Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 16:04
Static task
static1
Behavioral task
behavioral1
Sample
05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
-
Size
512KB
-
MD5
05906c39cad698da162ccf37f3964228
-
SHA1
0cf0214a3cb6a32e5bc139d6dcff6b7cbb2bcd88
-
SHA256
e1d59c5b329a280bc03ddc31f57e993eb14fb4afa7d80c4feb7b99c787699065
-
SHA512
3654a9d697e49d2c245d6dd82c49e5e5db9eedb347e7349d443e9a2247115a15fc27294f3def10a83a71a241fc4266e50d84b4d6633eb5304e139c3b9869c26b
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
aukndlxjlx.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" aukndlxjlx.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
aukndlxjlx.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aukndlxjlx.exe -
Processes:
aukndlxjlx.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aukndlxjlx.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
aukndlxjlx.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aukndlxjlx.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
aukndlxjlx.exejxwnerabjzojkim.exebcavxpqn.exesrsciqapnrjdk.exebcavxpqn.exepid process 2368 aukndlxjlx.exe 876 jxwnerabjzojkim.exe 1568 bcavxpqn.exe 1320 srsciqapnrjdk.exe 524 bcavxpqn.exe -
Loads dropped DLL 5 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeaukndlxjlx.exepid process 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2368 aukndlxjlx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
aukndlxjlx.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aukndlxjlx.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
jxwnerabjzojkim.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wsfodtgr = "jxwnerabjzojkim.exe" jxwnerabjzojkim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "srsciqapnrjdk.exe" jxwnerabjzojkim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceqdicuy = "aukndlxjlx.exe" jxwnerabjzojkim.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
aukndlxjlx.exebcavxpqn.exebcavxpqn.exedescription ioc process File opened (read-only) \??\e: aukndlxjlx.exe File opened (read-only) \??\n: aukndlxjlx.exe File opened (read-only) \??\t: bcavxpqn.exe File opened (read-only) \??\u: bcavxpqn.exe File opened (read-only) \??\t: bcavxpqn.exe File opened (read-only) \??\i: bcavxpqn.exe File opened (read-only) \??\s: bcavxpqn.exe File opened (read-only) \??\a: bcavxpqn.exe File opened (read-only) \??\y: bcavxpqn.exe File opened (read-only) \??\g: bcavxpqn.exe File opened (read-only) \??\m: bcavxpqn.exe File opened (read-only) \??\x: bcavxpqn.exe File opened (read-only) \??\z: bcavxpqn.exe File opened (read-only) \??\k: aukndlxjlx.exe File opened (read-only) \??\u: bcavxpqn.exe File opened (read-only) \??\i: aukndlxjlx.exe File opened (read-only) \??\s: aukndlxjlx.exe File opened (read-only) \??\x: bcavxpqn.exe File opened (read-only) \??\o: bcavxpqn.exe File opened (read-only) \??\j: bcavxpqn.exe File opened (read-only) \??\o: bcavxpqn.exe File opened (read-only) \??\p: bcavxpqn.exe File opened (read-only) \??\r: bcavxpqn.exe File opened (read-only) \??\m: aukndlxjlx.exe File opened (read-only) \??\b: bcavxpqn.exe File opened (read-only) \??\q: bcavxpqn.exe File opened (read-only) \??\b: aukndlxjlx.exe File opened (read-only) \??\h: aukndlxjlx.exe File opened (read-only) \??\q: aukndlxjlx.exe File opened (read-only) \??\t: aukndlxjlx.exe File opened (read-only) \??\m: bcavxpqn.exe File opened (read-only) \??\h: bcavxpqn.exe File opened (read-only) \??\l: bcavxpqn.exe File opened (read-only) \??\w: bcavxpqn.exe File opened (read-only) \??\l: bcavxpqn.exe File opened (read-only) \??\w: bcavxpqn.exe File opened (read-only) \??\g: aukndlxjlx.exe File opened (read-only) \??\p: aukndlxjlx.exe File opened (read-only) \??\z: aukndlxjlx.exe File opened (read-only) \??\z: bcavxpqn.exe File opened (read-only) \??\k: bcavxpqn.exe File opened (read-only) \??