modiloader | fca7ad5c5619d248df1b82d1dc8fdc61682ea89192ce61dff70c6e3621032988

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Size

841KB
MD5

e143087e244e6bced278e4a16f9f1445
SHA1

70c17b71957e185cd09181ac0a317135e7a797db
SHA256

fca7ad5c5619d248df1b82d1dc8fdc61682ea89192ce61dff70c6e3621032988
SHA512

cf47d36d1e673065066f1184c4457b157b3c7c37425e59be0726f250de4b3afac85522ab1f2154b6043d32c985bffa77ac7b1aba2e46acf4e3d0ea3d147b59ef
SSDEEP

24576:Y1ckvnJDH7oH1haz/5qgxuLh62tLqazx5QwLzyUSSykQ59aIkPTr:Y1vvJz8H1hU/5qgQ62Bqad5g0yksxkrr

Score

10^/10

modiloader pony credential_access discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	clhost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kajek.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	miGRu6Gcu2.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/2252-10-0x0000000000400000-0x0000000000419000-memory.dmp	modiloader_stage2
behavioral1/memory/1160-15-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral1/memory/1160-13-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral1/files/0x00030000000178b0-44.dat	modiloader_stage2
behavioral1/memory/1160-51-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral1/memory/2616-72-0x0000000000400000-0x0000000000418000-memory.dmp	modiloader_stage2
behavioral1/files/0x00160000000185f5-73.dat	modiloader_stage2
behavioral1/memory/1700-92-0x0000000000400000-0x0000000000418000-memory.dmp	modiloader_stage2
behavioral1/memory/1160-398-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2724	miGRu6Gcu2.exe
2264	kajek.exe
2616	alhost.exe
1720	alhost.exe
1700	blhost.exe
2284	blhost.exe
1540	clhost.exe
1964	dlhost.exe
1644	clhost.exe
1940	clhost.exe
332	csrss.exe
1648	elhost.exe
2872	9B94.tmp

Loads dropped DLL 17 IoCs

pid	Process
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
2724	miGRu6Gcu2.exe
2724	miGRu6Gcu2.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
1540	clhost.exe
1540	clhost.exe
2872	9B94.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1160-15-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1160-13-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1160-12-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1160-6-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1160-4-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1160-2-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1160-51-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/2284-90-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2284-97-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2284-96-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2284-95-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2284-86-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2284-84-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1540-118-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1644-159-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1160-398-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /A"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /l"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /j"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /M"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /G"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /D"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /J"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /X"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /R"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /z"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /P"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /b"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /Y"	kajek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9F7.exe = "C:\\Program Files (x86)\\LP\\24FD\\9F7.exe"	clhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /f"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /H"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /e"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /m"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /w"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /I"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /T"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /x"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /Q"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /p"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /g"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /u"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /W"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /a"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /r"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /Z"	miGRu6Gcu2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /F"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /d"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /V"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /t"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /q"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /k"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /N"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /K"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /U"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /s"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /o"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /L"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /Z"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /v"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /E"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /h"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /S"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /i"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /C"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /c"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /n"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /B"	kajek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kajek = "C:\\Users\\Admin\\kajek.exe /y"	kajek.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	alhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	alhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	blhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	blhost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2748	tasklist.exe
2868	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2616 set thread context of 1720	2616	alhost.exe	37
PID 1700 set thread context of 2284	1700	blhost.exe	39
PID 1964 set thread context of 1652	1964	dlhost.exe	49

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\24FD\9F7.exe	clhost.exe
File opened for modification	C:\Program Files (x86)\LP\24FD\9F7.exe	clhost.exe
File opened for modification	C:\Program Files (x86)\LP\24FD\9B94.tmp	clhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miGRu6Gcu2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kajek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9B94.tmp

