Analysis
-
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 15:38
Behavioral task: behavioral1
Sample: fd185630944384dd09cdd36183680843_JaffaCakes118.exe
Resource: win7-20240215-en
General
-
Target
fd185630944384dd09cdd36183680843_JaffaCakes118.exe
-
Size
986KB
-
MD5
fd185630944384dd09cdd36183680843
-
SHA1
03e0d1d4a83fd7524a1188e4d903c55758b39873
-
SHA256
4d474f2446a19534f555ddae0e563a4a5f24d8c3792f64402386c2a2d5bdecbf
-
SHA512
cc0542a65765de2c5259162e06c35d415967840663fcb2f9d0467d9df792b16e79dfae45d9fa1970f10bd60abefa0dd289227056525f96f918eff8e40bb61ac6
-
SSDEEP
24576:FMYpZTbD+LLwTVujH88kC1xTti9wuyECfKR/kZZ2QOKc9Yuz6hn:ta/uKkC1xmnpTQOK4zzCn
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 11 IoCs
Processes: 102600.exe, java.exe, java.exe, update.exe
description / ioc / process:
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications 102600.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\temp\102600.exe = "C:\\temp\\102600.exe:*:Enabled:DM" 102600.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" java.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system\java.exe = "C:\\Windows\\system\\java.exe:*:Enabled:java.exe" java.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica 102600.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 102600.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 102600.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ 102600.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\pcast\PodcastbarMini\update.exe = "C:\\Program Files (x86)\\pcast\\PodcastbarMini\\update.exe:*:Enabled:Share Streaming" update.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system\java.exe = "C:\\Windows\\system\\java.exe:*:Enabled:java.exe" java.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" java.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource / yara_rule:
- C:\Windows\SysWOW64\WinSC.dll acprotect
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: boba_super_update-1.0.0.1_Ete_067.exe, 10059.exe, 2049.exe, newweb10296.EXE, fd185630944384dd09cdd36183680843_JaffaCakes118.exe
description / ioc / process:
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation boba_super_update-1.0.0.1_Ete_067.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 10059.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2049.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation newweb10296.EXE
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation fd185630944384dd09cdd36183680843_JaffaCakes118.exe
Executes dropped EXE 17 IoCs
Processes: 2049.exe, 102600.exe, 10059.exe, 2049.exe, wd2_051117_WIS271_mini.exe, newweb10296.EXE, boba_super_update-1.0.0.1_Ete_067.exe, spoolsv.exe, 2049.exe, update.exe, Loadam.exe, tool.exe, mssv.exe, GLJ1941.tmp, java.exe, mssv.exe, java.exe
pid / process:
- 3316 2049.exe
- 4436 102600.exe
- 3664 10059.exe
- 1972 2049.exe
- 3920 wd2_051117_WIS271_mini.exe
- 3216 newweb10296.EXE
- 2224 boba_super_update-1.0.0.1_Ete_067.exe
- 4040 spoolsv.exe
- 4640 2049.exe
- 2712 update.exe
- 2524 Loadam.exe
- 4748 tool.exe
- 4636 mssv.exe
- 2460 GLJ1941.tmp
- 3912 java.exe
- 4140 mssv.exe
- 4232 java.exe
Loads dropped DLL 5 IoCs
Processes: 2049.exe, boba_super_update-1.0.0.1_Ete_067.exe, newweb10296.EXE, spoolsv.exe, GLJ1941.tmp
pid / process:
- 1972 2049.exe
- 2224 boba_super_update-1.0.0.1_Ete_067.exe
- 3216 newweb10296.EXE
- 4040 spoolsv.exe
- 2460 GLJ1941.tmp
Processes:
resource / yara_rule:
- behavioral2/memory/3964-0-0x0000000000400000-0x0000000000426000-memory.dmp upx
- behavioral2/memory/3964-13-0x0000000000400000-0x0000000000426000-memory.dmp upx
- C:\temp\102600.exe upx
- behavioral2/memory/3964-68-0x0000000000400000-0x0000000000426000-memory.dmp upx