\s: bcavxpqn.exe File opened (read-only) \??\l: aukndlxjlx.exe File opened (read-only) \??\r: aukndlxjlx.exe File opened (read-only) \??\w: aukndlxjlx.exe File opened (read-only) \??\a: bcavxpqn.exe File opened (read-only) \??\b: bcavxpqn.exe File opened (read-only) \??\e: bcavxpqn.exe File opened (read-only) \??\o: aukndlxjlx.exe File opened (read-only) \??\e: bcavxpqn.exe File opened (read-only) \??\u: aukndlxjlx.exe File opened (read-only) \??\v: aukndlxjlx.exe File opened (read-only) \??\x: aukndlxjlx.exe File opened (read-only) \??\y: aukndlxjlx.exe File opened (read-only) \??\k: bcavxpqn.exe File opened (read-only) \??\h: bcavxpqn.exe File opened (read-only) \??\i: bcavxpqn.exe File opened (read-only) \??\a: aukndlxjlx.exe File opened (read-only) \??\n: bcavxpqn.exe File opened (read-only) \??\q: bcavxpqn.exe File opened (read-only) \??\v: bcavxpqn.exe File opened (read-only) \??\n: bcavxpqn.exe File opened (read-only) \??\y: bcavxpqn.exe File opened (read-only) \??\j: aukndlxjlx.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
aukndlxjlx.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" aukndlxjlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" aukndlxjlx.exe -
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2240-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\jxwnerabjzojkim.exe autoit_exe \Windows\SysWOW64\aukndlxjlx.exe autoit_exe \Windows\SysWOW64\bcavxpqn.exe autoit_exe C:\Windows\SysWOW64\srsciqapnrjdk.exe autoit_exe C:\Program Files\ExitSync.doc.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe autoit_exe C:\Users\Admin\Downloads\SelectSkip.doc.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeaukndlxjlx.exedescription ioc process File opened for modification C:\Windows\SysWOW64\srsciqapnrjdk.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File created C:\Windows\SysWOW64\aukndlxjlx.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\aukndlxjlx.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File created C:\Windows\SysWOW64\jxwnerabjzojkim.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File created C:\Windows\SysWOW64\bcavxpqn.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File created C:\Windows\SysWOW64\srsciqapnrjdk.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\jxwnerabjzojkim.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bcavxpqn.exe 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll aukndlxjlx.exe -
Drops file in Program Files directory 21 IoCs
Processes:
bcavxpqn.exebcavxpqn.exedescription ioc process File opened for modification C:\Program Files\ExitSync.nal bcavxpqn.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bcavxpqn.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bcavxpqn.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bcavxpqn.exe File opened for modification \??\c:\Program Files\ExitSync.doc.exe bcavxpqn.exe File opened for modification \??\c:\Program Files\ExitSync.doc.exe bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bcavxpqn.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bcavxpqn.exe File created \??\c:\Program Files\ExitSync.doc.exe bcavxpqn.exe File opened for modification C:\Program Files\ExitSync.doc.exe bcavxpqn.exe File opened for modification C:\Program Files\ExitSync.doc.exe bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bcavxpqn.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bcavxpqn.exe File opened for modification C:\Program Files\ExitSync.nal bcavxpqn.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bcavxpqn.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bcavxpqn.exe -
