Malware Analysis Report

2025-01-18 21:44

Sample ID 240415-h81twshe52
Target f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118
SHA256 a566061451bd752ba3802ba9394137f1d2d9fd92951058a56d5f61175b23bb22
Tags
adware discovery persistence stealer upx
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

a566061451bd752ba3802ba9394137f1d2d9fd92951058a56d5f61175b23bb22

Threat Level: Shows suspicious behavior

The file f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence stealer upx

UPX packed file

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 07:25

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 07:25

Reported

2024-04-15 07:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TopGuide = "C:\\Program Files (x86)\\TopGuide\\TopGuide.exe" C:\Program Files (x86)\TopGuide\TopGuide.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TopGuide\TopGuide.dll C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TopGuide\adc.dll C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TopGuide\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\CodePage = "949" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\ = "야후" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\URL = "http://info-way.kr/addPages/?id=TG31&k={searchTerms}" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{D94DCC35-A105-4A97-A957-FB7D54BB3612}" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612} C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\ = "Yahoo" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\0\win32\ = "C:\\Program Files (x86)\\TopGuide\\TopGuide.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ = "ITopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ = "C:\\Program Files (x86)\\TopGuide\\TopGuide.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib\ = "{7D1AFD44-BEA6-48BD-8872-21940D385C3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CurVer\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CurVer\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID\ = "TopGuide.TopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ = "TopGuide" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ = "TopGuide" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\ = "TopGuide 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID\ = "TopGuide.TopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib\ = "{7D1AFD44-BEA6-48BD-8872-21940D385C3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ = "ITopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ = "C:\\Program Files (x86)\\TopGuide\\TopGuide.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2216 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe C:\Program Files (x86)\TopGuide\TopGuide.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 2544 N/A C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"

C:\Program Files (x86)\TopGuide\TopGuide.exe

"C:\Program Files (x86)\TopGuide\TopGuide.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 topguide.co.kr udp
KR 158.247.225.128:80 topguide.co.kr tcp
KR 158.247.225.128:443 topguide.co.kr tcp
KR 158.247.225.128:80 topguide.co.kr tcp

Files

memory/2216-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2216-1-0x0000000000230000-0x000000000026F000-memory.dmp

C:\Program Files (x86)\TopGuide\TopGuide.dll

MD5 af91dc5eb2f1600a2acce03de4db8161
SHA1 3dc31ecc6ab4111d6f265c5a5700091449ae9df4
SHA256 0c1113cec21ed5a03fdd50f4602c362a161c55e4681788328624c296e49a70a5
SHA512 67f563095432601fddfc181c1fe1b020463c77148f59c8ea9bfade4b9e3392b1b1906b9603a10041d17c75f24265a5a9aa87ce6cda1d64ae356abba69519b3f2

\Program Files (x86)\TopGuide\TopGuide.exe

MD5 97a66539f4cdf6f5970d4f3ab62e7157
SHA1 32dca1cbc2a1729dae1fba9b66d7221ed8b0b6a2
SHA256 d8fd95ab37afabedcd5d6a76785897b70770644ed3ab8a2b274dfd6ed971ea12
SHA512 1857d4829bc758b49a4ba7c2e5bf16b7d07c6eebde561829c4a2f850f50399da5ba68026c5ae19332af023117b750abfa39d05b844c2131c4479cdac387b8abe

C:\Program Files (x86)\TopGuide\adc.dll

MD5 33d7115901c7382d911c5e5f28d95850
SHA1 e6b5b513626a1afd7285a1a3648912d54e819128
SHA256 b6af553defd463dd7d63b3c65b27d81a1ec5bb325cdaf57d3d42792e8d0dd361
SHA512 d5f697dad1c37b7b9d1ea30bd400f1900046fedc1c5ea4b9dea9646ea94f43ec81d3dad6f97f8ab2ab97c2804a939f72f903efae4b1e3e6f45b970bf5bf0eeed

memory/2216-35-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2216-36-0x0000000000230000-0x000000000023C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 07:25