- behavioral2/memory/4436-32-0x0000000000400000-0x000000000043E000-memory.dmp upx
- C:\Windows\SysWOW64\WinSC.dll upx
- behavioral2/memory/2460-168-0x0000000010000000-0x0000000010043000-memory.dmp upx
- behavioral2/memory/4436-176-0x0000000000400000-0x000000000043E000-memory.dmp upx
Adds Run key to start application 2 TTPs 3 IoCs
Processes: java.exe, java.exe, wd2_051117_WIS271_mini.exe
description / ioc / process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSService_v1.0 = "C:\\Windows\\system\\java.exe" java.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSService_v1.0 = "C:\\Windows\\system\\java.exe" java.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\system32\\spoolsv\\spoolsv.exe -printer" wd2_051117_WIS271_mini.exe
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: GLJ1941.tmp, boba_super_update-1.0.0.1_Ete_067.exe, 2049.exe
description / ioc / process:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ACEEE31-1440-471B-AA46-72B061FE7D61} GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ACEEE31-1440-471B-AA46-72B061FE7D61}\ = "NewWeb Controller" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} boba_super_update-1.0.0.1_Ete_067.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16A770A0-0E87-4278-B748-2460D64A8386} 2049.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: GLJ1941.tmp
description / ioc / process:
- File opened for modification \??\PhysicalDrive0 GLJ1941.tmp
Drops file in System32 directory 15 IoCs
Processes: wd2_051117_WIS271_mini.exe, newweb10296.EXE, boba_super_update-1.0.0.1_Ete_067.exe
description / ioc / process:
- File opened for modification C:\Windows\SysWOW64\32F77AC0.094 wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\msicn\msibm.dll wd2_051117_WIS271_mini.exe
- File opened for modification C:\Windows\SysWOW64\msicn\fin.vxd wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\spoolsv\spoolsv.exe wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\msicn\plugins\bse.dll wd2_051117_WIS271_mini.exe
- File opened for modification C:\Windows\SysWOW64\mssv.exe newweb10296.EXE
- File created C:\Windows\SysWOW64\guid.vxd wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\GLBSINST.%$D newweb10296.EXE
- File created C:\Windows\SysWOW64\32F77AC0.094 wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\msicn\fin.vxd wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\~GLH0001.TMP newweb10296.EXE
- File created C:\Windows\SysWOW64\sysreal32.dll boba_super_update-1.0.0.1_Ete_067.exe
- File opened for modification C:\Windows\SysWOW64\guid.vxd wd2_051117_WIS271_mini.exe
- File created C:\Windows\SysWOW64\~GLH0000.TMP newweb10296.EXE
- File opened for modification C:\Windows\SysWOW64\WinSC.dll newweb10296.EXE
Drops file in Program Files directory 2 IoCs
Processes: boba_super_update-1.0.0.1_Ete_067.exe
description / ioc / process:
- File created C:\Program Files (x86)\pcast\PodcastbarMini\update.exe boba_super_update-1.0.0.1_Ete_067.exe
- File created C:\Program Files (x86)\pcast\PodcastbarMini\download.ini boba_super_update-1.0.0.1_Ete_067.exe
Drops file in Windows directory 7 IoCs
Processes: mssv.exe, java.exe, mssv.exe, java.exe, 102600.exe
description / ioc / process:
- File opened for modification C:\Windows\system\java.exe mssv.exe
- File created C:\Windows\system\java.exe mssv.exe
- File opened for modification C:\Windows\system\DVL~1 java.exe
- File opened for modification C:\Windows\system\java.exe mssv.exe
- File created C:\Windows\system\java.exe mssv.exe
- File opened for modification C:\Windows\system\DVL~1 java.exe
- File created C:\Windows\Tasks\DM_Install_Program.job 102600.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 1 IoCs
