Analysis Overview
SHA256
2d69f7d0f9e6853f52e4176c3cb01a4fb4ccfb9d9d9ce21b3a8976db60f675ba
Threat Level: Known bad
The file 4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detect XtremeRAT payload
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
UPX packed file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-15 22:07
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 22:07
Reported
2024-07-15 22:09
Platform
win7-20240704-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} | C:\Windows\svcr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" | C:\Windows\svcr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe" | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe" | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "%java%" | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Microsoft\Protect\System.exe | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\Protect\System.exe | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft\Protect\ | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3032 set thread context of 2032 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 2376 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe |
| PID 2032 set thread context of 2820 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 2784 set thread context of 376 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 376 set thread context of 1748 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 1828 set thread context of 1220 | N/A | C:\Windows\svcr.exe | C:\Windows\svcr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\svcr.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File created | C:\Windows\svcr.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\app.exe | C:\Windows\app.exe | N/A |
| File created | C:\Windows\app.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\app.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\app.exe | C:\Windows\app.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427243112" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C129BE1-42F6-11EF-9629-7667FF076EE4} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\svcr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\app.exe
"C:\Windows\app.exe"
C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\WINDOWS\SysWOW64\taskmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
C:\Windows\svcr.exe
"C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\app.exe
"C:\Windows\app.exe"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\svcr.exe
"C:\Windows\svcr.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:6566914 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | nerozhack.ddns.com.br | udp |
| US | 8.8.8.8:53 | alonedevil.no-ip.org | udp |
| US | 8.8.8.8:53 | gameszero.dyndns.org | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2376-0-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Windows\app.exe
| MD5 | 6bc39ca90cb15858bcff5f20ab1f02bc |
| SHA1 | abbf8f10c0687ebe9a8c869b76bb5d2e6103b41a |
| SHA256 | ce02a77ae693e3a9d66b63100d5bdde64d72bf01fbcac1fdf6ffa15b86513db6 |
| SHA512 | 4f9b1ad1aa3b13828b4643799c9a9d4a3688a442a8a741414b06098bf91aa8629bc261d6db9f2bfd5f4efa241e3618c1737c21c7166395a78af20304c70df0dd |
memory/2376-17-0x0000000002FF0000-0x00000000030B1000-memory.dmp
memory/3032-19-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2032-21-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2032-35-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3032-34-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2032-32-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2032-31-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2032-27-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2032-25-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2032-23-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2904-38-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-57-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-52-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-55-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-48-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-46-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2376-56-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2904-50-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-40-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2904-42-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2032-70-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2820-68-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2820-67-0x0000000010000000-0x000000001004D000-memory.dmp