Drops file in Windows directory 4 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEaukndlxjlx.exe05906c39cad698da162ccf37f3964228_JaffaCakes118.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" aukndlxjlx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs aukndlxjlx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12947EF389D52BDB9D233EDD7C8" 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh aukndlxjlx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" aukndlxjlx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc aukndlxjlx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC70B15E4DAB4B8C07FE0EDE037CB" 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat aukndlxjlx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFC4F5A85129131D65F7D94BC94E13C584567366343D79F" 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" aukndlxjlx.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 784 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeaukndlxjlx.exesrsciqapnrjdk.exebcavxpqn.exejxwnerabjzojkim.exebcavxpqn.exepid process 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 876 jxwnerabjzojkim.exe 876 jxwnerabjzojkim.exe 876 jxwnerabjzojkim.exe 876 jxwnerabjzojkim.exe 876 jxwnerabjzojkim.exe 524 bcavxpqn.exe 524 bcavxpqn.exe 524 bcavxpqn.exe 524 bcavxpqn.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 876 jxwnerabjzojkim.exe 1320 srsciqapnrjdk.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2552 explorer.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe Token: SeShutdownPrivilege 2552 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeaukndlxjlx.exesrsciqapnrjdk.exebcavxpqn.exejxwnerabjzojkim.exebcavxpqn.exeexplorer.exepid process 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 876 jxwnerabjzojkim.exe 876 jxwnerabjzojkim.exe 876 jxwnerabjzojkim.exe 524 bcavxpqn.exe 524 bcavxpqn.exe 524 bcavxpqn.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe -
Suspicious use of SendNotifyMessage 31 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeaukndlxjlx.exesrsciqapnrjdk.exebcavxpqn.exeexplorer.exepid process 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 2368 aukndlxjlx.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1320 srsciqapnrjdk.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 1568 bcavxpqn.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe 2552 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 784 WINWORD.EXE 784 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
05906c39cad698da162ccf37f3964228_JaffaCakes118.exeaukndlxjlx.exedescription pid process target process PID 2240 wrote to memory of 2368 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe aukndlxjlx.exe PID 2240 wrote to memory of 2368 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe aukndlxjlx.exe PID 2240 wrote to memory of 2368 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe aukndlxjlx.exe PID 2240 wrote to memory of 2368 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe aukndlxjlx.exe PID 2240 wrote to memory of 876 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe jxwnerabjzojkim.exe PID 2240 wrote to memory of 876 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe jxwnerabjzojkim.exe PID 2240 wrote to memory of 876 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe jxwnerabjzojkim.exe PID 2240 wrote to memory of 876 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe jxwnerabjzojkim.exe PID 2240 wrote to memory of 1568 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe bcavxpqn.exe PID 2240 wrote to memory of 1568 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe bcavxpqn.exe PID 2240 wrote to memory of 1568 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe bcavxpqn.exe PID 2240 wrote to memory of 1568 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe bcavxpqn.exe PID 2240 wrote to memory of 1320 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe srsciqapnrjdk.exe PID 2240 wrote to memory of 1320 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe srsciqapnrjdk.exe PID 2240 wrote