Processes:
resource / yara_rule:
- C:\temp\boba_super_update-1.0.0.1_Ete_067.exe nsis_installer_1
Modifies registry class 64 IoCs
Processes: GLJ1941.tmp, 2049.exe, boba_super_update-1.0.0.1_Ete_067.exe
description / ioc / process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.Settings\CurVer GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCC53A8D-67A8-4E8F-B972-D4668D1A7424}\ = "IWindowEventsHandler" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\ProgID 2049.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib boba_super_update-1.0.0.1_Ete_067.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{35A69597-0E2A-4100-A394-C6F6FC2535B9}\ = "NewWeb Controller" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386} 2049.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib\ = "{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}" 2049.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86DC8694-AACC-4CE6-B8EC-A75DEEDA698D}\ = "Settings Class" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BCC53A8D-67A8-4E8F-B972-D4668D1A7424}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D8CA513-282F-4E40-8971-F5EE879AF7FD}\InprocServer32\ThreadingModel = "Apartment" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCC53A8D-67A8-4E8F-B972-D4668D1A7424}\TypeLib GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\TypeLib GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CLSID\ = "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\sysreal32.dll" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.DocumentEventsHandler.1\CLSID\ = "{DED96F80-2B97-407C-8E09-D7233448753F}" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\TypeLib GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder.1\CLSID\ = "{9ACEEE31-1440-471B-AA46-72B061FE7D61}" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CD75223-E010-4BE9-9027-7A53533EA4F6}\1.0\0\win32 GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\ProxyStubClsid32 GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 2049.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED96F80-2B97-407C-8E09-D7233448753F}\ProgID GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED96F80-2B97-407C-8E09-D7233448753F}\ProgID\ = "SCIntruder.DocumentEventsHandler.1" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.Magazines\ = "Magazines Class" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder\CLSID GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36F305AA-4452-4FE0-9275-28F21E2A2F15}\ = "IService" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CurVer 2049.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib\Version = "1.0" 2049.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.Settings.1\ = "Settings Class" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1F6E94D-8EA2-4EC9-914D-138BC55AE105}\TypeLib GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B513A7FC-BC53-4077-ABE3-5BD321AF651D}\TypeLib\ = "{5CD75223-E010-4BE9-9027-7A53533EA4F6}" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CurVer boba_super_update-1.0.0.1_Ete_067.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" boba_super_update-1.0.0.1_Ete_067.