memory/2820-66-0x0000000010000000-0x000000001004D000-memory.dmp
memory/2820-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2568-73-0x0000000010000000-0x000000001004D000-memory.dmp
memory/2820-60-0x0000000010000000-0x000000001004D000-memory.dmp
memory/2820-59-0x0000000010000000-0x000000001004D000-memory.dmp
memory/2820-58-0x0000000010000000-0x000000001004D000-memory.dmp
memory/2820-63-0x0000000010000000-0x000000001004D000-memory.dmp
memory/3016-76-0x0000000010000000-0x000000001004D000-memory.dmp
memory/3016-79-0x0000000010000000-0x000000001004D000-memory.dmp
memory/1828-89-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2904-88-0x0000000002BE0000-0x0000000002CA0000-memory.dmp
memory/2904-87-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Windows\svcr.exe
| MD5 | 4b9b50c2507af7a72e71c065ab3f0208 |
| SHA1 | 8dc0c408ae97e6db8380f55d008ee8c48a5380d3 |
| SHA256 | 2d69f7d0f9e6853f52e4176c3cb01a4fb4ccfb9d9d9ce21b3a8976db60f675ba |
| SHA512 | 1daab31d18825fa5098d9f1b2d8edb03d9515c1eee413415297a15f6d79a366b8e074d85f19a5f99fda2d723e27e9ac9a421d66b3c9177e0b893cdb3a5cb6528 |
C:\Users\Admin\AppData\Local\Temp\nmunaaa
| MD5 | 3364a052704d5fdf7da3b0120de5a146 |
| SHA1 | f12f6d829afb1b7e23b2933dbdea7edd99ec5b64 |
| SHA256 | ea04b3493a08cfff7b9576d601966a02e4374eed64277c4508bb3a569597894b |
| SHA512 | 1abee15cc99aa1c8bdac62141ee69bd3e29be8943f6dc4b7e0c198a24600583f7e8684ffc2ec34038819333584e91bd82eab032321ae791f2b197af9c99eec52 |
memory/2784-99-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2784-111-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/376-124-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-145-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4AB8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar4B69.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 635b4e2e52ccc7d3c95e41f129021b9e |
| SHA1 | e8ed86a73382a221987ea77b444b11a9a3f0c761 |
| SHA256 | f81d39e5c966d80d885a4178c9d809f7a958ae94ac702e2ee87e536c402537c2 |
| SHA512 | 6283f97c4c063ea421ad926c7a62ddd32ba1bbe65a118de89b55ff4e22f41cc03a02c72332810b5c436fc8145031b22036f9615aba12eaeb317899b02c316ba9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11eb0215317ed1ef571c40c256cfa604 |
| SHA1 | 3e603edb275671219603437aa65c3553a8195b28 |
| SHA256 | 5c74e394b1c124147f48977e06a3d9c785890f6aa07309ecf25bdf091e07a74e |
| SHA512 | ac1ff064d26ce6d7260fd59eb760934976c8377b43b105c431f4d3ef898b314c8b0887b797077e1939953d827fec91013440da68c02820834ae5b0509db1180b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8fcbad315ac1336d0072468fc53b03a0 |
| SHA1 | 3478507967d8651e7183c1d4cea2e5d05ac2d769 |
| SHA256 | e8ee1a965259c4e1bfb21f38ad32f4477529cabcc2e651187b8a5c318344490d |
| SHA512 | f36ec5a1cc652d7e96017937792cd8e898e710fec4cf7c7d00d41f21e2d7c54853017a5d7e3c68dfe5e6b998315ad6d185b79384865431deec48304b2ad60f4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c1a285ee0cf04edc13ed4a5247241b4 |
| SHA1 | 220aaba54a5064f51b00a40d497d8478bf518197 |
| SHA256 | e07dd69d6f6288dbb82149497301c138fc7f968b9d79491509f55eec5c00026a |
| SHA512 | 31ff75c71044146f8f1ac9c63d3d54dfe62239171c762cd6bcf2ea9edf50873e445dab0714e50aefc90c410fc21e57a273e288fc4aa84b73ad10c24245ad7706 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6aaa36867f49c2471c77fb97daddd967 |
| SHA1 | 00e8dec40217f40b9212fd31c4fc4e2791613148 |
| SHA256 | 469008cf91cc041a1a69088d13ae9f654e0a339b82fa11af1ea6af0bd2293d48 |
