Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 28-04-2024 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Size: 512KB
MD5: 05a34ce4e1751bf33e0803af17082c1f
SHA1: 45b354f036de158920d8f242977aab190ede0136
SHA256: 7e32714f0b728d757d398eb21058c77f8708122415eb052081e8e125563af9b3
SHA512: c4c022ae828687de17029eae8c7aaa5f3f6922a04b2bd99fb3fc1b0883b34904ae35eeb77d332ea709b24cb88a8165c2e822fcc15a3b4e8ecc004dbbd530da4d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: xugdddiajp.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xugdddiajp.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: xugdddiajp.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xugdddiajp.exe
Windows security bypass 5 IoCs
Processes: xugdddiajp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xugdddiajp.exe
Disables RegEdit via registry modification 1 IoCs
Processes: xugdddiajp.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xugdddiajp.exe
Executes dropped EXE 5 IoCs
Processes: xugdddiajp.exe, frvlqalvoorqjlp.exe, umobygzk.exe, tveaphxpaipyu.exe, umobygzk.exe
pid | process
2524 | xugdddiajp.exe
2592 | frvlqalvoorqjlp.exe
2540 | umobygzk.exe
2644 | tveaphxpaipyu.exe
2900 | umobygzk.exe
Loads dropped DLL 5 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, xugdddiajp.exe
pid | process | entries
2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 4
2524 | xugdddiajp.exe | 1
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes: xugdddiajp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | xugdddiajp.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: frvlqalvoorqjlp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tveaphxpaipyu.exe" | frvlqalvoorqjlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lefkgkjb = "xugdddiajp.exe" | frvlqalvoorqjlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tvcmfltt = "frvlqalvoorqjlp.exe" | frvlqalvoorqjlp.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: umobygzk.exe, umobygzk.exe, xugdddiajp.exe
description | ioc | process
File opened (read-only) | \??\w: | umobygzk.exe
File opened (read-only) | \??\z: | umobygzk.exe
File opened (read-only) | \??\m: | umobygzk.exe
File opened (read-only) | \??\n: | umobygzk.exe
File opened (read-only) | \??\l: | xugdddiajp.exe
File opened (read-only) | \??\l: | umobygzk.exe
File opened (read-only) | \??\x: | xugdddiajp.exe
File opened (read-only) | \??\j: | umobygzk.exe
File opened (read-only) | \??\q: | umobygzk.exe
File opened (read-only) | \??\p: | umobygzk.exe
File opened (read-only) | \??\z: | umobygzk.exe
File opened (read-only) | \??\o: | xugdddiajp.exe
File opened (read-only) | \??\p: | xugdddiajp.exe
File opened (read-only) | \??\t: | umobygzk.exe
File opened (read-only) | \??\h: | xugdddiajp.exe
File opened (read-only) | \??\w: | xugdddiajp.exe
File opened (read-only) | \??\a: | umobygzk.exe
File opened (read-only) | \??\j: | umobygzk.exe
File opened (read-only) | \??\g: | xugdddiajp.exe
File opened (read-only) | \??\t: | xugdddiajp.exe
File opened (read-only) | \??\u: | xugdddiajp.exe
File opened (read-only) | \??\v: | umobygzk.exe
File opened (read-only) | \??\r: | umobygzk.exe
File opened (read-only) | \??\s: | umobygzk.exe
File opened (read-only) | \??\j: | xugdddiajp.exe
File opened (read-only) | \??\k: | xugdddiajp.exe
File opened (read-only) | \??\w: | umobygzk.exe
File opened (read-only) | \??\x: | umobygzk.exe
File opened (read-only) | \??\y: | umobygzk.exe
File opened (read-only) | \??\e: | umobygzk.exe
File opened (read-only) | \??\y: | xugdddiajp.exe
File opened (read-only) | \??\g: | umobygzk.exe
File opened (read-only) | \??\o: | umobygzk.exe
File opened (read-only) | \??\k: | umobygzk.exe
File opened (read-only) | \??\b: | umobygzk.exe
File opened (read-only) | \??\a: | xugdddiajp.exe
File opened (read-only) | \??\m: | xugdddiajp.exe
File opened (read-only) | \??\i: | umobygzk.exe
File opened (read-only) | \??\x: | umobygzk.exe
File opened (read-only) | \??\b: | umobygzk.exe
File opened (read-only) | \??\e: | umobygzk.exe
File opened (read-only) | \??\r: | umobygzk.exe
File opened (read-only) | \??\v: | xugdddiajp.exe
File opened (read-only) | \??\u: | umobygzk.exe
File opened (read-only) | \??\k: | umobygzk.exe
File opened (read-only) | \??\l: | umobygzk.exe
File opened (read-only) | \??\s: | xugdddiajp.exe
File opened (read-only) | \??\p: | umobygzk.exe
File opened (read-only) | \??\t: | umobygzk.exe
File opened (read-only) | \??\h: | umobygzk.exe
File opened (read-only) | \??\u: | umobygzk.exe
File opened (read-only) | \??\e: | xugdddiajp.exe
File opened (read-only) | \??\n: | xugdddiajp.exe
File opened (read-only) | \??\n: | umobygzk.exe
File opened (read-only) | \??\v: | umobygzk.exe
File opened (read-only) | \??\i: | xugdddiajp.exe
File opened (read-only) | \??\q: | xugdddiajp.exe
File opened (read-only) | \??\r: | xugdddiajp.exe
File opened (read-only) | \??\h: | umobygzk.exe
File opened (read-only) | \??\s: | umobygzk.exe
File opened (read-only) | \??\a: | umobygzk.exe
File opened (read-only) | \??\q: | umobygzk.exe
File opened (read-only) | \??\y: | umobygzk.exe
File opened (read-only) | \??\z: | xugdddiajp.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: xugdddiajp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xugdddiajp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xugdddiajp.exe
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\frvlqalvoorqjlp.exe | autoit_exe
\Windows\SysWOW64\xugdddiajp.exe | autoit_exe
\Windows\SysWOW64\umobygzk.exe | autoit_exe
\Windows\SysWOW64\tveaphxpaipyu.exe | autoit_exe
C:\Users\Admin\Downloads\CopyImport.doc.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, xugdddiajp.exe
description | ioc | process
File created | C:\Windows\SysWOW64\tveaphxpaipyu.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xugdddiajp.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\frvlqalvoorqjlp.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\umobygzk.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\umobygzk.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tveaphxpaipyu.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xugdddiajp.exe
File created | C:\Windows\SysWOW64\xugdddiajp.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\frvlqalvoorqjlp.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes: umobygzk.exe, umobygzk.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | umobygzk.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | umobygzk.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | umobygzk.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | umobygzk.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | umobygzk.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | umobygzk.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | umobygzk.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | umobygzk.exe
Drops file in Windows directory 5 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings 31 IoCs
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Modifies registry class 64 IoCs
Processes: xugdddiajp.exe, WINWORD.EXE, 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | xugdddiajp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | xugdddiajp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D7D9C5583206A4176D4702F2CDF7D8465D9" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | xugdddiajp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | xugdddiajp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | xugdddiajp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C70C15E1DAB6B8B97CE8ECE537CD" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | xugdddiajp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2384 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, xugdddiajp.exe, umobygzk.exe, frvlqalvoorqjlp.exe, tveaphxpaipyu.exe, umobygzk.exe
pid | process | entries (of the 64 shown)
2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 8
2524 | xugdddiajp.exe | 5
2540 | umobygzk.exe | 4
2592 | frvlqalvoorqjlp.exe | 17
2644 | tveaphxpaipyu.exe | 26
2900 | umobygzk.exe | 4
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, xugdddiajp.exe, frvlqalvoorqjlp.exe, umobygzk.exe, tveaphxpaipyu.exe, umobygzk.exe
pid | process | entries
2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 3
2524 | xugdddiajp.exe | 3
2592 | frvlqalvoorqjlp.exe | 3
2540 | umobygzk.exe | 3
2644 | tveaphxpaipyu.exe | 3
2900 | umobygzk.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, xugdddiajp.exe, frvlqalvoorqjlp.exe, umobygzk.exe, tveaphxpaipyu.exe, umobygzk.exe
pid | process | entries
2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 3
2524 | xugdddiajp.exe | 3
2592 | frvlqalvoorqjlp.exe | 3
2540 | umobygzk.exe | 3
2644 | tveaphxpaipyu.exe | 3
2900 | umobygzk.exe | 3
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process | entries
2384 | WINWORD.EXE | 2
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, xugdddiajp.exe, WINWORD.EXE
description | pid | process | target process | entries
PID 2084 wrote to memory of 2524 | 2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | xugdddiajp.exe | 4
PID 2084 wrote to memory of 2592 | 2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | frvlqalvoorqjlp.exe | 4
PID 2084 wrote to memory of 2540 | 2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | umobygzk.exe | 4
PID 2084 wrote to memory of 2644 | 2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | tveaphxpaipyu.exe | 4
PID 2524 wrote to memory of 2900 | 2524 | xugdddiajp.exe | umobygzk.exe | 4
PID 2084 wrote to memory of 2384 | 2084 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | WINWORD.EXE | 4
PID 2384 wrote to memory of 2156 | 2384 | WINWORD.EXE | splwow64.exe | 4
Processes
C:\Users\Admin\AppData\Local\Temp\05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\xugdddiajp.exe
    Command line: xugdddiajp.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\umobygzk.exe
      Command line: C:\Windows\system32\umobygzk.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\frvlqalvoorqjlp.exe
    Command line: frvlqalvoorqjlp.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\umobygzk.exe
    Command line: umobygzk.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\tveaphxpaipyu.exe
    Command line: tveaphxpaipyu.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Modify Registry (T1112): 7
  Impair Defenses (T1562): 2
    Disable or Modify Tools (T1562.001): 2
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5:    e3e9a1bbde2429affaac84964d7c2af3
  SHA1:   2439b88c67c61d6549e66224d086d7123524abd3
  SHA256: 538fe5e08b0c9ad904adf316fa0108564f857305675113f0e181c4d784a01a75
  SHA512: fe7bde00ea2e3ffdc58db3faeb0b14f11631acae117863e476d2625c6d6f30b172d453682a78ddb8acf61666fbda2d4206b095e019156b236969052af918f45f

C:\Users\Admin\Downloads\CopyImport.doc.exe
  Filesize: 512KB
  MD5:    65bc20f7eab910ddac3c90b6abb942d1
  SHA1:   aeabb7c806d5a92f15be5183242116ed7ac1983f
  SHA256: 54903f421ce185ed1c3ef54aba2ec47b9db83dc618953458fd635bcb8e250358
  SHA512: 1ba94fb3fd0fd4b1ccefea29eca43df597cf700a9eeadbcb46e1c54dfcfe4299a83d32a9219df97923537a7200e95944ace6f2bf8fcb225f1b7d3ca4ac5821c7

C:\Windows\SysWOW64\frvlqalvoorqjlp.exe
  Filesize: 512KB
  MD5:    3a2ffcee6af2e90e898ee2163edd7edd
  SHA1:   676ce3c4fdd07bcaeaf39eaae2282c2b152a051b
  SHA256: 40932152ac4e90b4d9e85dbf8cd1b26a5bf92d428b27feb5905752e20e564fa4
  SHA512: ce241ffbef494588775fb11b909cd5c63ad3db04f69719261bc37bcdd0629661e24739216eefef205d61732284f8f67fda44f82eb8cf3737ff598c04d9959e1a

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5:    06604e5941c126e2e7be02c5cd9f62ec
  SHA1:   4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\Windows\SysWOW64\tveaphxpaipyu.exe
  Filesize: 512KB
  MD5:    76bae5df1bbd3a6e7132bb5efbf60686
  SHA1:   b80eca0ce471122c64f326ba11c2aeccb509bbac
  SHA256: c22370f3ccafcdc1fee3d413272fc8739866fd43542083638c7a22c813c2e13f
  SHA512: 43070062e441e866f44ec7eda22f4affafdc1ab890fc3c99a57d4692c38b3a00a2dd36e92454c219c27c730b080ed2b1555e05e87a05f5e264db338e03134e0f

\Windows\SysWOW64\umobygzk.exe
  Filesize: 512KB
  MD5:    b3275da44034c34c84818be7fa370ca6
  SHA1:   10f0760ef4dcc8d972c1c79a1b5df4a9acb59bde
  SHA256: d36682ae3e417ced65295b2e991bd6ce2abd255e302c6562570f7c3c7d40e9bc
  SHA512: 48193a47c87510ed82c35b556ac5f46d214bc96ffcf0d85ff4749c01a62d111bd1591d165938dec32397f08f58278603039f3f21c879558cec1272b257215e18

\Windows\SysWOW64\xugdddiajp.exe
  Filesize: 512KB
  MD5:    b31f6a5e46bf19aacda29d2e070b9c9f
  SHA1:   a6fb11944d875d56bd722b0c49c63fd7b7fe50ec
  SHA256: 74b8b98ce59665ae68e7aab6916aa97ddb9c26dc5dc217045bfbdcce1330f774
  SHA512: dc609ad659074644d323fa32435226098d825880715ff35014d96b33f09535a6dab7c91b466758f7f7bb3db1079df034c8fa6cbbc0855bf02f21c4c3ce1462a0

memory/2084-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB

memory/2384-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/2384-97-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
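Two of the dropped artefacts above belong together: CopyImport.doc.exe in the user's Downloads folder, and the HideFileExt change made by xugdddiajp.exe, which makes Explorer show that file as "CopyImport.doc". The following Python is an added example, not code from the report; it sweeps a directory for files whose SHA-256 matches one of the dropped files listed above and for executables hiding behind a document extension. The SHA-256 values are copied from the Downloads section; the extension sets, the temporary-directory fixture and the stand-in file contents are assumptions and constructed input.

```python
"""Sweep a directory for this report's dropped-file indicators.

Added example; not code from the report. Two checks: SHA-256 match against
the dropped files listed under Downloads, and the double-extension disguise
(CopyImport.doc.exe) that the HideFileExt change turns into 'CopyImport.doc'.
"""
import hashlib
import os
import tempfile

# SHA-256 values copied from the Downloads section of the report.
REPORT_SHA256 = {
    "54903f421ce185ed1c3ef54aba2ec47b9db83dc618953458fd635bcb8e250358": "CopyImport.doc.exe",
    "40932152ac4e90b4d9e85dbf8cd1b26a5bf92d428b27feb5905752e20e564fa4": "frvlqalvoorqjlp.exe",
    "c22370f3ccafcdc1fee3d413272fc8739866fd43542083638c7a22c813c2e13f": "tveaphxpaipyu.exe",
    "d36682ae3e417ced65295b2e991bd6ce2abd255e302c6562570f7c3c7d40e9bc": "umobygzk.exe",
    "74b8b98ce59665ae68e7aab6916aa97ddb9c26dc5dc217045bfbdcce1330f774": "xugdddiajp.exe",
}
# Assumptions: which suffixes count as executable and which as document-like.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXT = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt"}


def sha256_file(path):
    """Stream the file so large artefacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_double_extension(name):
    """True for 'report.doc.exe': document-looking inner suffix, executable outer one."""
    stem, outer = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]
    return outer.lower() in EXECUTABLE_EXT and inner.lower() in DOCUMENT_EXT


def sweep(root, iocs=REPORT_SHA256):
    """Return (path, reason) pairs for every file that trips a check."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((path, f"sha256 matches dropped file {iocs[digest]}"))
            if is_double_extension(name):
                hits.append((path, "executable disguised with a document extension"))
    return hits


def demo():
    """Constructed fixture: a temp dir with a disguised executable whose hash
    is added to the IoC set, a second disguised file, and a benign file."""
    with tempfile.TemporaryDirectory() as d:
        payload = b"MZ constructed stand-in, not the real dropper"
        files = {
            "CopyImport.doc.exe": payload,
            "invoice.pdf.scr": b"MZ another constructed stand-in",
            "notes.txt": b"benign text",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        iocs = dict(REPORT_SHA256)
        iocs[hashlib.sha256(payload).hexdigest()] = "constructed-payload"
        return sorted((os.path.basename(p), why) for p, why in sweep(d, iocs))


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

Point `sweep()` at a user's Downloads or a mounted image to use the report's hashes as-is; the hash check catches the exact dropped files, while the extension check catches the same trick with any payload. Note that the sandbox's SysWOW64 drops carry random names, so on a real host the hash is the only stable indicator for those four.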