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	miGRu6Gcu2.exe
2724	miGRu6Gcu2.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
1720	alhost.exe
1720	alhost.exe
2264	kajek.exe
1720	alhost.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
1720	alhost.exe
1720	alhost.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2284	blhost.exe
1720	alhost.exe
1720	alhost.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
1540	clhost.exe
1540	clhost.exe
1540	clhost.exe
1540	clhost.exe
1540	clhost.exe
1540	clhost.exe
2264	kajek.exe
2264	kajek.exe
1720	alhost.exe
1720	alhost.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
2264	kajek.exe
1720	alhost.exe
1720	alhost.exe
2264	kajek.exe
2264	kajek.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	explorer.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeRestorePrivilege	2132	msiexec.exe
Token: SeTakeOwnershipPrivilege	2132	msiexec.exe
Token: SeSecurityPrivilege	2132	msiexec.exe
Token: SeDebugPrivilege	1964	dlhost.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: 33	1324	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1324	AUDIODG.EXE
Token: 33	1324	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1324	AUDIODG.EXE
Token: SeDebugPrivilege	1964	dlhost.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeDebugPrivilege	2868	tasklist.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
2724	miGRu6Gcu2.exe
2264	kajek.exe
1648	elhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 2252 wrote to memory of 1160	2252	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	29
PID 1160 wrote to memory of 2724	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	30
PID 1160 wrote to memory of 2724	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	30
PID 1160 wrote to memory of 2724	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	30
PID 1160 wrote to memory of 2724	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2264	2724	miGRu6Gcu2.exe	31
PID 2724 wrote to memory of 2264	2724	miGRu6Gcu2.exe	31
PID 2724 wrote to memory of 2264	2724	miGRu6Gcu2.exe	31
PID 2724 wrote to memory of 2264	2724	miGRu6Gcu2.exe	31
PID 2724 wrote to memory of 2596	2724	miGRu6Gcu2.exe	32
PID 2724 wrote to memory of 2596	2724	miGRu6Gcu2.exe	32
PID 2724 wrote to memory of 2596	2724	miGRu6Gcu2.exe	32
PID 2724 wrote to memory of 2596	2724	miGRu6Gcu2.exe	32
PID 1160 wrote to memory of 2616	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	35
PID 1160 wrote to memory of 2616	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	35
PID 1160 wrote to memory of 2616	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	35
PID 1160 wrote to memory of 2616	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2748	2596	cmd.exe	34
PID 2596 wrote to memory of 2748	2596	cmd.exe	34
PID 2596 wrote to memory of 2748	2596	cmd.exe	34
PID 2596 wrote to memory of 2748	2596	cmd.exe	34
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 2616 wrote to memory of 1720	2616	alhost.exe	37
PID 1160 wrote to memory of 1700	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	38
PID 1160 wrote to memory of 1700	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	38
PID 1160 wrote to memory of 1700	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	38
PID 1160 wrote to memory of 1700	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	38
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1700 wrote to memory of 2284	1700	blhost.exe	39
PID 1160 wrote to memory of 1540	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	40
PID 1160 wrote to memory of 1540	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	40
PID 1160 wrote to memory of 1540	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	40
PID 1160 wrote to memory of 1540	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	40
PID 1160 wrote to memory of 1964	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	41
PID 1160 wrote to memory of 1964	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	41
PID 1160 wrote to memory of 1964	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	41
PID 1160 wrote to memory of 1964	1160	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	41
PID 1540 wrote to memory of 1644	1540	clhost.exe	43
PID 1540 wrote to memory of 1644	1540	clhost.exe	43
PID 1540 wrote to memory of 1644	1540	clhost.exe	43
PID 1540 wrote to memory of 1644	1540	clhost.exe	43
PID 1540 wrote to memory of 1940	1540	clhost.exe	45
PID 1540 wrote to memory of 1940	1540	clhost.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	clhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	clhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
  e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\miGRu6Gcu2.exe
    C:\Users\Admin\miGRu6Gcu2.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\kajek.exe
      "C:\Users\Admin\kajek.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del miGRu6Gcu2.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
- - C:\Users\Admin\alhost.exe
    C:\Users\Admin\alhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\alhost.exe
      alhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:1720
- - C:\Users\Admin\blhost.exe
    C:\Users\Admin\blhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\blhost.exe
      blhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:2284
- - C:\Users\Admin\clhost.exe
    C:\Users\Admin\clhost.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1540
  - - C:\Users\Admin\clhost.exe
      C:\Users\Admin\clhost.exe startC:\Users\Admin\AppData\Roaming\DBFBB\93024.exe%C:\Users\Admin\AppData\Roaming\DBFBB
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1644
  - - C:\Users\Admin\clhost.exe
      C:\Users\Admin\clhost.exe startC:\Program Files (x86)\BB655\lvvm.exe%C:\Program Files (x86)\BB655
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1940
  - - C:\Program Files (x86)\LP\24FD\9B94.tmp
      "C:\Program Files (x86)\LP\24FD\9B94.tmp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Users\Admin\dlhost.exe
    C:\Users\Admin\dlhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
- - C:\Users\Admin\elhost.exe
    C:\Users\Admin\elhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2240
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DBFBB\B655.BFB

