Malware Analysis Report

2025-01-22 12:16

Sample ID 240625-ady3tazaqh
Target 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118
SHA256 0d13b46286128dd6e2dd217bb33c1cc6e48b444d9501e0843443d151bc339c32
Tags
macro persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0d13b46286128dd6e2dd217bb33c1cc6e48b444d9501e0843443d151bc339c32

Threat Level: Shows suspicious behavior

The file 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

macro persistence

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Document created with cracked Office version

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 00:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 00:06

Reported

2024-06-25 00:08

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\config\vab0726ze.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\config\vab0726ze.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\BTStacAvs = "C:\\Users\\Admin\\BTStacAvs.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HkAvgLrj = "C:\\Users\\Admin\\HkAvgLrj.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\BTStacFrr = "C:\\Users\\Admin\\BTStacFrr.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\BTStacPgn = "C:\\Users\\Admin\\BTStacPgn.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsgrUpd = "C:\\Users\\Admin\\MsgrUpd.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A

Document created with cracked Office version

macro
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\config\LdrAdc.dll C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\config\LdrAdc.dll C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File created C:\WINDOWS\SysWOW64\config\vab0726ze.exe C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\config\vazb0620px.bat C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File created C:\WINDOWS\SysWOW64\config\__tmp_rar_sfx_access_check_259400428 C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\config\vab0726ze.exe C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File created C:\WINDOWS\SysWOW64\config\vab0726ze.pps C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\config\vab0726ze.pps C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File created C:\WINDOWS\SysWOW64\config\vazb0620px.bat C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\vab0726ze.pps C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\config\vab0726ze.exe
PID 2428 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\config\vab0726ze.exe
PID 2428 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\config\vab0726ze.exe
PID 2428 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\config\vab0726ze.exe
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2428 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2740 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 2740 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 2740 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 2740 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\WINDOWS\system32\config\vazb0620px.bat" "

C:\Windows\SysWOW64\config\vab0726ze.exe

vab0726ze.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Windows\System32\config\vab0726ze.pps"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.jowele01.dominiotemporario.com udp
US 8.8.8.8:53 www.jowele01.dominiotemporario.com udp
US 8.8.8.8:53 www.jowele01.dominiotemporario.com udp
US 8.8.8.8:53 www.jowele01.dominiotemporario.com udp
US 8.8.8.8:53 www.jowele01.dominiotemporario.com udp
US 8.8.8.8:53 www.jowele01.dominiotemporario.com udp

Files

C:\Windows\SysWOW64\config\vazb0620px.bat

MD5 c6a0739c021bb5858ec6c6de1bf4defc
SHA1 4333ec7cdc0477bc6c0d4d70c6655d933eccec3f
SHA256 9a03e38cd7c3930c4f0251e281310c359c0c328ef895c37d8ff935616f5ba94a
SHA512 50c21fe8b8197ce38d3f429757153b3d260a8473640330ff7a7b938f9fd180b7c659a3d77af31a99138b258171f66bda8a6350dfc6983f29cb7e70e09105f2c1

\Windows\SysWOW64\config\vab0726ze.exe

MD5 249c96ac98d01d6d33fe63045c244a6d
SHA1 caf03883a3dd584116bf4b5797c6a96bbdb06587
SHA256 5f0c62ab8647416443254a9f29dddbee33934a7082ef189d988ad78dcd1c3c68
SHA512 212fb0f9294483c62a0334d1ce142f82629d2a3ed315fe6e31c913777b5f1a176ed93d3419a8446a7ffbd2b3198d222cdb0e98330274a05408c82a6db25eccbf

memory/1796-24-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1796-23-0x0000000000020000-0x000000000003B000-memory.dmp

\Windows\SysWOW64\config\LdrAdc.dll

MD5 c7cdd580237ffac1704ffc1c93a9a328
SHA1 a69ad77cf351be1cb53e6a3ca990a37b03297a1d
SHA256 d3e7ce933dc7ece16066033b740eb0ef7c9a0d45d496babd42e8b8b163f87bc4
SHA512 4ee4ec1828ebf99134c6f4a539b9a448566a333c1ef8baf45095f43ba90551105e2fd0ebc529094034644816baf0c4892dddd634ca40397367d1bde64f2d0fc3

memory/2740-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\SysWOW64\config\vab0726ze.pps

MD5 b8e80e2b539ff450e7f5ba4998bbcfa5
SHA1 ba42ff9c3353b0e84ca0dd2c5c34f6969712f358
SHA256 526f8ac5139e0ce09a6b098944bb81c15fda3d816c134eabb02f92e3c9d318f0
SHA512 f0064716ee1fe78055d895323e71b6ed2bf3e94b177512340513ec003aefa6cb3ea4edec245f36eb575e2f6d8873671ea364b4454aad01a675ff8e1e4823f4c7

memory/2740-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1796-46-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1796-48-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1796-47-0x0000000000020000-0x000000000003B000-memory.dmp

memory/1796-51-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1796-61-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1796-64-0x0000000000020000-0x000000000003B000-memory.dmp

memory/1796-63-0x0000000000400000-0x0000000000464000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 00:06

Reported

2024-06-25 00:09

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\config\vab0726ze.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\config\vab0726ze.exe N/A
N/A N/A C:\Windows\SysWOW64\config\vab0726ze.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTStacAvs = "C:\\Users\\Admin\\BTStacAvs.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HkAvgLrj = "C:\\Users\\Admin\\HkAvgLrj.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTStacFrr = "C:\\Users\\Admin\\BTStacFrr.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTStacPgn = "C:\\Users\\Admin\\BTStacPgn.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsgrUpd = "C:\\Users\\Admin\\MsgrUpd.exe" C:\Windows\SysWOW64\config\vab0726ze.exe N/A

Document created with cracked Office version

macro
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\SysWOW64\config\__tmp_rar_sfx_access_check_240612593 | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File created | C:\WINDOWS\SysWOW64\config\vab0726ze.exe | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File created | C:\WINDOWS\SysWOW64\config\vab0726ze.pps | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File created | C:\WINDOWS\SysWOW64\config\vazb0620px.bat | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File opened for modification | C:\WINDOWS\SysWOW64\config\vazb0620px.bat | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File created | C:\WINDOWS\SysWOW64\config\LdrAdc.dll | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File opened for modification | C:\WINDOWS\SysWOW64\config\LdrAdc.dll | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File opened for modification | C:\WINDOWS\SysWOW64\config\vab0726ze.exe | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A
File opened for modification | C:\WINDOWS\SysWOW64\config\vab0726ze.pps | C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | N/A

The __tmp_rar_sfx_access_check_<n> file is the probe a WinRAR self-extracting archive writes to confirm it can write to its extraction directory, so the sample is a RAR SFX stub whose payload (vab0726ze.exe, vab0726ze.pps, vazb0620px.bat, LdrAdc.dll) is extracted into the registry hive directory under SysWOW64\config, a location that normally contains no executables.

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

Processes

Each entry gives the process image followed by its command line.

C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\config\vazb0620px.bat" "

C:\Windows\SysWOW64\config\vab0726ze.exe
  vab0726ze.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Windows\System32\config\vab0726ze.pps" /ou ""

The command lines name C:\Windows\system32\config while the Files section records the dropped files under C:\Windows\SysWOW64\config. That is WoW64 file system redirection, not two sets of files: cmd.exe runs here as the 32-bit SysWOW64 image, and the sample's own "File created" records land in SysWOW64\config, so for those processes System32\config and SysWOW64\config are the same directory. Whether the 64-bit view of System32\config ever held a copy of vab0726ze.pps is not something this report states. The /s switch opens vab0726ze.pps directly as a slide show in PowerPoint.
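The System32/SysWOW64 mismatch above is the sort of thing that breaks naive IOC matching against a file list. The following Python is an added example, not code from the report or from the sandbox: it pulls the absolute paths out of each command line, applies WoW64 file system redirection for the processes that ran as 32-bit, and correlates the result with the dropped-file list. cmd.exe ran from SysWOW64, so wow64=True applies to it; the report does not state POWERPNT.EXE's bitness, so the example resolves its /s argument both ways. The exemption list is the standard set of System32 subdirectories WoW64 does not redirect; the input strings are copied from the Processes and Files sections.

```python
import re

# Constructed input: command lines and dropped files copied from this report.
COMMAND_LINES = {
    'sample': r'"C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"',
    'cmd':    r'C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\config\vazb0620px.bat" "',
    'stage2': r'vab0726ze.exe',
    'office': r'"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Windows\System32\config\vab0726ze.pps" /ou ""',
}
DROPPED_FILES = [
    r'C:\WINDOWS\SysWOW64\config\vazb0620px.bat',
    r'C:\Windows\SysWOW64\config\vab0726ze.exe',
    r'C:\Windows\SysWOW64\config\LdrAdc.dll',
    r'C:\Windows\SysWOW64\config\vab0726ze.pps',
]

# System32 subdirectories that WoW64 leaves unredirected for 32-bit processes.
WOW64_EXEMPT = ('catroot', 'catroot2', 'driverstore', 'drivers\\etc', 'logfiles', 'spool')

# quoted absolute path, or an unquoted one running to the next whitespace
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.I)


def paths_in(cmdline: str):
    """Absolute paths a command line refers to; bare image names cannot be resolved."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmdline)]


def wow64_view(path: str) -> str:
    """Path a 32-bit process actually touches when it names something under System32."""
    m = re.match(r'^([a-z]:\\windows)\\system32\\(.+)$', path, re.I)
    if m is None:
        return path
    root, rest = m.groups()
    low = rest.lower()
    if any(low == e or low.startswith(e + '\\') for e in WOW64_EXEMPT):
        return path
    return f'{root}\\SysWOW64\\{rest}'


def resolve(path: str, wow64: bool) -> str:
    return wow64_view(path) if wow64 else path


def correlate(cmdline: str, wow64: bool, dropped=DROPPED_FILES):
    """(path as written, path the process sees, matching dropped file or None) per path."""
    seen = {d.lower(): d for d in dropped}
    rows = []
    for p in paths_in(cmdline):
        effective = resolve(p, wow64)
        rows.append((p, effective, seen.get(effective.lower())))
    return rows


if __name__ == '__main__':
    for name, wow64 in (('sample', True), ('cmd', True), ('stage2', True),
                        ('office', False), ('office', True)):
        print(f'{name} (wow64={wow64}):')
        for written, effective, match in correlate(COMMAND_LINES[name], wow64):
            print(f'  {written}\n    -> {effective}\n    dropped file: {match}')
```

Only the cmd.exe line resolves to a dropped file once redirection is applied; the stage-2 process was logged with a bare image name, so its command line carries no path to correlate and the image must be taken from the process entry instead. For POWERPNT.EXE the correlation succeeds only under the 32-bit view, which is exactly the question the report leaves open.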

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | www.jowele01.dominiotemporario.com | udp
US | 8.8.8.8:53 | www.jowele01.dominiotemporario.com | udp
US | 8.8.8.8:53 | www.jowele01.dominiotemporario.com | udp

Only DNS traffic to the resolver is recorded: three lookups of www.jowele01.dominiotemporario.com and a reverse lookup of 8.8.8.8. No connection to the resolved host appears in this run.

Files

C:\WINDOWS\SysWOW64\config\vazb0620px.bat

MD5 c6a0739c021bb5858ec6c6de1bf4defc
SHA1 4333ec7cdc0477bc6c0d4d70c6655d933eccec3f
SHA256 9a03e38cd7c3930c4f0251e281310c359c0c328ef895c37d8ff935616f5ba94a
SHA512 50c21fe8b8197ce38d3f429757153b3d260a8473640330ff7a7b938f9fd180b7c659a3d77af31a99138b258171f66bda8a6350dfc6983f29cb7e70e09105f2c1

C:\Windows\SysWOW64\config\vab0726ze.exe

MD5 249c96ac98d01d6d33fe63045c244a6d
SHA1 caf03883a3dd584116bf4b5797c6a96bbdb06587
SHA256 5f0c62ab8647416443254a9f29dddbee33934a7082ef189d988ad78dcd1c3c68
SHA512 212fb0f9294483c62a0334d1ce142f82629d2a3ed315fe6e31c913777b5f1a176ed93d3419a8446a7ffbd2b3198d222cdb0e98330274a05408c82a6db25eccbf

C:\Windows\SysWOW64\config\LdrAdc.dll

MD5 c7cdd580237ffac1704ffc1c93a9a328
SHA1 a69ad77cf351be1cb53e6a3ca990a37b03297a1d
SHA256 d3e7ce933dc7ece16066033b740eb0ef7c9a0d45d496babd42e8b8b163f87bc4
SHA512 4ee4ec1828ebf99134c6f4a539b9a448566a333c1ef8baf45095f43ba90551105e2fd0ebc529094034644816baf0c4892dddd634ca40397367d1bde64f2d0fc3

C:\Windows\SysWOW64\config\vab0726ze.pps

MD5 b8e80e2b539ff450e7f5ba4998bbcfa5
SHA1 ba42ff9c3353b0e84ca0dd2c5c34f6969712f358
SHA256 526f8ac5139e0ce09a6b098944bb81c15fda3d816c134eabb02f92e3c9d318f0
SHA512 f0064716ee1fe78055d895323e71b6ed2bf3e94b177512340513ec003aefa6cb3ea4edec245f36eb575e2f6d8873671ea364b4454aad01a675ff8e1e4823f4c7

memory/2660-18-0x0000000000610000-0x000000000062B000-memory.dmp
memory/2660-20-0x0000000000680000-0x0000000000681000-memory.dmp
memory/720-21-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-23-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-22-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-25-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-24-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-26-0x00007FFD37C10000-0x00007FFD37C20000-memory.dmp
memory/720-27-0x00007FFD37C10000-0x00007FFD37C20000-memory.dmp
memory/2660-33-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2660-34-0x0000000000610000-0x000000000062B000-memory.dmp
memory/720-38-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-39-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-41-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/720-40-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp
memory/2660-42-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2660-44-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2660-46-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2660-47-0x0000000000610000-0x000000000062B000-memory.dmp