Reported

2024-04-15 07:27

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TopGuide = "C:\\Program Files (x86)\\TopGuide\\TopGuide.exe" C:\Program Files (x86)\TopGuide\TopGuide.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TopGuide\TopGuide.exe C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TopGuide\TopGuide.dll C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TopGuide\adc.dll C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TopGuide\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{D94DCC35-A105-4A97-A957-FB7D54BB3612}" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612} C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\ = "Yahoo" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\CodePage = "949" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\ = "야후" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D94DCC35-A105-4A97-A957-FB7D54BB3612}\URL = "http://info-way.kr/addPages/?id=TG31&k={searchTerms}" C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\TopGuide\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ = "C:\\Program Files (x86)\\TopGuide\\TopGuide.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CurVer\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib\ = "{7D1AFD44-BEA6-48BD-8872-21940D385C3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ = "ITopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib\ = "{7D1AFD44-BEA6-48BD-8872-21940D385C3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID\ = "TopGuide.TopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\ = "TopGuide 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ = "TopGuide" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ = "ITopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib\ = "{7D1AFD44-BEA6-48BD-8872-21940D385C3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B}\1.0\0\win32\ = "C:\\Program Files (x86)\\TopGuide\\TopGuide.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ = "C:\\Program Files (x86)\\TopGuide\\TopGuide.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID\ = "TopGuide.TopGuideCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\TypeLib\ = "{7D1AFD44-BEA6-48BD-8872-21940D385C3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1ED65C88-1259-484B-A9FA-6731E0D15743}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D1AFD44-BEA6-48BD-8872-21940D385C3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CLSID\ = "{1ED65C88-1259-484B-A9FA-6731E0D15743}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl\CurVer\ = "TopGuide.TopGuideCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BA72FD4-FEEC-4DEE-9504-5C13E4C9866C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TopGuide.TopGuideCtl.1\ = "TopGuideCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\TopGuide\TopGuide.exe N/A (62 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f09194b0dcf8ddd8c664e82d0a1ea6df_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"

C:\Program Files (x86)\TopGuide\TopGuide.exe

"C:\Program Files (x86)\TopGuide\TopGuide.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 topguide.co.kr udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
KR 158.247.225.128:80 topguide.co.kr tcp
KR 158.247.225.128:80 topguide.co.kr tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 158.247.225.128:443 topguide.co.kr tcp
US 8.8.8.8:53 128.225.247.158.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 9.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2776-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Program Files (x86)\TopGuide\TopGuide.dll

MD5 af91dc5eb2f1600a2acce03de4db8161
SHA1 3dc31ecc6ab4111d6f265c5a5700091449ae9df4
SHA256 0c1113cec21ed5a03fdd50f4602c362a161c55e4681788328624c296e49a70a5
SHA512 67f563095432601fddfc181c1fe1b020463c77148f59c8ea9bfade4b9e3392b1b1906b9603a10041d17c75f24265a5a9aa87ce6cda1d64ae356abba69519b3f2

C:\Program Files (x86)\TopGuide\TopGuide.exe

MD5 97a66539f4cdf6f5970d4f3ab62e7157
SHA1 32dca1cbc2a1729dae1fba9b66d7221ed8b0b6a2
SHA256 d8fd95ab37afabedcd5d6a76785897b70770644ed3ab8a2b274dfd6ed971ea12
SHA512 1857d4829bc758b49a4ba7c2e5bf16b7d07c6eebde561829c4a2f850f50399da5ba68026c5ae19332af023117b750abfa39d05b844c2131c4479cdac387b8abe

C:\Program Files (x86)\TopGuide\adc.dll

MD5 33d7115901c7382d911c5e5f28d95850
SHA1 e6b5b513626a1afd7285a1a3648912d54e819128
SHA256 b6af553defd463dd7d63b3c65b27d81a1ec5bb325cdaf57d3d42792e8d0dd361
SHA512 d5f697dad1c37b7b9d1ea30bd400f1900046fedc1c5ea4b9dea9646ea94f43ec81d3dad6f97f8ab2ab97c2804a939f72f903efae4b1e3e6f45b970bf5bf0eeed

memory/2776-17-0x0000000000400000-0x000000000043F000-memory.dmp