program files\icq\shared folder\CleanMyPC Registry Cleaner v6.02.exe
C:\program files\emule\incoming\TCN ISO cable modem hacking tools.exe
C:\program files\emule\incoming\LimeWire Pro v4.18.3.exe
C:\program files\morpheus\my shared folder\Super Utilities Pro 2009 11.0.exe
C:\program files\winmx\shared\Daemon Tools Pro 4.11.exe
C:\program files\icq\shared folder\Password Cracker.exe
C:\program files\icq\shared folder\Kaspersky Internet Security 2009 keygen.exe
C:\program files\emule\incoming\Microsoft Visual Studio 2008 KeyGen.exe
C:\program files\emule\incoming\Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
C:\program files\morpheus\my shared folder\LimeWire Pro v4.18.3.exe
C:\program files\limewire\shared\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
C:\program files\tesla\files\BitDefender AntiVirus 2009 Keygen.exe
C:\program files\morpheus\my shared folder\Myspace theme collection.exe
C:\program files\tesla\files\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
C:\program files\icq\shared folder\Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
C:\program files\icq\shared folder\Daemon Tools Pro 4.11.exe
C:\program files\grokster\my grokster\Kaspersky Internet Security 2009 keygen.exe
C:\program files\emule\incoming\Power ISO v4.2 + keygen axxo.exe
C:\program files\morpheus\my shared folder\BitDefender AntiVirus 2009 Keygen.exe
C:\program files\icq\shared folder\K-Lite codec pack 4.0 gold.exe
C:\program files\icq\shared folder\Joannas Horde Leveling Guide TBC Woltk.exe
C:\program files\limewire\shared\Download Boost 2.0.exe
C:\program files\icq\shared folder\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
C:\program files\emule\incoming\Smart Draw 2008 keygen.exe
C:\program files\emule\incoming\Windows XP PRO Corp SP3 valid-key generator.exe
C:\program files\tesla\files\Tuneup Ultilities 2008.exe
C:\program files\morpheus\my shared folder\Alcohol 120 v1.9.7.exe
C:\program files\limewire\shared\Super Utilities Pro 2009 11.0.exe
C:\program files\limewire\shared\Kaspersky Internet Security 2009 keygen.exe
C:\program files\grokster\my grokster\Internet Download Manager V5.exe
C:\program files\emule\incoming\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
C:\program files\emule\incoming\Absolute Video Converter 6.2.exe
C:\program files\emule\incoming\Super Utilities Pro 2009 11.0.exe
C:\program files\emule\incoming\FOOTBALL MANAGER 2009.exe
C:\program files\tesla\files\Red Alert 3 keygen and trainer.exe
C:\program files\tesla\files\Download Boost 2.0.exe
C:\program files\grokster\my grokster\Norton Anti-Virus 2009 Enterprise Crack.exe
C:\program files\emule\incoming\Adobe Acrobat Reader keygen.exe
C:\program files\limewire\shared\Adobe Photoshop CS4 crack.exe
C:\program files\tesla\files\Sophos antivirus updater bypass.exe
C:\program files\winmx\shared\Download Boost 2.0.exe
C:\program files\winmx\shared\Perfect keylogger family edition with crack.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events (number of identical rows recorded)
PID 2664 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe 10
PID 1580 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe C:\Windows\SysWOW64\javaqs.exe 4
PID 2356 wrote to memory of 2448 N/A C:\Windows\SysWOW64\javaqs.exe C:\Windows\SysWOW64\javaqs.exe 10
PID 2448 wrote to memory of 1656 N/A C:\Windows\SysWOW64\javaqs.exe C:\Program Files\Internet Explorer\iexplore.exe 40

Processes

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

C:\Windows\SysWOW64\javaqs.exe

"C:\Windows\system32\javaqs.exe"

C:\Windows\SysWOW64\javaqs.exe

C:\Windows\SysWOW64\javaqs.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 255.255.255.255.in-addr.arpa udp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-rno.apple.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
FI 142.250.150.26:25 alt4.aspmx.l.google.com tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
NL 142.251.9.27:25 alt3.aspmx.l.google.com tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp

Files

Memory dumps of PID 1580, region 0x0000000000400000-0x0000000000460000, sequence numbers 0, 2, 5, 6, 8, 10, 12, 14, 15, 19, 23:
memory/1580-<seq>-0x0000000000400000-0x0000000000460000-memory.dmp

\Windows\SysWOW64\javaqs.exe

MD5 e4a50779ce4afc2eae51db7d550e8d4b
SHA1 db23b06bdb4ff3e9ac5e76080ca863c112a6c262
SHA256 19ba29b55ec53bc54faaf02cb344667a4a5c3ce210aa14daa55ca5a7c31292c7
SHA512 20187d00c6bfae560ade24b7481603849419830dec52298c8afbffd0d00d912d7864bec13c48559eef57a98823b42f1d9e003436a2dd83ce5ac8775dd3131d65

Memory dumps of PID 2448, region 0x0000000000400000-0x000000000042B000, sequence numbers 38, 40, 42, 44, 46, 48, 50, 52, 53, 54, 55, 57, 68:
memory/2448-<seq>-0x0000000000400000-0x000000000042B000-memory.dmp

Memory dump of PID 2448, region 0x0000000010410000-0x0000000010455000, sequence number 59:
memory/2448-59-0x0000000010410000-0x0000000010455000-memory.dmp

Memory dumps of PID 1580, region 0x0000000000400000-0x0000000000460000, sequence numbers 69, 72, 78, 83, 88:
memory/1580-<seq>-0x0000000000400000-0x0000000000460000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 22:55
Reported: 2024-06-19 22:57
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\javaupd.exe = "C:\\Windows\\system32\\javaupd.exe:*:Enabled:Explorer" C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