to memory of 1320 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe srsciqapnrjdk.exe PID 2240 wrote to memory of 1320 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe srsciqapnrjdk.exe PID 2368 wrote to memory of 524 2368 aukndlxjlx.exe bcavxpqn.exe PID 2368 wrote to memory of 524 2368 aukndlxjlx.exe bcavxpqn.exe PID 2368 wrote to memory of 524 2368 aukndlxjlx.exe bcavxpqn.exe PID 2368 wrote to memory of 524 2368 aukndlxjlx.exe bcavxpqn.exe PID 2240 wrote to memory of 784 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe WINWORD.EXE PID 2240 wrote to memory of 784 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe WINWORD.EXE PID 2240 wrote to memory of 784 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe WINWORD.EXE PID 2240 wrote to memory of 784 2240 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\aukndlxjlx.exeaukndlxjlx.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bcavxpqn.exeC:\Windows\system32\bcavxpqn.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\jxwnerabjzojkim.exejxwnerabjzojkim.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\bcavxpqn.exebcavxpqn.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\srsciqapnrjdk.exesrsciqapnrjdk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exeFilesize
512KB
MD551c7d05608434d91c8c11466b0aa576e
SHA12a0befabe3b5baecdb56e675de35d0ea9caccdaa
SHA25608293eb5061ef6f69181cb348c7f025637f1cfe5c82ad88747404ca32edb508c
SHA5125af81a4d2956f9a990fcfe7a0d2a47a0ec225820accebec60c1f836993c19b3ad7ac5e52d4ad4e389af40dc8ec0acf970ef9aedf7d1be005bae9ce8f3b7e1716
-
C:\Program Files\ExitSync.doc.exeFilesize
512KB
MD51e9167016f4bf5c402b2b69d7fa388b0
SHA1003038c8b333a4c815e1df02769c1506674cdf0c
SHA256022e32fe0af6805d032fb233ee8a417f9c629909b3c36862d4b7c298d9a3b321
SHA512aadbfbaf7e170d42fd36354ebe89002f97bd46a51caf93883e695cc5dd785b8d6f5a953527c9418a84ae9d7b2e911100e02c121b46f25706f6b24f394fb73064
-
C:\Users\Admin\Downloads\SelectSkip.doc.exeFilesize
512KB
MD59ba0f12057732b95193cccadcd1e8058
SHA1d564f0a9de4f9f49687b49db94aa71dc534b1747
SHA2564ebb1278b2f72a2cff6643159b9c0921d9df8e563b20c7ff1253636d5b01d467
SHA512757e2e3a22e7dd23612d8960c0dc09a7fb6080746301d981a69b0e74d94db4604d9c8ab84075160b575ae8cb7f89018147fd2ea604106ff68ef5a63ffdf53c40
-
C:\Windows\SysWOW64\jxwnerabjzojkim.exeFilesize
512KB
MD557556626fd4b7c3138aa57451daf8269
SHA1c255acdc67932ad68a767087fb0736e1ed131501
SHA25645c97ed5e706d32047ef7d583683b540090189b5819511f6a9fc2e1d4b1f5184
SHA512146766fbc68bffc8e31ada4f63a2bec0e78fc3b3bb0e6fd49ad9972b09be86eaf8d1aa5d793f721dc75b21953769b7202061a2eb33bba5c86f5238f0dd3afba0
-
C:\Windows\SysWOW64\srsciqapnrjdk.exeFilesize
512KB
MD5e8f66fcd7694c8717f0f4efcb8a894f9
SHA1c06fdc67f3295dff31ef5e20a88df7d414e66cb2
SHA2564604ed33df6394399a695d50a7ada4ca8aa050126a9150308315f9967c0a0066
SHA5125520dddc4d4edba2ff86ac0ea027c13dd3cd33607e7a8720a345ce967efbcfb7a97aeedfcbf13b9c71b472c2133ee03a6c886bf5e05f96484b465329b6f253bb
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\aukndlxjlx.exeFilesize
512KB
MD530e6950269e4dfd76d86cdfbe5a66028
SHA1df46283418daf2c81683e7c35c3289892669ce23
SHA256f05bb13d00917f1bedb95d1cd3d518988fce1afc6a20c33a89bbb055133814f9
SHA512f03ada1686a2c11b667bfa4cc0d4461b8ba819d52492cd237fa7d606935198863b679f2751472bd88b7493b2998357e9ae3a400a52a3610e817b3be67d693809
-
\Windows\SysWOW64\bcavxpqn.exeFilesize
512KB
MD5feb61eff3c401509184485582362cf6f
SHA1fe4781512cf064dc4b01f99de50cce9a9d830af2
SHA256db3dc8ab01ea5111810c6dca3ad3e6c3ccc270f16e3e7a54849faafed162c92d
SHA512c33cdb2cf3fa7fa56ce835010902a768547d140511f0333c90e7d7c93076e22a32f289f06395f4d2ca4f653a9506df4cf13d57b954c497a35983d7aa6f68113a
-
memory/784-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2240-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/2552-90-0x0000000002590000-0x00000000025A0000-memory.dmpFilesize
64KB