| SHA512 | 23314867b254ea0556e6084e3f61f6ad70f306d95705eee3f2395e608d90f583043487ecf3eac1c67ba5b8fb4fd750961b2db6632a555b2eb673c0e2975f32c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9bc6e2bebb114931a57e894517411aa |
| SHA1 | c309d077751c14631434852c7615691c5b053918 |
| SHA256 | 963b5b08432e5fa38658b0a053c96b020157ea88ea376e1a095dc0801cec6096 |
| SHA512 | 39ea1d4a9795e04675c39482ab9fd254054148213952b95c0d915c4d551f7905191a599cb7fab7989fc1578f23a35bb01ffd3448064eec117c105dd08c3f3db4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b538ec66badd97720457122b3bb3cab |
| SHA1 | 19c0cd22b26b62ec0f0918e8a6e78fe8a84607fd |
| SHA256 | 973e194061dfe34de23d6f891749fac7aa8a5e8b0e39e6f7de9954cf8859e242 |
| SHA512 | 68ef5df36140f818cce8b09685c2efe09b907a178bca85a7257ad88db13275d85503de087ed4689b98afb0f6485481fae7004ee3171265a7f5507e262b2176d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a81c99f3b8d83f49861499a474352c15 |
| SHA1 | b264191e84ce28b65f7acdf4843d53a42bb062f2 |
| SHA256 | 209c04eaa31af1082de9e9f0792ec838438d1bccbd05023500a9991dcacb5647 |
| SHA512 | 570219817185f1496c09e156cfe9a6a7381f8c3d6e9ec0d501e4d80ca0219cb481ad71ef7d3ca62292464461f3ef194b2436ee7218073e52f0dcc9d20de52bf2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9594d0314be0e6f102f1122a1ac36c08 |
| SHA1 | fbf7c3d8d3fcea1ffe5844739179b350c5bb38ee |
| SHA256 | 85c1b0f38c5148e4fb9b9bb0d70f989ba3de2df3b20bd94ca9aeea537065d3ec |
| SHA512 | cd08dd72c465d9757b77c28fc0ac34ecd339b5d50cb229d086a773cfef1676384fc7e8cbb680e1e6e447f05474685bda054a4760d154ad549d31f8dc16b4d062 |
memory/2904-584-0x0000000002BE0000-0x0000000002CA0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 304a63f9f638a0e6839adf85c38bd607 |
| SHA1 | 81dd9aa8f92b8a75792b764a3f70573f55080538 |
| SHA256 | 6d87f84912e1b95ce5206b79960dd1da3dbc317ab5ba949eed8ef90722b7c478 |
| SHA512 | 020cc981977235d200e60c4f1dc925f10390f9e8498961cf3802a9f5b613aae6371a302ac382c1b3e87c6a7d0b32483ce027f19cec23978557b44b7beff15a99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f95a5ee4620435fa24adc9ce66df4ac |
| SHA1 | 2dca658285720e9b82f1a104a813e1c5f658f82e |
| SHA256 | 2ba0d22ab5b29d51ea5dac079fbb3188031144be506405ba46839b4e887cd893 |
| SHA512 | 6e6cc6e01a919062cc8e83431387dd672b9cfc351822ec19463206de7ba41ecd25193e5a4ed809a7f975f25d08cb895d15e392934d343172b37824a39694e2b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a625b62cb998929fed780eea6b045e3 |
| SHA1 | 6ba682988c979b0c2e6eaccc50c2add75297ecce |
| SHA256 | e26c3aa8e91c22c5a6058dee6fcbbdaba1f348ae53bb13e7c717803bcd00d998 |
| SHA512 | bd4842a12f7e6bb0e3f4e7cb16265b8cd349378d3b81a77689fec893173c811f269993644887dc7e00fd2a0e9876db9e9bce80ed4ef6ccc66a8f56d666bcc902 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 74a9cf6f33667c68d5a16077cc5772a1 |
| SHA1 | 07271c678cd42117385fb58677abc0cbc63a2148 |
| SHA256 | e97435eb834dd83275c1b18c3d35a2b981048358a1ba31fc3dd304d73cb43162 |
| SHA512 | 39711cc6367006aa644ab3578ecb681c47dfeb5ed95fcfd3c73bb6025fd36e2be96ff4b5adbdd0972c5d9a71396db216600f14ecb0e18e04a430859e8e2137fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 708e4bf395653b73804805797491da2e |
| SHA1 | e041b8b0880c32f6bd3efb43cc94b65c54b9d7e6 |
| SHA256 | 1a50f51af7f91cceee12c67bbe963d26bec58013c57ef941576d1b16ac319a55 |
| SHA512 | 50b5906d89d952c9f739361a498429b8427fa925dc58b3e072bcde3abcc028107ebbc8021985bfec6a3c188a13afa7e3a64d1956d45edaaad4f50c47ecd93367 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ab4dd0be7d08638de10880a806140e9 |
| SHA1 | 873abe0a18de7545d0c2ac59204a2e71b8e00ffd |
| SHA256 | 87071f4d757179771796fcbbad354a2c3073319f42d992655b62f3c7155151f8 |
| SHA512 | e1ae5c78e436469fddd317d89c7797fce89ad9af84c0191d315f878ad2aa9b7d3ef9b39044e9f9be88c2319a61fe436be592d62b02338531c7b4e82f1115e5ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f9c856564c832761420a76b49f0a6b2 |
| SHA1 | df1e0a44097a3cf1152b6aa3161c2e4e989ae2ea |
| SHA256 | f7e684a703e89b9b31f8574009508b5b3472ccb60afa2b1c9d884405d1d0db9e |
