Analysis
max time kernel: 30s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2024 20:38
Static task: static1
Behavioral task: behavioral1
Sample: 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Size: 824KB
MD5: 5d91acb715da8501370af725e44d7aa3
SHA1: 118d2f7c992f0e5ec16b07fd18c410a9517a60e5
SHA256: 03e1ef8b9811f1ef7b3561f527f2ab4fd7570b06d91ed7507898c98a9ca4c8f6
SHA512: ab56c511b5cb46b0f7e4daec6cec0c62d7c2b96fcde35d14c900aa0c5c81d4da6e506ddbeb7a78a21c69591ebf7dc23198f870bc00c0777ca913f17266b91059
SSDEEP: 24576:PUFa7K4Jy/fVtktVGPrfO/WxvaXUTcLHFpSYiVtktVGPrfO/WT1:8qMlSyfO/WxyXukHFISyfO/WT
Malware Config
Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

UAC bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WINWORD.EXE
Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WINWORD.EXE
Disables RegEdit via registry modification 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | WINWORD.EXE

Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | process
788 | netsh.exe
3612 | netsh.exe
2444 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Deletes itself 1 IoCs
pid | process
1404 | WINWORD.EXE
Drops startup file 4 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | WINWORD.EXE
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | services.exe
Executes dropped EXE 7 IoCs
pid | process
1404 | WINWORD.EXE
4968 | WINWORD.EXE
4228 | services.exe
1168 | WINWORD.EXE
4320 | services.exe
5056 | smss.exe
2732 | services.exe
UPX packed file
resource | yara_rule
behavioral2/memory/3780-2-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/3780-5-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/3780-9-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/3780-35-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/3780-36-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/1404-161-0x0000000003F20000-0x0000000004F53000-memory.dmp | upx
behavioral2/memory/1404-164-0x0000000003F20000-0x0000000004F53000-memory.dmp | upx
behavioral2/memory/1404-165-0x0000000003F20000-0x0000000004F53000-memory.dmp | upx
behavioral2/memory/1404-212-0x0000000003F20000-0x0000000004F53000-memory.dmp | upx
Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | WINWORD.EXE
Checks whether UAC is enabled
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WINWORD.EXE
Drops file in Program Files directory 39 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll | services.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe | services.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc | services.exe
Drops file in Windows directory 1 IoCs
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry key 1 TTPs 2 IoCs

Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs
pid | process
2228 | ping.exe
1120 | ping.exe
2236 | ping.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | process
2800 | WINWORD.EXE
2800 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
1404 | WINWORD.EXE
1404 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | process
Token: SeDebugPrivilege | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
(the same row is repeated 64 times in the report)
Suspicious use of SetWindowsHookEx 11 IoCs
pid | process
3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
1404 | WINWORD.EXE
2800 | WINWORD.EXE
4968 | WINWORD.EXE
2800 | WINWORD.EXE
4228 | services.exe
2800 | WINWORD.EXE
2800 | WINWORD.EXE
1168 | WINWORD.EXE
4320 | services.exe
2732 | services.exe
Suspicious use of WriteProcessMemory 64 IoCs
(identical rows are collapsed; the count column gives how many times each appears, 64 in total)
description | pid | process | target process | count
PID 3780 wrote to memory of 768 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | fontdrvhost.exe | 2
PID 3780 wrote to memory of 776 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | fontdrvhost.exe | 2
PID 3780 wrote to memory of 64 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | dwm.exe | 2
PID 3780 wrote to memory of 2540 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | sihost.exe | 2
PID 3780 wrote to memory of 2568 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | svchost.exe | 2
PID 3780 wrote to memory of 2680 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | taskhostw.exe | 2
PID 3780 wrote to memory of 3512 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | Explorer.EXE | 2
PID 3780 wrote to memory of 3652 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | svchost.exe | 2
PID 3780 wrote to memory of 3816 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | DllHost.exe | 2
PID 3780 wrote to memory of 3956 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | StartMenuExperienceHost.exe | 2
PID 3780 wrote to memory of 4052 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | RuntimeBroker.exe | 2
PID 3780 wrote to memory of 680 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | SearchApp.exe | 2
PID 3780 wrote to memory of 3888 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | RuntimeBroker.exe | 2
PID 3780 wrote to memory of 5112 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | RuntimeBroker.exe | 2
PID 3780 wrote to memory of 2032 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | TextInputHost.exe | 2
PID 3780 wrote to memory of 1924 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | backgroundTaskHost.exe | 2
PID 3780 wrote to memory of 788 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | netsh.exe | 3
PID 3780 wrote to memory of 2800 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | WINWORD.EXE | 2
PID 3780 wrote to memory of 2688 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | net.exe | 3
PID 3780 wrote to memory of 2412 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | net.exe | 3
PID 3780 wrote to memory of 876 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | net.exe | 3
PID 3780 wrote to memory of 3612 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | netsh.exe | 3
PID 3780 wrote to memory of 1404 | 3780 | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe | WINWORD.EXE | 3
PID 2688 wrote to memory of 524 | 2688 | net.exe | net1.exe | 3
PID 2412 wrote to memory of 3124 | 2412 | net.exe | net1.exe | 3
PID 876 wrote to memory of 4176 | 876 | net.exe | net1.exe | 3
PID 1404 wrote to memory of 4968 | 1404 | WINWORD.EXE | WINWORD.EXE | 3
System policy modification 1 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WINWORD.EXE
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:768
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:64
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2568
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2680
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5d91acb715da8501370af725e44d7aa3_JaffaCakes118.exe"2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3780 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
PID:788 -
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Windows\SysWOW64\net.exenet stop "Windows Firewall/Internet Connection Sharing (ICS)"3⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵PID:524
-
C:\Windows\SysWOW64\net.exenet stop "Automatic Updates"3⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Automatic Updates"4⤵PID:3124
-
C:\Windows\SysWOW64\net.exenet stop "Security Center"3⤵
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"4⤵PID:4176
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
PID:3612 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4044
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"3⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1404
- C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE (tree depth 4)
  Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4968
- C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe (tree depth 4)
  Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID: 4228
- C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE (tree depth 5)
  Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 1168
- C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe (tree depth 5)
  Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4320
- C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe (tree depth 5)
  Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"
  - Executes dropped EXE
  PID: 5056
- C:\Windows\SysWOW64\ping.exe (tree depth 5)
  Command line: ping www.putera.com -t -l 3000
  - Runs ping.exe
  PID: 2236
- C:\Windows\System32\Conhost.exe (tree depth 6)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 4548
- C:\Windows\SysWOW64\ping.exe (tree depth 5)
  Command line: ping www.tourism.gov.my -t -l 3000
  - Runs ping.exe
  PID: 2228
- C:\Windows\System32\Conhost.exe (tree depth 6)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 5104
- C:\Windows\SysWOW64\ping.exe (tree depth 5)
  Command line: ping www.miti.gov.my -t -l 3000
  - Runs ping.exe
  PID: 1120
- C:\Windows\System32\Conhost.exe (tree depth 6)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 220
- C:\Windows\SysWOW64\REG.exe (tree depth 5)
  Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  - Modifies registry key
  PID: 336
- C:\Windows\SysWOW64\netsh.exe (tree depth 4)
  Command line: netsh firewall set opmode disable
  - Modifies Windows Firewall
  PID: 2444
- C:\Windows\SysWOW64\NOTEPAD.EXE (tree depth 4)
  Command line: "C:\Windows\system32\NOTEPAD.EXE"
  PID: 4060
- C:\Windows\SysWOW64\REG.exe (tree depth 4)
  Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  - Modifies registry key
  PID: 3688
- C:\Windows\SysWOW64\NOTEPAD.EXE (tree depth 4)
  Command line: "C:\Windows\system32\NOTEPAD.EXE"
  PID: 1312
- C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe (tree depth 3)
  Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2732
- C:\Windows\system32\svchost.exe (tree depth 1)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3652
- C:\Windows\system32\DllHost.exe (tree depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3816
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (tree depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3956
- C:\Windows\System32\RuntimeBroker.exe (tree depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4052
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (tree depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 680
- C:\Windows\System32\RuntimeBroker.exe (tree depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3888
- C:\Windows\System32\RuntimeBroker.exe (tree depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5112
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (tree depth 1)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2032
- C:\Windows\system32\backgroundTaskHost.exe (tree depth 1)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1924
- C:\Windows\System32\RuntimeBroker.exe (tree depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4068
- C:\Windows\System32\RuntimeBroker.exe (tree depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1816
- C:\Windows\system32\DllHost.exe (tree depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 520
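The command lines in the tree above (a Windows system-process name launched from an Office sub-folder, an image name beginning with a space, REG deleting the SafeBoot control key, netsh switching the firewall off, and ping run with -t and -l against external hosts) can each be turned into a process-creation detection. The following is an added example and is not code from the sandbox or from the report; the event field names (pid, image, cmdline) are an assumption, not any EDR's schema, and the sample events are constructed from the entries listed above.

```python
"""Process-creation detection logic for the behaviours in the process tree.
Added example, not part of the sandbox report. Event field names are an
assumption; SAMPLE_EVENTS is constructed from the report's own entries."""
import ntpath
import re

# Binaries that only ever run from System32/SysWOW64 on a healthy host.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
    "lsass.exe", "svchost.exe", "winlogon.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAFEBOOT_RE = re.compile(
    r"\breg(?:\.exe)?\s+delete\s+hklm\\system\\"
    r"(?:currentcontrolset|controlset\d{3})\\control\\safeboot\b",
    re.IGNORECASE,
)
FIREWALL_OFF_RE = re.compile(
    r"\bnetsh\b.*\bfirewall\b.*\bset\s+opmode\b.*\bdisable\b", re.IGNORECASE
)


def analyse_event(event):
    """Return a list of (rule, detail) hits for one process-creation event."""
    hits = []
    image, cmd = event["image"], event["cmdline"]
    name = ntpath.basename(image)
    directory = ntpath.dirname(image).lower().rstrip("\\")
    lname = name.lower()

    # 1. Masquerading: a system-process name outside System32/SysWOW64.
    if lname.strip() in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS:
        hits.append(("system_process_name_outside_system32", image))

    # 2. A file name starting with whitespace (" WINWORD.EXE") is not a
    #    legitimate Office binary; it is chosen to look like one in listings.
    if name != name.lstrip():
        hits.append(("leading_whitespace_in_image_name", image))

    # 3. Deleting the SafeBoot control set breaks booting into Safe Mode,
    #    which is how an operator would normally clean this up.
    if SAFEBOOT_RE.search(cmd):
        hits.append(("safeboot_key_deleted", cmd))

    # 4. Host firewall switched off with the legacy netsh syntax.
    if FIREWALL_OFF_RE.search(cmd):
        hits.append(("windows_firewall_disabled", cmd))

    # 5. Ping flood: -t (until stopped) combined with -l (payload size).
    if lname == "ping.exe":
        tokens = cmd.split()
        if "-t" in tokens and "-l" in tokens:
            target = next((t for t in tokens[1:]
                           if not t.startswith("-") and not t.isdigit()), "?")
            hits.append(("indefinite_ping_with_payload", target))
    return hits


def scan(events):
    """Run every rule over a list of events; returns [(pid, rule, detail), ...]."""
    return [(ev["pid"], rule, detail)
            for ev in events for rule, detail in analyse_event(ev)]


# Constructed from the entries in the process tree above (PIDs as reported).
SAMPLE_EVENTS = [
    {"pid": 4968, "image": r"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"'},
    {"pid": 4228, "image": r"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"'},
    {"pid": 5056, "image": r"C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"'},
    {"pid": 2236, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping www.putera.com -t -l 3000"},
    {"pid": 336, "image": r"C:\Windows\SysWOW64\REG.exe",
     "cmdline": r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"},
    {"pid": 2444, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh firewall set opmode disable"},
    # Two benign entries from the same tree, which must not fire.
    {"pid": 3652, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"},
    {"pid": 4052, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {rule:<40} {detail}")
```

The two registry and firewall rules are exact-command matches and will miss equivalent PowerShell or API-level changes; the masquerading rule is the durable one, because the dropped copies keep their system-process names wherever they are written.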
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll
  Filesize: 808B
  MD5: f9144a29af9775feb89b66bc8679dff7
  SHA1: 86a1246436e2f6c26a7de1a36f7a94cfd6e8202b
  SHA256: 37dd8b6797dc589dbaebb4c6db3b4f343389caf3c68a298b56a8f4faae1d0284
  SHA512: 0c13f645591e85bb8ce4e43bde458e0c2ea771382d1738a495c20d21580a22d6b194a7e1c543c3fa395e2e2c9fc27710cccc1af5742037733b8398ee8dcdd74a
- C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc
  Filesize: 8KB
  MD5: cf07b3218b7a13466a3ab1abd929dc04
  SHA1: 0357e87e477c6c91af0dae6c7528089112bc4adb
  SHA256: 0f19bef5cf2a0d134e2a8845caf5f8a57925c57c5bcc70b671fdf2dd71f52990
  SHA512: 42e79e6bc3a1b183219fd327531402dd16dab72f1b6a4dd5475ffd5c556ee7a5564962a10880551d9bc27f989fd90beae3756349512e383eae9b3bd5b0bd1cbd
- C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini
  Filesize: 176B
  MD5: fc0e51b62b341213d142b5061fe88606
  SHA1: a36c06ee541061a30ae14702c6d422366f1efda3
  SHA256: ef820d65689bda87756d2b775f286d992717289bb2e9bb2843903e05a87df3ef
  SHA512: 5f44293217227a29f8031837ff87d7777cb425fb7b3684e925b349c54084d1a52bc1be6b19678c7dd20ed885c34dcafd063676549cdaaa93f1685d7ae8e9a70f
- C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll
  Filesize: 18KB
  MD5: ed6b628f8fcc9e5b4634047546b78091
  SHA1: 51d55b389381a84205ce07526b606f353e64a8dc
  SHA256: 8aaa8cc5cee89de645ddc34bbaa4fe00274c4802ebda7120d1904fec1137fa33
  SHA512: ac97820615e26bd51cbc989fcbf3a028f2e5b12658449b4b6692f3cd82b2df08967118ee05aa7fd5063e439d1a0afbb611aa19f11a28d830612512a5438f63c7
- C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll
  Filesize: 267KB
  MD5: 3814086d561a22ed9005ba4f35c5987c
  SHA1: 30f3059629c123223208659be7ab45c234aa9434
  SHA256: 5d918c11a0efcfaaea5981aa4b25520584e33d09e4e940c65078ca0581673387
  SHA512: 55197cc81b499b35e14aa80f84a44449335fc85f3b2d757dcea2b1b172ceb7cb0ed4805dd1503d2fb1c3e680f4df0a9487e70b0fa270d4c5cb88e3a00370c9cd
- C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini
  Filesize: 20KB
  MD5: d982ae777e8e44019b24bc272d84d582
  SHA1: a490d6472e8ee57fe7f6046a911dfdf6a5e4ed95
  SHA256: b9681ebd6aaa8276d307c2e5243eecfea97e045b9ffd432ad75974fb818cac82
  SHA512: 25321a7325e330d37323e05a9a045fcd515cacd9555ba413eab1709cd59db92fbcfbb424ed150199720a338e0017331f4e1fbfcaf5763b64280d9ea29bcf06b2
- C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll
  Filesize: 2KB
  MD5: b023650f83ebe604181f657c0d8a4be1
  SHA1: 28b808d1fb4e9a6022c8a7de29248fcdb583eea9
  SHA256: 1b12ded49161bc6bf18bf521fe233be4f41a4107d0c76fa2fa66a8023828fa36
  SHA512: 8c4b703a19ab8be5c1c7fdafa1380e4c83f99370afae6dd938ef78066458665668ef4076740d151b6ad53eedc94b5934f486090058ead456d474e96fb7efeeff
- C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe
  Filesize: 563KB
  MD5: 81cfac8335822ba4bea1e50c46adf967
  SHA1: ea360da28b5aff7112b6f42404dc2ee2610e640c
  SHA256: 1829bf1ccae25c61dca8eb1b4fea10c47276157cc619efb6ab8a8804592770a7
  SHA512: 24dee2758eda2facb07c814737e4f20ea718a4ef42294dfc97a61c1af7b271df5ef0a0d414199ee89c8c496a1063d217173e32bcf4f305c3b41dca1ccf30c738
- C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll
  Filesize: 2KB
  MD5: 05e9217895f13d8b004c83d8223957cc
  SHA1: 5655ea6576dceaff14b7b27f4b347e85f322f9b1
  SHA256: 0b767361d3dfbaa8ab7748eb0aecb104f394b4473b228e269addaebe95e2a4d6
  SHA512: 8188c722a25d45a857712be7673a1b9bf43d1f4e64d891004d6b71ba6a20894f0fb833e877230b5cfc833b4d05a0d1a44c930aee6c9fcd3c712e149496482bf8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com
  Filesize: 824KB
  MD5: 5d91acb715da8501370af725e44d7aa3
  SHA1: 118d2f7c992f0e5ec16b07fd18c410a9517a60e5
  SHA256: 03e1ef8b9811f1ef7b3561f527f2ab4fd7570b06d91ed7507898c98a9ca4c8f6
  SHA512: ab56c511b5cb46b0f7e4daec6cec0c62d7c2b96fcde35d14c900aa0c5c81d4da6e506ddbeb7a78a21c69591ebf7dc23198f870bc00c0777ca913f17266b91059
- C:\Windows\SYSTEM.INI
  Filesize: 258B
  MD5: e8d131d743f705ac76d2015b0d574479
  SHA1: 75488ce3ed2ebc5af5eb84871f0ae8f9eb6bdb7b
  SHA256: bde725e617212c10c3da4c4483530a01aa60e4c564b4cec203df069dd6ffcdb7
  SHA512: 587df4f33351cb67ad5b8412527a16085c506ff3a9ff7449419749a8f734c948635ae93fc27656715c33ea96f862a852f5436fc6c6063ca8fac7a84499233f14
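The dropped-file list above is the host-side IOC set: an Office sub-folder holding smss.exe and services.exe, a .com file planted in the user's Startup folder, and an overwritten SYSTEM.INI. The sweep below, an added example and not part of the report, checks each path and compares its SHA-256 with the value listed; a file that is present but hashes differently is still reported for the paths that should not exist at all, while SYSTEM.INI (present on any clean install) only counts when the hash matches. The `root` argument, the status names and the Admin user name in the Startup path are assumptions of this example; on a real host the Startup folder of every profile needs checking.

```python
"""Host sweep for the dropped-file IOCs listed above. Added example, not part
of the sandbox report. `root` may be the live system drive or a mounted image;
the status names and the Admin profile path are assumptions of this example."""
import hashlib
import os
import tempfile

# Path relative to the system drive -> SHA-256, copied from the list above.
DROPPED_FILES = {
    r"Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll":
        "37dd8b6797dc589dbaebb4c6db3b4f343389caf3c68a298b56a8f4faae1d0284",
    r"Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc":
        "0f19bef5cf2a0d134e2a8845caf5f8a57925c57c5bcc70b671fdf2dd71f52990",
    r"Program Files (x86)\Microsoft Office\OFFICE11\control.ini":
        "ef820d65689bda87756d2b775f286d992717289bb2e9bb2843903e05a87df3ef",
    r"Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll":
        "8aaa8cc5cee89de645ddc34bbaa4fe00274c4802ebda7120d1904fec1137fa33",
    r"Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll":
        "5d918c11a0efcfaaea5981aa4b25520584e33d09e4e940c65078ca0581673387",
    r"Program Files (x86)\Microsoft Office\OFFICE11\remote.ini":
        "b9681ebd6aaa8276d307c2e5243eecfea97e045b9ffd432ad75974fb818cac82",
    r"Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll":
        "1b12ded49161bc6bf18bf521fe233be4f41a4107d0c76fa2fa66a8023828fa36",
    r"Program Files (x86)\Microsoft Office\OFFICE11\smss.exe":
        "1829bf1ccae25c61dca8eb1b4fea10c47276157cc619efb6ab8a8804592770a7",
    r"Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll":
        "0b767361d3dfbaa8ab7748eb0aecb104f394b4473b228e269addaebe95e2a4d6",
    r"Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com":
        "03e1ef8b9811f1ef7b3561f527f2ab4fd7570b06d91ed7507898c98a9ca4c8f6",
    r"Windows\SYSTEM.INI":
        "bde725e617212c10c3da4c4483530a01aa60e4c564b4cec203df069dd6ffcdb7",
}
# Present on a clean install too, so a hash mismatch there proves nothing by itself.
EXPECTED_ON_CLEAN_HOST = {r"Windows\SYSTEM.INI"}


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def to_local(root, rel):
    """Join a Windows-style relative path onto `root` with the host separator,
    so the sweep also runs over an image mounted on a Linux analysis box."""
    return os.path.join(root, *rel.split("\\"))


def sweep(root, iocs=DROPPED_FILES):
    """Return {relative_path: status} for every IOC path."""
    results = {}
    for rel, expected in iocs.items():
        full = to_local(root, rel)
        if not os.path.isfile(full):
            results[rel] = "absent"
        elif sha256_of(full) == expected:
            results[rel] = "match"
        elif rel in EXPECTED_ON_CLEAN_HOST:
            results[rel] = "present_unverified"
        else:
            results[rel] = "present_hash_mismatch"
    return results


def hits(results):
    """Paths that indicate infection: an exact hash match anywhere, or any
    file at all at a path that has no business existing."""
    return sorted(rel for rel, status in results.items()
                  if status in ("match", "present_hash_mismatch"))


def plant(root, rel, data):
    """Fixture helper: create `rel` under `root` with `data`; returns the path."""
    full = to_local(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full


def demo():
    """Constructed demonstration tree: one IOC path planted with placeholder
    content (so its hash cannot match) plus a plausible clean SYSTEM.INI."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    plant(root, r"Program Files (x86)\Microsoft Office\OFFICE11\smss.exe",
          b"placeholder bytes, not the dropped binary")
    plant(root, r"Windows\SYSTEM.INI", b"; for 16-bit app support\r\n[drivers]\r\n")
    return root, sweep(root)


if __name__ == "__main__":
    root, results = demo()
    for rel, status in sorted(results.items()):
        print(f"{status:<22} {rel}")
    print("hits:", hits(results))
```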
- memory/1120-186-0x0000000000C70000-0x0000000000C72000-memory.dmp (Filesize 8KB)
- memory/1120-260-0x0000000000C70000-0x0000000000C72000-memory.dmp (Filesize 8KB)
- memory/1120-187-0x0000000000D00000-0x0000000000D01000-memory.dmp (Filesize 4KB)
- memory/1168-125-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/1168-117-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/1168-119-0x00000000006A0000-0x00000000006A2000-memory.dmp (Filesize 8KB)
- memory/1404-100-0x0000000002CE0000-0x0000000002CE2000-memory.dmp (Filesize 8KB)
- memory/1404-165-0x0000000003F20000-0x0000000004F53000-memory.dmp (Filesize 16.2MB)
- memory/1404-128-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/1404-161-0x0000000003F20000-0x0000000004F53000-memory.dmp (Filesize 16.2MB)
- memory/1404-162-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/1404-164-0x0000000003F20000-0x0000000004F53000-memory.dmp (Filesize 16.2MB)
- memory/1404-97-0x0000000003C70000-0x0000000003C71000-memory.dmp (Filesize 4KB)
- memory/1404-212-0x0000000003F20000-0x0000000004F53000-memory.dmp (Filesize 16.2MB)
- memory/1404-107-0x0000000002CE0000-0x0000000002CE2000-memory.dmp (Filesize 8KB)
- memory/1404-50-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/1404-68-0x00000000006A0000-0x00000000006A2000-memory.dmp (Filesize 8KB)
- memory/2228-230-0x0000000000D30000-0x0000000000D32000-memory.dmp (Filesize 8KB)
- memory/2228-180-0x0000000000D30000-0x0000000000D32000-memory.dmp (Filesize 8KB)
- memory/2228-183-0x0000000000DC0000-0x0000000000DC1000-memory.dmp (Filesize 4KB)
- memory/2236-170-0x0000000000F40000-0x0000000000F41000-memory.dmp (Filesize 4KB)
- memory/2236-182-0x0000000000F30000-0x0000000000F32000-memory.dmp (Filesize 8KB)
- memory/2236-239-0x0000000000F30000-0x0000000000F32000-memory.dmp (Filesize 8KB)
- memory/2732-140-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/2800-51-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp (Filesize 64KB)
- memory/2800-57-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp (Filesize 64KB)
- memory/2800-70-0x00007FFC893A0000-0x00007FFC893B0000-memory.dmp (Filesize 64KB)
- memory/2800-69-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-52-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-54-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-56-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-55-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp (Filesize 64KB)
- memory/2800-94-0x00007FFC893A0000-0x00007FFC893B0000-memory.dmp (Filesize 64KB)
- memory/2800-53-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp (Filesize 64KB)
- memory/2800-59-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-138-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-67-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-66-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-65-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-134-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-49-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp (Filesize 64KB)
- memory/2800-130-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-61-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-64-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/2800-62-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp (Filesize 2.0MB)
- memory/3612-99-0x0000000002D00000-0x0000000002D02000-memory.dmp (Filesize 8KB)
- memory/3612-120-0x0000000002D00000-0x0000000002D02000-memory.dmp (Filesize 8KB)
- memory/3612-93-0x00000000036E0000-0x00000000036E1000-memory.dmp (Filesize 4KB)
- memory/3612-105-0x0000000002D00000-0x0000000002D02000-memory.dmp (Filesize 8KB)
- memory/3688-273-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize 4KB)
- memory/3688-274-0x00000000008F0000-0x00000000008F2000-memory.dmp (Filesize 8KB)
- memory/3780-9-0x0000000002B10000-0x0000000003B43000-memory.dmp (Filesize 16.2MB)
- memory/3780-86-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/3780-0-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/3780-155-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/3780-36-0x0000000002B10000-0x0000000003B43000-memory.dmp (Filesize 16.2MB)
- memory/3780-1-0x00000000006C0000-0x00000000006C2000-memory.dmp (Filesize 8KB)
- memory/3780-2-0x0000000002B10000-0x0000000003B43000-memory.dmp (Filesize 16.2MB)
- memory/3780-5-0x0000000002B10000-0x0000000003B43000-memory.dmp (Filesize 16.2MB)
- memory/3780-123-0x0000000002AE0000-0x0000000002AE2000-memory.dmp (Filesize 8KB)
- memory/3780-10-0x0000000002AE0000-0x0000000002AE2000-memory.dmp (Filesize 8KB)
- memory/3780-35-0x0000000002B10000-0x0000000003B43000-memory.dmp (Filesize 16.2MB)
- memory/3780-12-0x0000000002AF0000-0x0000000002AF1000-memory.dmp (Filesize 4KB)
- memory/3780-14-0x0000000002AE0000-0x0000000002AE2000-memory.dmp (Filesize 8KB)
- memory/4060-264-0x0000000000130000-0x0000000000147000-memory.dmp (Filesize 92KB)
- memory/4228-222-0x0000000003E80000-0x0000000003E82000-memory.dmp (Filesize 8KB)
- memory/4228-172-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/4228-168-0x0000000003E80000-0x0000000003E82000-memory.dmp (Filesize 8KB)
- memory/4228-167-0x0000000004150000-0x0000000004151000-memory.dmp (Filesize 4KB)
- memory/4228-104-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/4228-102-0x00000000023F0000-0x00000000023F2000-memory.dmp (Filesize 8KB)
- memory/4320-131-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/4320-126-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/4968-88-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/4968-90-0x00000000006A0000-0x00000000006A2000-memory.dmp (Filesize 8KB)
- memory/4968-96-0x0000000000400000-0x0000000000501000-memory.dmp (Filesize 1.0MB)
- memory/5056-133-0x0000000000400000-0x00000000005CA000-memory.dmp (Filesize 1.8MB)
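The memory-dump names above encode the PID and the dumped address range, and the same range 0x400000-0x501000 (1.0MB) recurs in PIDs 1168, 1404, 2732, 3780, 4228, 4320 and 4968, while PID 5056 (the dropped smss.exe) carries a different, larger image at the same base. Grouping the dumps by range makes that visible in one pass. The following is an added example, not tooling from the sandbox; it parses only the name pattern used in the listing and recomputes the sizes from the addresses, and the DUMPS list is a subset copied from the entries above.

```python
"""Group the memory-dump regions listed above by address range. Added example,
not part of the report. Dump names follow the listing's pattern,
memory/<pid>-<index>-<start>-<end>-memory.dmp; sizes are recomputed from the
addresses and shown in the listing's own units."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump file name into pid, index and the [start, end) range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, index, start, end = m.groups()
    return {"pid": int(pid), "index": int(index),
            "start": int(start, 16), "end": int(end, 16)}


def human(nbytes):
    """Format a byte count the way the listing does (8KB, 1.0MB, 16.2MB)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    if nbytes >= 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes}B"


def group_by_region(names):
    """Map each (start, end) range to the sorted list of distinct PIDs that
    had it dumped. One process dumping a range several times (several
    indices) still counts once."""
    regions = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        regions[(d["start"], d["end"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in regions.items()}


def shared_regions(names, min_pids=2):
    """Ranges dumped from at least `min_pids` different processes. Identical
    base and size across processes usually means the same image is mapped in
    each, which is what several running copies of one binary look like."""
    return {region: pids for region, pids in group_by_region(names).items()
            if len(pids) >= min_pids}


def describe(names):
    """One line per shared range: address range, recomputed size, PIDs."""
    return [f"0x{start:X}-0x{end:X} ({human(end - start)}) in "
            f"{len(pids)} processes: {', '.join(map(str, pids))}"
            for (start, end), pids in sorted(shared_regions(names).items())]


# Subset of the dump names from the listing above (copied, not invented).
DUMPS = [
    "memory/1168-125-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/1404-128-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/1404-165-0x0000000003F20000-0x0000000004F53000-memory.dmp",
    "memory/2732-140-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/2800-51-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp",
    "memory/2800-57-0x00007FFC8BAB0000-0x00007FFC8BAC0000-memory.dmp",
    "memory/2800-69-0x00007FFCCBA30000-0x00007FFCCBC25000-memory.dmp",
    "memory/3780-0-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/3780-9-0x0000000002B10000-0x0000000003B43000-memory.dmp",
    "memory/3780-1-0x00000000006C0000-0x00000000006C2000-memory.dmp",
    "memory/4228-172-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/4320-131-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/4968-88-0x0000000000400000-0x0000000000501000-memory.dmp",
    "memory/5056-133-0x0000000000400000-0x00000000005CA000-memory.dmp",
]

if __name__ == "__main__":
    for line in describe(DUMPS):
        print(line)
```

The 16.2MB regions (0x3F20000 in PID 1404, 0x2B10000 in PID 3780) are far larger than the 1.0MB image and sit at different bases, so they do not group; those are the allocations worth pulling for unpacked code, whereas the shared 1.0MB range is just the same executable loaded seven times.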