ModiLoader Second Stage


Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\javaqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java update = "C:\\Windows\\SysWOW64\\javaqs.exe" C:\Windows\SysWOW64\javaqs.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20} C:\Windows\SysWOW64\javaqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}\StubPath = "\"C:\\Windows\\SysWOW64\\javaqs.exe\"" C:\Windows\SysWOW64\javaqs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\javaqs.exe N/A
N/A N/A C:\Windows\SysWOW64\javaqs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\javaqs.exe N/A
N/A N/A C:\Windows\SysWOW64\javaqs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java update = "C:\\Windows\\SysWOW64\\javaqs.exe" C:\Windows\SysWOW64\javaqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kaspersky Email Security = "C:\\Windows\\system32\\javaupd.exe" C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\javaqs.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\javaupd.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\javaupd.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\KB85780876.log C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe (all rows)
Target: N/A (all rows)
Indicator:
C:\program files\emule\incoming\Norton Anti-Virus 2009 Enterprise Crack.exe
C:\program files\tesla\files\Divx Pro 6.8.0.19 + keymaker.exe
C:\program files\winmx\shared\Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
C:\program files\icq\shared folder\Silkroad Online guides and wallpapers.exe
C:\program files\emule\incoming\G-Force Platinum v3.7.5.exe
C:\program files\morpheus\my shared folder\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
C:\program files\tesla\files\Adobe Acrobat Reader keygen.exe
C:\program files\tesla\files\Google Earth Pro 4.2. with Maps and crack.exe
C:\program files\grokster\my grokster\xbox360 flashing tools and guide including bricked drive fix.exe
C:\program files\tesla\files\Myspace theme collection.exe
C:\program files\grokster\my grokster\BitDefender AntiVirus 2009 Keygen.exe
C:\program files\emule\incoming\Absolute Video Converter 6.2.exe
C:\program files\morpheus\my shared folder\Alcohol 120 v1.9.7.exe
C:\program files\tesla\files\Tuneup Ultilities 2008.exe
C:\program files\tesla\files\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
File created C:\program files\icq\shared folder\Sophos antivirus updater bypass.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\TCN ISO SigmaX2 firmware.bin.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\G-Force Platinum v3.7.5.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Perfect keylogger family edition with crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Acker DVD Ripper 2009.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\TCN ISO cable modem hacking tools.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Norton Anti-Virus 2009 Enterprise Crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Perfect keylogger family edition with crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Download Accelerator Plus v8.7.5.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Norton Anti-Virus 2009 Enterprise Crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Perfect keylogger family edition with crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Download Accelerator Plus v8.7.5.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Acker DVD Ripper 2009.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Half life 3 preview 10 minutes gameplay video.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\CleanMyPC Registry Cleaner v6.02.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Sophos antivirus updater bypass.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Microsoft Visual Studio 2008 KeyGen.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Opera 10 cracked.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Myspace theme collection.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Super Utilities Pro 2009 11.0.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\K-Lite codec pack 4.0 gold.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\xbox360 flashing tools and guide including bricked drive fix.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\WinRAR v3.x keygen RaZoR.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\TCN ISO SigmaX2 firmware.bin.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Acker DVD Ripper 2009.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Perfect keylogger family edition with crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Download Accelerator Plus v8.7.5.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Ultimate xxx password generator 2009.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Alcohol 120 v1.9.7.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Opera 10 cracked.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Google Earth Pro 4.2. with Maps and crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Microsoft Visual Studio 2008 KeyGen.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\FOOTBALL MANAGER 2009.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Ad-aware 2008.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Daemon Tools Pro 4.11.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\BitDefender AntiVirus 2009 Keygen.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Norton Anti-Virus 2009 Enterprise Crack.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Red Alert 3 keygen and trainer.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Joannas Horde Leveling Guide TBC Woltk.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Power ISO v4.2 + keygen axxo.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Sophos antivirus updater bypass.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Power ISO v4.2 + keygen axxo.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 556 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe C:\Windows\SysWOW64\javaqs.exe
PID 1140 wrote to memory of 1216 N/A C:\Windows\SysWOW64\javaqs.exe C:\Windows\SysWOW64\javaqs.exe
PID 1216 wrote to memory of 4084 N/A C:\Windows\SysWOW64\javaqs.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

C:\Windows\SysWOW64\javaqs.exe

"C:\Windows\system32\javaqs.exe"

C:\Windows\SysWOW64\javaqs.exe

C:\Windows\SysWOW64\javaqs.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp

Files

memory/556-0-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-2-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-3-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-7-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-11-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Windows\SysWOW64\javaqs.exe

MD5 e4a50779ce4afc2eae51db7d550e8d4b
SHA1 db23b06bdb4ff3e9ac5e76080ca863c112a6c262
SHA256 19ba29b55ec53bc54faaf02cb344667a4a5c3ce210aa14daa55ca5a7c31292c7
SHA512 20187d00c6bfae560ade24b7481603849419830dec52298c8afbffd0d00d912d7864bec13c48559eef57a98823b42f1d9e003436a2dd83ce5ac8775dd3131d65

memory/1216-21-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-24-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-19-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-22-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-29-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-25-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-30-0x0000000010410000-0x0000000010455000-memory.dmp

memory/1216-37-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1216-31-0x0000000010410000-0x0000000010455000-memory.dmp

memory/556-40-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-42-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-43-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-44-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-45-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-46-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-47-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-52-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-54-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-57-0x0000000000400000-0x0000000000460000-memory.dmp

memory/556-63-0x0000000000400000-0x0000000000460000-memory.dmp