| SHA512 | 31b2e83dde8b5a63b20cac0d6ad0dddf404e66e6fe9476520f2871593a8a4152627b9b7cecbdb8fb53271ec1fb4c3b4592602a3ae82571b2963ef22ce0e957d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 705ef2ad811ce198943af6b2436bd888 |
| SHA1 | 84446ceb6ffe094e0225db0bd207b2f6d8e54262 |
| SHA256 | 7acb2fdd2df19913852f536f02b74b6f615654454647db14cc3bb26430c99173 |
| SHA512 | 6a63beba1eb683862f91ab457eac0ea953c2da9839bda872038ccf1f46bfb62e9a365c3932634c4d8e7d7afe15ac45f8a235d4a0b9b13c9e6bcdd7908f99ce78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6462cebd612428b556e2d394db7f97e5 |
| SHA1 | 5acd81cd333850437a10101ff0d4f890687cf3ce |
| SHA256 | 48ce8154a4f385785d9858b0334c9b9b5ecfdffe566ae9ecf9989664d882957f |
| SHA512 | 4da92cdc7c3bd7d2c4ce75fb99a7ab86901cacac43e801cb09cd9eb8c3751e427ae4c57d51c6d1ed873620ac3bed5c4b574b4d1d4a2b466899faa31542f513e1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 22:07
Reported
2024-07-15 22:09
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} | C:\Windows\svcr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" | C:\Windows\svcr.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe" | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe" | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "%java%" | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Microsoft\Protect\System.exe | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\Protect\System.exe | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft\Protect\ | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4568 set thread context of 3248 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 528 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe |
| PID 3248 set thread context of 2920 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 4832 set thread context of 656 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 656 set thread context of 3672 | N/A | C:\Windows\app.exe | C:\Windows\app.exe |
| PID 1616 set thread context of 1796 | N/A | C:\Windows\svcr.exe | C:\Windows\svcr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\app.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\app.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\app.exe | C:\Windows\app.exe | N/A |
| File opened for modification | C:\Windows\svcr.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File created | C:\Windows\svcr.exe | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\app.exe | C:\Windows\app.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1842512191" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119107" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427846212" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1842512191" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119107" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9968F591-42F6-11EF-BE68-E2A4B68B11BB} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1847512912" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119107" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119107" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1860168067" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
| N/A | N/A | C:\Windows\svcr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\svcr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\WINDOWS\SysWOW64\taskmgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Windows\app.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\app.exe
"C:\Windows\app.exe"
C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3112 CREDAT:17410 /prefetch:2
C:\WINDOWS\SysWOW64\taskmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 480
C:\Windows\svcr.exe
"C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\4b9b50c2507af7a72e71c065ab3f0208_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 476
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\app.exe
"C:\Windows\app.exe"
C:\Windows\app.exe
C:\Windows\app.exe
C:\Windows\svcr.exe
"C:\Windows\svcr.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3112 CREDAT:82948 /prefetch:2
Network
Files