Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 04:22
Behavioral task: behavioral1
Sample: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Size: 165KB
MD5: 02c49ff5cd55eb5c2fd2e9d1017af70c
SHA1: df96670a8368a27d32e4171694121b765c232230
SHA256: bf60ffee067198ee1d3d56c14218ee65a85dac4d2e84e71194d2aa1e597c0547
SHA512: 9ce0a92d5dbb247574076ee80aa8793d0c952aa9699ce41deaad974a179fb1e14064b520d60eba7de20e68d7e50ed815de56aa344d96cbc3062d4a4e7cc2e7a8
SSDEEP: 3072:sr85CW4cIeOY5nmIPPjFPIzdctOdt25OmlM8+:k9El3mIPPjFPgO+t25OmlMJ
Malware Config
Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Detect Neshta payload (5 IoCs)
Processes:
resource | yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | family_neshta
behavioral2/memory/1068-132-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1068-151-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1068-173-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | family_neshta
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Disables RegEdit via registry modification (1 IoC)
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
pid | process
4736 | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe, 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
File opened (read-only) | \??\T: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\U: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\V: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\E: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\M: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\H: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\O: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\I: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\K: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\S: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\N: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\P: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\R: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\W: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\X: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\G: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\J: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened (read-only) | \??\L: | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\autorun.inf | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 41 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid process
316 explorer.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid process
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe (30 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid process
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
316 explorer.exe (2 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe (PID 1068), 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe (PID 4736)
source pid process -> target pid process (unique pairs; the raw report repeats most of them several times)
1068 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 800 fontdrvhost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 808 fontdrvhost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 332 dwm.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 4024 explorer.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 2616 sihost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 2632 svchost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 2728 taskhostw.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 3464 Explorer.EXE
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 3640 svchost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 3828 DllHost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 3920 StartMenuExperienceHost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 3984 RuntimeBroker.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 4064 SearchApp.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 4124 RuntimeBroker.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 4656 RuntimeBroker.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 6056 TextInputHost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 4592 backgroundTaskHost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 5720 backgroundTaskHost.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 1068 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 316 explorer.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 5220 RuntimeBroker.exe
4736 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe -> 5452 RuntimeBroker.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
Processes (indentation shows parent/child depth; signatures are listed under the process that triggered them)
-
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"
-
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"
-
C:\Windows\system32\dwm.exe  "dwm.exe"
-
C:\Windows\system32\sihost.exe  sihost.exe
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
    -
    C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
        -
        C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
            -
            C:\Windows\SysWOW64\explorer.exe  explorer 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118l
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
-
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
-
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
-
C:\Windows\explorer.exe  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13; counts are the number of matching signatures)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Event Triggered Execution (1): Change Default File Association (1)
Defense Evasion
- Modify Registry (7)
- Impair Defenses (4): Disable or Modify Tools (3), Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  Filesize 328KB
  MD5     39c8a4c2c3984b64b701b85cb724533b
  SHA1    c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
  SHA256  888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
  SHA512  f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2
-
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
  Filesize 773KB
  MD5     e7a27a45efa530c657f58fda9f3b9f4a
  SHA1    6c0d29a8b75574e904ab1c39fc76b39ca8f8e461
  SHA256  d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
  SHA512  0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54
-
C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
  Filesize 125KB
  MD5     c6146a1633c9ecf052f67cc97b8342f6
  SHA1    73e5da9adb23ca93a6af2b1d30b7775de4125ebc
  SHA256  161b1a7c9747d598c7b8031a21527f08a32b6fd0a82841f3f553b70842cb164a
  SHA512  02d42059dd7afc00f95672ffb9a20fd5344f6adde8cc21f0cb31653800e1bcf313a9d6c77bdcdf3800a1395644ff9c415740e4c170731a09846d59ee4602a403
-
C:\fwsedh.pif
  Filesize 100KB
  MD5     3b8fa65f2c724a30508c14185fbff057
  SHA1    f41eb3b2d139f50e9278ff4fb581e5eaa63f3d13
  SHA256  bc5ecd9eb0345e2dc2a8edee063c6ac2b4ec1fcf07206a9ba13a70caa940477a
  SHA512  dfb2ab6cdab49ca0e5088c8e90ae6593b46ac5e4fcfe783a62ddb1733a1118db488bbfcfa608b363c3b756ac8219ef1a59031e3a656e91f449f5cc00b6c49561
-
Memory dumps (name, Filesize)
memory/1068-25-0x0000000002DB0000-0x0000000002DB2000-memory.dmp   8KB
memory/1068-173-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1068-151-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1068-31-0x0000000002DB0000-0x0000000002DB2000-memory.dmp   8KB
memory/1068-132-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1068-29-0x0000000002DB0000-0x0000000002DB2000-memory.dmp   8KB
memory/1068-26-0x0000000002F00000-0x0000000002F01000-memory.dmp   4KB
memory/4736-131-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-143-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-28-0x0000000003B60000-0x0000000003B61000-memory.dmp   4KB
memory/4736-18-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-19-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-48-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-49-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-47-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-95-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-96-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-123-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-124-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-125-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-130-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-30-0x00000000039F0000-0x00000000039F2000-memory.dmp   8KB
memory/4736-32-0x00000000039F0000-0x00000000039F2000-memory.dmp   8KB
memory/4736-133-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-135-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-136-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-138-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-139-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-16-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-145-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-147-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-148-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-24-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-152-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-153-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-155-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-158-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-160-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-167-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-168-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-169-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-172-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-23-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-174-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-175-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-176-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-177-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-13-0x0000000002920000-0x00000000039AE000-memory.dmp   16.6MB
memory/4736-182-0x0000000002920000-0x00000000039AE000-memory.dmp  16.6MB
memory/4736-188-0x00000000039F0000-0x00000000039F2000-memory.dmp  8KB
memory/4736-12-0x0000000000400000-0x000000000041F000-memory.dmp   124KB
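Added example, not part of this report or of the sandbox's tooling: a Python parser for the dump names above. Each name encodes PID, dump index and the start and end address of the region; the code recovers those fields, derives the size (which should agree with the Filesize column), collapses the many repeated dumps of one range into a single row with a count and the dump indices, and tags the range that starts at 0x400000, the default link-time image base of a 32-bit PE, since that is normally the process's main module and the first dump worth scanning. SAMPLE_DUMPS is a subset of the names listed above; IMAGE_BASE and the row layout are my assumptions.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r'^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')

# Subset of the dump names listed in this report (same naming scheme as the full list).
SAMPLE_DUMPS = [
    "memory/1068-25-0x0000000002DB0000-0x0000000002DB2000-memory.dmp",
    "memory/1068-173-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1068-151-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1068-132-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1068-26-0x0000000002F00000-0x0000000002F01000-memory.dmp",
    "memory/4736-131-0x0000000002920000-0x00000000039AE000-memory.dmp",
    "memory/4736-143-0x0000000002920000-0x00000000039AE000-memory.dmp",
    "memory/4736-28-0x0000000003B60000-0x0000000003B61000-memory.dmp",
    "memory/4736-12-0x0000000000400000-0x000000000041F000-memory.dmp",
]

IMAGE_BASE = 0x400000   # default link-time image base of a 32-bit PE executable (assumption used for tagging)


def parse_dump(name):
    """Recover pid, dump index and address range from one dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render bytes the way the report's Filesize column does: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / (1 << 20):.1f}MB" if n >= (1 << 20) else f"{n // 1024}KB"


def summarize(names):
    """Per pid, collapse repeated dumps of one address range into a row with a count and the dump
    indices that hit it; rows are sorted by start address."""
    regions = defaultdict(dict)
    for name in names:
        d = parse_dump(name)
        row = regions[d["pid"]].setdefault(
            (d["start"], d["end"]),
            {"start": d["start"], "end": d["end"], "size": d["size"], "count": 0, "indices": []})
        row["count"] += 1
        row["indices"].append(d["idx"])
    out = {}
    for pid, rows in regions.items():
        ordered = sorted(rows.values(), key=lambda r: r["start"])
        for r in ordered:
            r["indices"].sort()
            r["image_base"] = r["start"] == IMAGE_BASE
        out[pid] = ordered
    return out


def report(names):
    """One text line per (pid, range), with the dump count and an image-base tag."""
    lines = []
    for pid, rows in sorted(summarize(names).items()):
        for r in rows:
            tag = "  <- starts at 0x400000, usually the main module" if r["image_base"] else ""
            lines.append(f"pid {pid}  0x{r['start']:08X}-0x{r['end']:08X}  {human_size(r['size']):>7}"
                         f"  dumped {r['count']}x (idx {', '.join(map(str, r['indices']))}){tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMPS)))
```

Run over the full list above, the summary reduces 51 names to six rows: in PID 4736 the 16.6MB range at 0x2920000 is dumped dozens of times while the 124KB range at 0x400000 is dumped once, which is the pattern of a process that keeps rewriting one large private region; a region that the sandbox re-dumps that often is the one to diff across indices rather than scan once.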