Analysis Overview
SHA256
05c5863b608f27843b7fedbf54d09c36a8882330999ab8f49e7776a5a61a40a8
Threat Level: Shows suspicious behavior
The file 13139d28789f574157b034cab3747cf7_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Deletes itself
Drops startup file
Loads dropped DLL
UPX packed file
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-04 14:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-04 14:12
Reported
2024-05-04 14:14
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\wybho.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Thunder.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\ = "Thunder 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID\ = "WYBHO.wybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CurVer | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CurVer\ = "Thunder.xlhelper.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "WYBHO.wybhotool.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "wybhotool Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID\ = "Thunder.xlhelper.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\ = "C:\\Windows\\SysWow64\\Thunder.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\ = "WYBHO 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID\ = "Thunder.xlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe /s "C:\Windows\system32\wybho.dll"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe /s "C:\Windows\system32\Thunder.dll"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "
Network
Files
memory/2664-0-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Windows\SysWOW64\wybho.dll
| Hash | Value |
| --- | --- |
| MD5 | 68b65524748712b97a3ece67887a8c57 |
| SHA1 | b902b20b96b89ae5a328fc9480aa74eb102d3f58 |
| SHA256 | 7725e0ab99614776160cec3509d24b91607ac61be17f731b51fa418246bac7c1 |
| SHA512 | 8b3fc11f09fd72cb8fa4512feee90680d018152d6690ffba2f1f919b52f6ac2143cca0da1c7f2fd5e2c9f59065594e1e7beda4becdb1c3992870539beb161f2e |
memory/2424-7-0x0000000010000000-0x0000000010032000-memory.dmp
C:\Windows\SysWOW64\Thunder.dll
| Hash | Value |
| --- | --- |
| MD5 | eaf8239add44ac986a321565efdfead9 |
| SHA1 | 8129182ad7be9ef58a0d9a8a44f87f2c9133cbb2 |
| SHA256 | c68e173f06f9db9334f0e0ff3a8b9f4e51963df33557658bfbadc36764a0ae66 |
| SHA512 | 4fd17dfc1bac645f525c3e08623df6940096bcec459489eb019e855c679742fbfbf926bc8072e4214c1d2cc4322a5f4f92a66e5ae1ad271701d93e4eb7e44960 |
C:\Users\Admin\AppData\Local\Temp\123.bat
| Hash | Value |
| --- | --- |
| MD5 | 2616cc4f9600fee017bc361aa5285c7d |
| SHA1 | 1a5523357e6f13839de87a3d4adb0048b307726e |
| SHA256 | 6214839f639ddcd7e54ef2d59749334dff5abfd252a4758c2afc817d4cb4995f |
| SHA512 | 9dbed95bf2d4476c362c0ea45eb5d0f41fe502927bd7438e60511c7d7a1ab5be278cbf4caf435a3678f20c5227c9a47e71f490c48589d5dd23624948f2cb5da9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-04 14:12
Reported
2024-05-04 14:14
Platform
win10v2004-20240419-en
Max time kernel
136s
Max time network
105s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\wybho.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Thunder.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Thunder.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "WYBHO.wybhotool.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID\ = "Thunder.xlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID\ = "WYBHO.wybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\ = "Thunder 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\ = "WYBHO 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\ = "C:\\Windows\\SysWow64\\Thunder.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "wybhotool Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe /s "C:\Windows\system32\wybho.dll"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe /s "C:\Windows\system32\Thunder.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/5064-0-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Windows\SysWOW64\wybho.dll
| Hash | Value |
| --- | --- |
| MD5 | 68b65524748712b97a3ece67887a8c57 |
| SHA1 | b902b20b96b89ae5a328fc9480aa74eb102d3f58 |
| SHA256 | 7725e0ab99614776160cec3509d24b91607ac61be17f731b51fa418246bac7c1 |
| SHA512 | 8b3fc11f09fd72cb8fa4512feee90680d018152d6690ffba2f1f919b52f6ac2143cca0da1c7f2fd5e2c9f59065594e1e7beda4becdb1c3992870539beb161f2e |
memory/4420-7-0x0000000010000000-0x0000000010032000-memory.dmp
C:\Windows\SysWOW64\Thunder.dll
| Hash | Value |
| --- | --- |
| MD5 | eaf8239add44ac986a321565efdfead9 |
| SHA1 | 8129182ad7be9ef58a0d9a8a44f87f2c9133cbb2 |
| SHA256 | c68e173f06f9db9334f0e0ff3a8b9f4e51963df33557658bfbadc36764a0ae66 |
| SHA512 | 4fd17dfc1bac645f525c3e08623df6940096bcec459489eb019e855c679742fbfbf926bc8072e4214c1d2cc4322a5f4f92a66e5ae1ad271701d93e4eb7e44960 |
C:\Users\Admin\AppData\Local\Temp\123.bat
| Hash | Value |
| --- | --- |
| MD5 | 2616cc4f9600fee017bc361aa5285c7d |
| SHA1 | 1a5523357e6f13839de87a3d4adb0048b307726e |
| SHA256 | 6214839f639ddcd7e54ef2d59749334dff5abfd252a4758c2afc817d4cb4995f |
| SHA512 | 9dbed95bf2d4476c362c0ea45eb5d0f41fe502927bd7438e60511c7d7a1ab5be278cbf4caf435a3678f20c5227c9a47e71f490c48589d5dd23624948f2cb5da9 |