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\InprocServer32 GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CD75223-E010-4BE9-9027-7A53533EA4F6}\1.0\FLAGS\ = "0" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F} GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B513A7FC-BC53-4077-ABE3-5BD321AF651D}\TypeLib GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID\ = "Chajian.ChajianHelper.1" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5668031-4BDE-43D4-8766-8E9AAC16C56E}\InprocServer32\ThreadingModel = "Apartment" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder\CurVer GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\TypeLib GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\ = "ISettings" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5668031-4BDE-43D4-8766-8E9AAC16C56E}\AppID = "{35A69597-0E2A-4100-A394-C6F6FC2535B9}" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1F6E94D-8EA2-4EC9-914D-138BC55AE105}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36F305AA-4452-4FE0-9275-28F21E2A2F15}\TypeLib GLJ1941.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder.1\CLSID GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1F6E94D-8EA2-4EC9-914D-138BC55AE105}\TypeLib\Version = "1.0" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\TypeLib\Version = "1.0" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\TypeLib\ = "{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}" 2049.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\HELPDIR 2049.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ProxyStubClsid32 2049.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" boba_super_update-1.0.0.1_Ete_067.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED96F80-2B97-407C-8E09-D7233448753F}\ = "DocumentEventsHandler Class" GLJ1941.tmp
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CLSID\ = "{16A770A0-0E87-4278-B748-2460D64A8386}" 2049.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\VersionIndependentProgID GLJ1941.tmp
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\ProgID GLJ1941.tmp
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: spoolsv.exe
pid / process:
- 4040 spoolsv.exe (this same entry is reported 64 times)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: spoolsv.exe, tool.exe
pid / process:
- 4040 spoolsv.exe
- 4748 tool.exe
Suspicious use of WriteProcessMemory 54 IoCs
Processes: fd185630944384dd09cdd36183680843_JaffaCakes118.exe, 2049.exe, wd2_051117_WIS271_mini.exe, 2049.exe, boba_super_update-1.0.0.1_Ete_067.exe, 10059.exe, 2049.exe, newweb10296.EXE, Loadam.exe, mssv.exe, mssv.exe
description / pid / process / target process (each entry below is reported three times in the original, giving the 54 IoCs):
- PID 3964 wrote to memory of 3316 3964 fd185630944384dd09cdd36183680843_JaffaCakes118.exe 2049.exe
- PID 3964 wrote to memory of 4436 3964 fd185630944384dd09cdd36183680843_JaffaCakes118.exe 102600.exe
- PID 3964 wrote to memory of 3664 3964 fd185630944384dd09cdd36183680843_JaffaCakes118.exe 10059.exe
- PID 3316 wrote to memory of 1972 3316 2049.exe 2049.exe
- PID 3964 wrote to memory of 3920 3964 fd185630944384dd09cdd36183680843_JaffaCakes118.exe wd2_051117_WIS271_mini.exe
- PID 3964 wrote to memory of 3216 3964 fd185630944384dd09cdd36183680843_JaffaCakes118.exe newweb10296.EXE
- PID 3964 wrote to memory of 2224 3964 fd185630944384dd09cdd36183680843_JaffaCakes118.exe boba_super_update-1.0.0.1_Ete_067.exe
- PID 3920 wrote to memory of 4040 3920 wd2_051117_WIS271_mini.exe spoolsv.exe
- PID 1972 wrote to memory of 4640 1972 2049.exe 2049.exe
- PID 2224 wrote to memory of 2712 2224 boba_super_update-1.0.0.1_Ete_067.exe update.exe
- PID 3664 wrote to memory of 2524 3664 10059.exe Loadam.exe
- PID 4640 wrote to memory of 4748 4640 2049.exe tool.exe
- PID 3216 wrote to memory of 4636 3216 newweb10296.EXE mssv.exe
- PID 3216 wrote to memory of 2460 3216 newweb10296.EXE GLJ1941.tmp
- PID 2524 wrote to memory of 552 2524 Loadam.exe cmd.exe
- PID 4636 wrote to memory of 3912 4636 mssv.exe java.exe
- PID 3216 wrote to memory of 4140 3216 newweb10296.EXE mssv.exe