Filesize
300B

MD5
992085599b6f2e8fdd1c595bbdfb9e76

SHA1
f8a68c08c204addcfd674b69781888b3f2fecf6b

SHA256
a10ab7e20b8cb90e4f4b356596cc1d35a2277717ee6e370d264710b6185564f8

SHA512
26b906694c5291087ce1aa1d7383f6c87b02c6aff13f31246af5a694a65e88a59b3116e516db41be8d85532d5c5a4093ba3a07c60ceb92a7545f4a1869d7c99f

Download Submit
C:\Users\Admin\AppData\Roaming\DBFBB\B655.BFB

Filesize
600B

MD5
84e44940961fb664eaae76599d6b9fe5

SHA1
11ecfa6879c0b317803894e32dfbef6722d242be

SHA256
1aae3a6a39174006c476e8743cdc7ab1cf6d4f14fe4e43fe5f07e40af4532b72

SHA512
469168afe750226d0c99ac6f1ac7b71368ce4c2cf892c35bdd64df07c0a25970abe5b221ac355d845f573312064c28d1b409792cec044935100ea86f0cc1266c

Download Submit
C:\Users\Admin\AppData\Roaming\DBFBB\B655.BFB

Filesize
996B

MD5
e501d6c27ac0e6049f13ec9a21195196

SHA1
1353d83b369cd0074b115e6197dff6fb0311ccef

SHA256
4f75f7642a6e927f1e48f0ec1a1d11cf10d0a32732ea76817a6f335c93f180f9

SHA512
151ca00bc7f80ab4a7c142b504379c853754e23194bcbaac4b1d385c5786ac353af0a40fc1ca6038206ed752d7ad6867d963892e64349b8dcdb7c543b817fdb9

Download Submit
C:\Users\Admin\AppData\Roaming\DBFBB\B655.BFB

Filesize
1KB

MD5
12efb599d1936b8ab59e7ebbf6364607

SHA1
e211c93aad0bee50e85159a2b1053bb4dd0e6e5c

SHA256
7e9b442f1593d5d530c54da653183ed8b927c0f47ffb3b44fe6d200fc0a48d7c

SHA512
c444f6dc523e6af36c0cad9151f996493768a33af292166d617afbdf10525985e5d38a73324c4decdc49828e8e063e81dce1e72004adbefd394f79b0f44f8110

Download Submit
C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
0013230658af51d60ff4984d15218414

SHA1
ff367e5e7b513c07f600855be6222b596674c7b0

SHA256
503dafc38a8b5a36550322c3e05d806ab4cff989a689f2ab9415d6c089818488

SHA512
17a0c9a2db5071be187cc1beef3d03ea0013230b2b2b4e80d96c4ae15b57220ee24dbaf5530f79a9676ccdaf55db8d51aeedf7fba91bfbbcba794b7c707114ba

Download Submit
\Program Files (x86)\LP\24FD\9B94.tmp

Filesize
99KB

MD5
0f322aa9f0ab8f4d2ac9dc7c1f67789b

SHA1
bd0abad1aa3edd06bd176282c9ec3fa528ccf5f8

SHA256
b788fc4b83fc9e83f3dd7a14e25c251434f5a3389750e380ea32a93662525863

SHA512
736af7f378d4f05576010d4cd732ea02dd7e31999cd8e4ad7037686623a0a7a7a45e0376024327943e8a5ba9d090a1f4b2a6e7bc4366b05631abf371070cc6c9

Download Submit
\Users\Admin\alhost.exe

Filesize
236KB

MD5
ccee7bbbd52e9e3d551451e54f85489a

SHA1
7f72be25a00d4e667f17fa106bf024fac3eb9886

SHA256
24d5bac9c9a2d7e77dc8f79ad7fe3333283028dbec964effd9020dd6473e3290

SHA512
3e2fd0abfc61741698570a600aa4f845503410bc9bef9906dced2df27e5f38c7bb06eefb653a0e199eec88044725e2c0f0238253c73979fcceecb992e3b73af4