- PID 4140 wrote to memory of 4232 4140 mssv.exe java.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd185630944384dd09cdd36183680843_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\fd185630944384dd09cdd36183680843_JaffaCakes118.exe"  (level 1)
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\temp\2049.exe  "C:\temp\2049.exe"  (level 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2049.exe  C:\Users\Admin\AppData\Local\Temp\2049.exe  (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\Microsoft\IEHelper\2049.exe  "C:\ProgramData\Application Data\Microsoft\IEHelper\2049.exe"  (level 4)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\temp\tool.exe  "C:\temp\tool.exe" 2049  (level 5)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\temp\102600.exe  "C:\temp\102600.exe"  (level 2)
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
-
C:\temp\10059.exe  "C:\temp\10059.exe"  (level 2)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\temp\Loadam.exe  "C:\temp\Loadam.exe"  (level 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c C:\temp\_deleteme.bat  (level 4)
-
C:\temp\wd2_051117_WIS271_mini.exe  "C:\temp\wd2_051117_WIS271_mini.exe"  (level 2)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\spoolsv\spoolsv.exe  C:\Windows\system32\spoolsv\spoolsv.exe -printer  (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\temp\newweb10296.EXE  "C:\temp\newweb10296.EXE"  (level 2)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mssv.exe  "C:\Windows\System32\mssv.exe"  (level 3)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\java.exe  "C:\Windows\system\java.exe"  (level 4)
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\GLJ1941.tmp  "C:\Users\Admin\AppData\Local\Temp\GLJ1941.tmp" C:\Windows\System32\WinSC.dll  (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Modifies registry class
-
C:\Windows\SysWOW64\mssv.exe  C:\Windows\System32\mssv.exe /REGSERVER  (level 3)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\java.exe  "C:\Windows\system\java.exe"  (level 4)
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
-
C:\temp\boba_super_update-1.0.0.1_Ete_067.exe  "C:\temp\boba_super_update-1.0.0.1_Ete_067.exe"  (level 2)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\pcast\PodcastbarMini\update.exe  "C:\Program Files (x86)\pcast\PodcastbarMini\update.exe"  (level 3)
- Modifies firewall policy service
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8  (level 1)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence:
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Pre-OS Boot: Bootkit (1)
Downloads
-
C:\Program Files (x86)\pcast\PodcastbarMini\download.ini
Filesize 122B
MD5 f9847a8309cbf62d971e0691061cae05
SHA1 8de816026941933cab5036a28bf8e82031a2f3de
SHA256 974fd60265deb6a7ebc968f9db0b124cabfec1a6eaef781bd480d464c5d57126
SHA512 1a1e1af624c9676a9c2ceaade376032630cd0174b9247b33452b811bd35aa004a4fba39d357ee037e6cc90a81cb9f55d22ba922f22520346af0d89f58b626795
-
C:\Program Files (x86)\pcast\PodcastbarMini\update.exe
Filesize 68KB
MD5 242434c239b0d75e4b5d51b6d76004b7
SHA1 c42a6a8fad18b5bd1698bb54da18fd1f7b1d076a
SHA256 c82847393bf66781d7690ea9ff3f82d46e0e387fe52af132df2f2ead15164651
SHA512 66878aa1bb8413b07b11f15c3592200267763fee62806103d002b03fc2eb9e70e7dfc4d629d824982029f65042e94593b68376c87c6ce4a8368b14468c9b375f
-
C:\ProgramData\Microsoft\IEHelper\2049.exe
Filesize 241KB
MD5 cb24df5cf2818f8eca7deab6b975ce60
SHA1 23c4d476fb62f2396af34f03af0ad3ec2abe7e10
SHA256 f13fa77ec679e8d14424eabf76384175f8abe1838f1b4b4def1ff8b7f29e26a0
SHA512 dfb47bc35d7e2b361e8aac899b778b1c0277a58aa8b2228405c1f2c6d6bb6d938f31b4f831eab1fc359d7b519f156d5efbc7431528c6a6ee2e54541885bf59ea
-
C:\ProgramData\Microsoft\IEHelper\IEHelper_4769.dll
Filesize 108KB
MD5 06f3eb60f97b7285996e8c7682f0d7dc
SHA1 6598e7df5afb8cabb228bd0cfad8643466fc5b57
SHA256 d4ce102c0395a226438a579a4d9136f49594464569b08c6d98e87d2496878a2b
SHA512 3b13215d49b790bcd50e9ca64df46c9006e09533452f87cd809b304f814a9de13b135d95bf33f93df7412e37ff69cff66910c64f2893a5217cdcfab65f595b0a
-
C:\Users\Admin\AppData\Local\Temp\2049.exe
Filesize 400KB
MD5 c950e0f69f9aeb954397d6e5f0abd9e5
SHA1 71fc73100d6fe26a8c982a501c6a69186bad779f
SHA256 d96561eb92dbfd4707aa7e3f962de7d34bf40462b7c5ee135e699e29bb2a52f5
SHA512 fe8dd8180e57f6a2bc6b067d489c89dea2782dc158886d3860ed2a2d2bb86f6bbbee8f6d2d8411e20996f664295ab4b54355fa451dda67e82df1491e8d4f488e
-
C:\Users\Admin\AppData\Local\Temp\GLC1836.tmp
Filesize 161KB
MD5 8c97d8bb1470c6498e47b12c5a03ce39
SHA1 15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7
SHA256 a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a
SHA512 7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f
-
C:\Users\Admin\AppData\Local\Temp\GLJ1941.tmp
Filesize 2KB
MD5 6f608d264503796bebd7cd66b687be92
SHA1 bb82145e86516859dae6d4b3bffb08c727b13c65
SHA256 49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d
SHA512 c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54
-
C:\Windows\SysWOW64\WinSC.dll
Filesize 103KB
MD5 d5c5427ab977f0383c865d1b97544207
SHA1 136c24bf7663caf5d2cc36658f4565d3dab8968a
SHA256 0ad4829c6f109e7ad4ef747d071978139100aa7efaf1c014f8edd2f95bbad56e
SHA512 b80c7af184cd97cbd34b629c54cc254ba844ca895b9bbd456e101740f7189e09f09f5d05ffb1e832578c60f36cbcd29054af9980cc7149e053dd741f663bf7cd
-
C:\Windows\SysWOW64\msicn\msibm.dll
Filesize 244KB
MD5 ce7b6e0fed62052f6690bc8ae620081f
SHA1 cd8f10864cc113ff459a8150c6e2f6cc14b5ea52
SHA256 d761e1d2fb377edb44eb791a402dcb89ffebce185d5ff127bec9128bb023d496
SHA512 65e45866d9d0f27209a328aa2463c144c3c593a79954dfaf5662c53cb14f925dc6fc297a73e8e0fc353f9bf5439cacdd523fc768324d96a5836a8d8fb8a65477
-
C:\Windows\SysWOW64\mssv.exe
Filesize 50KB
MD5 58c31ef011ea353ec924c8f91a34b981
SHA1 b917431def52a690069dadc13375a441d17ce06e
SHA256 8c297d226b830d158a280d7e74b47e0d209725bc6a005947e4170c33335bf63c
SHA512 e2a0469454fcfa80f7bbcf0ba1ff4e9314976adcfb201b05bad572042c21ef63a104d3f031bc38d70431c4edab8c803357a9358611d6f4c95c87303de3feee6c
-
C:\Windows\SysWOW64\spoolsv\spoolsv.exe
Filesize 44KB
MD5 ca0e9f2948604660bd94d012d65d24a8
SHA1 1ee4af187b318ec7b22209438888dba1e6dafa21
SHA256 31134e2b466db1ce8241221e3c6b9ac3055dc2a26e8838d10444c75e5fa7b2b3
SHA512 8cf669980e942f5b98a5d580df1eb927fb093c3cb6ed4271b5f6850c1631d860986cc0c6968b3468c5265b7e67e65ced31763c9baf10e1d807ba1b4673872cbb
-
C:\Windows\SysWOW64\sysreal32.dll
Filesize 68KB
MD5 03c68a64818522069dd56aa362184adb
SHA1 1f70d299051f70989d83054a4177108d4d371b71
SHA256 f82c5969d02117bb94373f36c5c25bebdfb9af9eb014ae233bf14d4b6cd49aa5
SHA512 c5c6d985ebbf80480191e9b063847bd41edad21dea684c009d023256bd5e9f150e6246519f52abc9e20bf1f6d2d1c0417232a0babd0477ca1038a23f6b9fc64a
-
C:\Windows\system\java.exe
Filesize 18KB
MD5 36a095c8f8c7ffddd39be5d43f62e596
SHA1 c923a9cf3d48d1d50eba0b9517faa5141cca2656
SHA256 6254b2b677c0816b70d4e90df7cf8ab7b3ed1b7126de21872b285cc4a36dfa5b
SHA512 e0ce714fbc921ceaf542920e2c493aa58b745359d89b768eaedeb1133f2daea4338ea13f1909a1e7977dca85c2b3467191436a36f96d8385c3d2b55cef4112da
-
C:\temp\10059.exe
Filesize 133KB
MD5 7c3c75cf5418ed7b1c3710c7a7741bc5
SHA1 b934eaab7626a3c9eac0d205eb008fe43d4fdf93
SHA256 04c12ccc87fd1b6dbc0906fc1c6cc039747c232bcc507d0a72da32a66279c02d
SHA512 90bcd2c3a6be99b4f033d53b473a64c53c6dd33efcb2664bec71844646e266696e827f4d1d7dd6ad7f3d5fc6cca2397b287121444b8d5e192f1be88a4a997de8
-
C:\temp\102600.exe
Filesize 56KB
MD5 ad4b5a89f671f284b43ea2a7cb4a42c1
SHA1 c45197f33eb11dda04d5c4fe5fa56eb57f51f651