Download Submit
\Users\Admin\blhost.exe

Filesize
126KB

MD5
f9482a349a998f5c9cb842705e67fea7

SHA1
196794ddf71cab834c7029dbf1c27009b06754b2

SHA256
9e5b1531710c57fad4e07c5888db6823e6634384a5ebe9d7f40b54cb9a163b44

SHA512
71ced1fbd460b833d1f422a80d5a27a893e18f7a6286cb61b1283a2c843f8fc77a68b30cba33fe988063f5db3893cb7fd8f677e023960b1999386c18389c9536

Download Submit
\Users\Admin\clhost.exe

Filesize
283KB

MD5
78b038f42b4e2490672f9a35a42674b5

SHA1
ca8972f311b9dab6aa917b65cfb9726447fb44f8

SHA256
99125e2bff877025e5687aa5928061cc7da65a944afcd81a66f556bf5d48730d

SHA512
13826dd7b9b1de6b08189c814487fcf6dd369059be8f70d5ba7ef6e9339a56be6f04a424e11238cc49a932e7d2988630c102109a861cb4adb5382f9e883ae515

Download Submit
\Users\Admin\dlhost.exe

Filesize
244KB

MD5
682907092bb50419e5b28cf99466e124

SHA1
622962a69e71cf4192f860be74249be205e9ce13

SHA256
9e08b47ad6498e8f7173eb8a9e2ce2c4aaa36d0c69cfb3365ba76938d037f98e

SHA512
cced9e3ec516c2e07182ecf012749b9b123bd70d6204d5f82afa4c0a8a8f110da8690c816e7c8d97f9a283e8e4961fbe0afa60badd4b57d21a8decfa1b527799

Download Submit
\Users\Admin\elhost.exe

Filesize
32KB

MD5
00a9df0a178efb6f4f44aa392186c492

SHA1
d3c3039ca41481525815bca5301d9d00f5725667

SHA256
c505d1c76b1e886de65c6b7b171a9d56870a320532c7561f7f8b162920602b18

SHA512
ae0cbce9119ec561a8084610a42f30f60ed29d6bde908dedb7394dbcd8cd24456c85a543b72aa797705130ccce851a348a5171baf1c8a2499ad599b345283a3f

Download Submit
\Users\Admin\kajek.exe

Filesize
192KB

MD5
deeffbdcdc44dbab312004f79b6e6be8

SHA1
8470ec1b600803bbe98e9194f2daf36de1fa13ac

SHA256
57f510fa7396e0f3f3c1a0b6603a714c7d31d5c65baca3f9d09937ec34e90fe9

SHA512
3fe33f9d81c22d48b8425fb2c94029f3f530337f2a60ebab8279c427b5c67b46f1e138a735032f65ae0c6ff1c6a824f29a2bd7aa2aeac2c076aab6942e2b8e9c

Download Submit
\Users\Admin\miGRu6Gcu2.exe

Filesize
192KB

MD5
869d4fbc9194f74e9815f487d245fcff

SHA1
66ac3d8d447558f6389e3a8e203c1b60634af873

SHA256
b7bc5a05d5190e33bcf35bc06107881990caf3fd99643c50eb855ca8505d7113

SHA512
57700b710c9c42ed07f1959c7a17d592a5bfafadb340eaec33d769a788cb5b84de7d84b4ff5b865df9fedd966d7dc8b5a2534811e1de52f488a31a5548d4d6ce

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
758f90d425814ea5a1d2694e44e7e295

SHA1
64d61731255ef2c3060868f92f6b81b4c9b5fe29

SHA256
896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433

SHA512
11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

Download Submit
memory/1160-6-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-4-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-15-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-13-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-2-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-398-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-51-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-12-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1160-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1160-0-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1540-118-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1644-159-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1700-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1720-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-68-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-105-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1720-61-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-160-0x00000000003B0000-0x00000000003ED000-memory.dmp

Filesize
244KB

Download
memory/1964-166-0x00000000003B0000-0x00000000003ED000-memory.dmp

Filesize
244KB

Download
memory/1964-167-0x00000000003B0000-0x00000000003ED000-memory.dmp

Filesize
244KB

Download
memory/1964-163-0x00000000003B0000-0x00000000003ED000-memory.dmp

Filesize
244KB

Download
memory/2252-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2284-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2284-84-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2284-86-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2284-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2284-96-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2284-97-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2284-90-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2616-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download