SHA256 ad2fd6de49c88884aa690445e80d20822147c6510e3664a6b419b10e0259a1a9
SHA512 8176483f516da5c1ffa97817fd6ce3bac1180116de3d44b2f245b65c5b2969c4e1ef00b88a9fa868ef317e0f5f7b9b458348ea9efea5b9a3072f28b843cfc71c
-
C:\temp\2049.exe
Filesize
280KB
MD529e6687bb514f1397033b085d18fe240
SHA15f503609bb3ddcdfbf852ea3cbd5aa540700e88c
SHA25679e31119bf7adf533b0c45482df7ec8519a9a4ec9f01d1dc25a87c2dae4455fc
SHA5127bddc4493956fa33eee877ef1c73289d977341489ea2b049b96582d3c1f8fbd6918d07076b039a98fef71486b78e6944073bd5e44ce12877d52c2bcefbaffd6c
-
C:\temp\Loadam.exeFilesize
18KB
MD5fbf214cc6f86b2ba6f87c7c6c6cf5f90
SHA118e7b59d4758720c5f1dfe983a6bd3d40c7cfc27
SHA256c871aabbbdc4a8b9b6970ed2b8bd75bb39df57a2a81510223137c9e6a9701bac
SHA512c58df78a0547f845dd1387c3ec9afd467615d7427c63a9b97b82b39976de9faf8be0459176299ec129fbacf23e80efca52250c1d77f78226f5c77b909f5c5c29
-
C:\temp\_deleteme.batFilesize
80B
MD56c856dbd1ce1fffa9e5ac768bd5978ee
SHA16afe6336441923db24ff1e2d044eb4f5b2501a27
SHA256c2b12d0da599982e1a8b6c2e6759e0310b982689a0ca2326da6632bdce4ecc99
SHA51278fa4a16d36483046bd796c177ab552d0271f7094b6067eebdcf318bb659bdd9fb461de428c489ba06aa03ae51f84dbd278d67a09c267b24cda52a6a25aba74e
-
C:\temp\boba_super_update-1.0.0.1_Ete_067.exeFilesize
116KB
MD521e50a12f2ecce19405cfc90ff79c811
SHA1ade2b1b95843016f0661890683e82e20a45b6c35
SHA256bdbbcea503538e65772dcb66b55025281619bddfe20fc2faab73036dff5fc1fc
SHA512c1191ce1350fbcaf9640e1d6cf9611926f834e18663d598c5748fa779dcf2c44e5c83e697bdc314f99224f4002c615f187b73b8df8ee551f7d733cdc85867907
-
C:\temp\newweb10296.EXEFilesize
244KB
MD5f7331eb6c0d009dd7afb48a93a212166
SHA19bcfed872960b4f19500d5fb4fe02fcd1c2e5ffa
SHA2560efa60dea2558717c5a1a29e85f9e63dfb0127dbf52bd4b9176917a23edcc5a1
SHA51269a3888504819d19c81490b2ad8b5dd1dfb450ebd39016131ed87c4f549d2dfc10c2bb1e98b0206affed1759da814e82c8d9470f9ebfcffaca89b5a9541265e2
-
C:\temp\tool.exeFilesize
328KB
MD584bc69fd23dd51b304ae9aaa8d67aed0
SHA1a6b3d198e0204ae8b2aba3a6d6d9eb5c11b84730
SHA25609619b393ef1fd850f7c108baf0303910b20465ef7ff8298c050dc138f059c40
SHA512019bb109fa45a00593ce4d0cc28cb812cedf016b3bae33c077820913692e1e7da52d8341def987e2184c9da93738aa4b63d8385dd54d94fdaf081de786d885e3
-
C:\temp\wd2_051117_WIS271_mini.exeFilesize
196KB
MD531313ee73d01379633db3470c72c7e79
SHA1e091e1a5292d82f7939c6d8e2cf914541eff6f1c
SHA2568fefa20fd0ebf82a7541baf0f82aa65e0687cb6bb2be68c322341309c8cac4c9
SHA512e99d5132da10eab4bf7abc31a55f753980e6e6e38ea8d748f20ad334568ae1e4b405dddd22854b0a2b0e0b5b4cfac235e28282d859b6c295a98b8e65df886721
-
memory/2224-67-0x0000000000400000-0x000000000049C000-memory.dmpFilesize
624KB
-
memory/2224-110-0x0000000000400000-0x000000000049C000-memory.dmpFilesize
624KB
-
memory/2460-168-0x0000000010000000-0x0000000010043000-memory.dmpFilesize
268KB
-
memory/2524-159-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3316-175-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3316-40-0x0000000000570000-0x0000000000572000-memory.dmpFilesize
8KB
-
memory/3316-20-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3664-127-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3912-165-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3912-177-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3964-13-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/3964-0-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/3964-68-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4232-172-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4232-178-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4436-32-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4436-176-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4640-140-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB