Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-04-2024 01:25
Static task
static1
Behavioral task
behavioral1
Sample
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe
-
Size
512KB
-
MD5
e6506b12acef569b3e62b8ff428c0e80
-
SHA1
06b2719a3bfadf6b12801a0561e2ab63f11852ee
-
SHA256
74fd931ee56c8032739350bc1811e034ce4aee2997b50b4583a98127446c6270
-
SHA512
2a8c9b238db3007668590b0b1ab3181372adbb44d975be0a9b3ad62c806266942447255bb711ab501521deb06218c87421e1e73fba61987526caeb8ed5f7a8d2
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
prmrhtjqoa.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" prmrhtjqoa.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
prmrhtjqoa.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" prmrhtjqoa.exe -
Processes:
prmrhtjqoa.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" prmrhtjqoa.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
prmrhtjqoa.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" prmrhtjqoa.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
prmrhtjqoa.exeinaywyhzidajcwq.exeqjyddmof.exescebbdaqpuqat.exeqjyddmof.exepid Process 944 prmrhtjqoa.exe 1396 inaywyhzidajcwq.exe 1568 qjyddmof.exe 1956 scebbdaqpuqat.exe 596 qjyddmof.exe -
Loads dropped DLL 5 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeprmrhtjqoa.exepid Process 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 944 prmrhtjqoa.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
prmrhtjqoa.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" prmrhtjqoa.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
inaywyhzidajcwq.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aldeqsoc = "prmrhtjqoa.exe" inaywyhzidajcwq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ojmipoga = "inaywyhzidajcwq.exe" inaywyhzidajcwq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "scebbdaqpuqat.exe" inaywyhzidajcwq.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
qjyddmof.exeprmrhtjqoa.exeqjyddmof.exedescription ioc Process File opened (read-only) \??\t: qjyddmof.exe File opened (read-only) \??\x: prmrhtjqoa.exe File opened (read-only) \??\a: qjyddmof.exe File opened (read-only) \??\g: qjyddmof.exe File opened (read-only) \??\i: qjyddmof.exe File opened (read-only) \??\v: qjyddmof.exe File opened (read-only) \??\w: qjyddmof.exe File opened (read-only) \??\e: prmrhtjqoa.exe File opened (read-only) \??\o: prmrhtjqoa.exe File opened (read-only) \??\q: qjyddmof.exe File opened (read-only) \??\u: qjyddmof.exe File opened (read-only) \??\z: qjyddmof.exe File opened (read-only) \??\b: qjyddmof.exe File opened (read-only) \??\h: qjyddmof.exe File opened (read-only) \??\j: qjyddmof.exe File opened (read-only) \??\v: qjyddmof.exe File opened (read-only) \??\w: qjyddmof.exe File opened (read-only) \??\y: qjyddmof.exe File opened (read-only) \??\a: prmrhtjqoa.exe File opened (read-only) \??\g: prmrhtjqoa.exe File opened (read-only) \??\j: prmrhtjqoa.exe File opened (read-only) \??\b: qjyddmof.exe File opened (read-only) \??\s: qjyddmof.exe File opened (read-only) \??\t: qjyddmof.exe File opened (read-only) \??\m: prmrhtjqoa.exe File opened (read-only) \??\h: qjyddmof.exe File opened (read-only) \??\n: qjyddmof.exe File opened (read-only) \??\r: qjyddmof.exe File opened (read-only) \??\l: qjyddmof.exe File opened (read-only) \??\n: qjyddmof.exe File opened (read-only) \??\p: prmrhtjqoa.exe File opened (read-only) \??\t: prmrhtjqoa.exe File opened (read-only) \??\z: prmrhtjqoa.exe File opened (read-only) \??\k: prmrhtjqoa.exe File opened (read-only) \??\s: prmrhtjqoa.exe File opened (read-only) \??\w: prmrhtjqoa.exe File opened (read-only) \??\k: qjyddmof.exe File opened (read-only) \??\s: qjyddmof.exe File opened (read-only) \??\m: qjyddmof.exe File opened (read-only) \??\q: qjyddmof.exe File opened (read-only) \??\x: qjyddmof.exe File opened (read-only) \??\y: qjyddmof.exe File opened (read-only) \??\e: qjyddmof.exe File opened (read-only) \??\l: qjyddmof.exe File opened (read-only) \??\g: qjyddmof.exe File opened (read-only) \??\k: qjyddmof.exe File opened (read-only) \??\m: qjyddmof.exe File opened (read-only) \??\z: qjyddmof.exe File opened (read-only) \??\y: prmrhtjqoa.exe File opened (read-only) \??\o: qjyddmof.exe File opened (read-only) \??\a: qjyddmof.exe File opened (read-only) \??\u: qjyddmof.exe File opened (read-only) \??\j: qjyddmof.exe File opened (read-only) \??\p: qjyddmof.exe File opened (read-only) \??\x: qjyddmof.exe File opened (read-only) \??\o: qjyddmof.exe File opened (read-only) \??\n: prmrhtjqoa.exe File opened (read-only) \??\p: qjyddmof.exe File opened (read-only) \??\b: prmrhtjqoa.exe File opened (read-only) \??\i: prmrhtjqoa.exe File opened (read-only) \??\r: prmrhtjqoa.exe File opened (read-only) \??\l: prmrhtjqoa.exe File opened (read-only) \??\q: prmrhtjqoa.exe File opened (read-only) \??\e: qjyddmof.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
prmrhtjqoa.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" prmrhtjqoa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" prmrhtjqoa.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2236-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x0009000000016d24-5.dat autoit_exe behavioral1/files/0x000900000001224c-17.dat autoit_exe behavioral1/files/0x0007000000016d84-31.dat autoit_exe behavioral1/files/0x00020000000180e5-34.dat autoit_exe behavioral1/files/0x0002000000003d1f-51.dat autoit_exe behavioral1/files/0x0006000000018b96-70.dat autoit_exe behavioral1/files/0x0006000000018ba2-74.dat autoit_exe behavioral1/files/0x0006000000018d06-78.dat autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeprmrhtjqoa.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\prmrhtjqoa.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\inaywyhzidajcwq.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File created C:\Windows\SysWOW64\qjyddmof.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\qjyddmof.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File created C:\Windows\SysWOW64\scebbdaqpuqat.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll prmrhtjqoa.exe File created C:\Windows\SysWOW64\prmrhtjqoa.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\scebbdaqpuqat.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File created C:\Windows\SysWOW64\inaywyhzidajcwq.exe e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe -
Drops file in Program Files directory 22 IoCs
Processes:
qjyddmof.exeqjyddmof.exedescription ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal qjyddmof.exe File opened for modification \??\c:\Program Files\ExitSync.doc.exe qjyddmof.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal qjyddmof.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qjyddmof.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qjyddmof.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qjyddmof.exe File opened for modification \??\c:\Program Files\ExitSync.doc.exe qjyddmof.exe File opened for modification C:\Program Files\ExitSync.doc.exe qjyddmof.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qjyddmof.exe File created \??\c:\Program Files\ExitSync.doc.exe qjyddmof.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qjyddmof.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qjyddmof.exe File opened for modification C:\Program Files\ExitSync.doc.exe qjyddmof.exe File opened for modification C:\Program Files\ExitSync.nal qjyddmof.exe File opened for modification C:\Program Files\ExitSync.nal qjyddmof.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal qjyddmof.exe -
Drops file in Windows directory 4 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeWINWORD.EXEdescription ioc Process File opened for modification C:\Windows\mydoc.rtf e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEprmrhtjqoa.exee6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeexplorer.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf prmrhtjqoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh prmrhtjqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12044E7399F53CABAA6329AD7B9" e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" prmrhtjqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67B1594DAB2B9BB7C90EDE034C8" e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg prmrhtjqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" prmrhtjqoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc prmrhtjqoa.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" prmrhtjqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" prmrhtjqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid Process 2024 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeinaywyhzidajcwq.exescebbdaqpuqat.exeqjyddmof.exeprmrhtjqoa.exeqjyddmof.exepid Process 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 596 qjyddmof.exe 596 qjyddmof.exe 596 qjyddmof.exe 596 qjyddmof.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid Process 2664 explorer.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid Process Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe Token: SeShutdownPrivilege 2664 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeprmrhtjqoa.exeqjyddmof.exeinaywyhzidajcwq.exescebbdaqpuqat.exeqjyddmof.exeexplorer.exepid Process 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 596 qjyddmof.exe 596 qjyddmof.exe 596 qjyddmof.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeprmrhtjqoa.exeqjyddmof.exeinaywyhzidajcwq.exescebbdaqpuqat.exeexplorer.exepid Process 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 944 prmrhtjqoa.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 1568 qjyddmof.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1396 inaywyhzidajcwq.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 1956 scebbdaqpuqat.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid Process 2024 WINWORD.EXE 2024 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exeprmrhtjqoa.exedescription pid Process procid_target PID 2236 wrote to memory of 944 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 30 PID 2236 wrote to memory of 944 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 30 PID 2236 wrote to memory of 944 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 30 PID 2236 wrote to memory of 944 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 30 PID 2236 wrote to memory of 1396 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 31 PID 2236 wrote to memory of 1396 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 31 PID 2236 wrote to memory of 1396 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 31 PID 2236 wrote to memory of 1396 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 31 PID 2236 wrote to memory of 1568 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 32 PID 2236 wrote to memory of 1568 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 32 PID 2236 wrote to memory of 1568 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 32 PID 2236 wrote to memory of 1568 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 32 PID 2236 wrote to memory of 1956 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 33 PID 2236 wrote to memory of 1956 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 33 PID 2236 wrote to memory of 1956 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 33 PID 2236 wrote to memory of 1956 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 33 PID 2236 wrote to memory of 2024 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 34 PID 2236 wrote to memory of 2024 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 34 PID 2236 wrote to memory of 2024 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 34 PID 2236 wrote to memory of 2024 2236 e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe 34 PID 944 wrote to memory of 596 944 prmrhtjqoa.exe 35 PID 944 wrote to memory of 596 944 prmrhtjqoa.exe 35 PID 944 wrote to memory of 596 944 prmrhtjqoa.exe 35 PID 944 wrote to memory of 596 944 prmrhtjqoa.exe 35 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\prmrhtjqoa.exeprmrhtjqoa.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\qjyddmof.exeC:\Windows\system32\qjyddmof.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:596
-
-
-
C:\Windows\SysWOW64\inaywyhzidajcwq.exeinaywyhzidajcwq.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396
-
-
C:\Windows\SysWOW64\qjyddmof.exeqjyddmof.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568
-
-
C:\Windows\SysWOW64\scebbdaqpuqat.exescebbdaqpuqat.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2664
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5160c7df01ea779bd3a796185923f317b
SHA186b0a583a025e6ed8ab9c5e7b29b147a774f7b60
SHA256044b61580a0fdf5675eef520cd3149bc7b002e8dedbd82b4e9621409b5b557d8
SHA512723361c428e8f71d1c0b4e13d2488377c5242ded7375f506dac8eb3dcf01931f5a1828f05a4a0ba1893a53e7ac1007935d8df01bfae623456ecd41a9e48dcbc2
-
Filesize
512KB
MD51b6aaabc6c13139a7b68a52bfb6cfcaa
SHA1c1fca62d89f2b20c1bf555ab1767e72ce8803851
SHA2562cbe728e8651a87ab1a0ab48a70e2845648579ad5f481819dc8a8ad6853b392b
SHA51239392d8acab0ae1ab1be8ffd24f986dadfb7a793f58259b3876a05a8d738e37073b91bd8c3e9a261d6eb0500911f71908fd6fba3c1c1707b87cba9e81469877c
-
Filesize
512KB
MD567dc2fd7e885a5d778fb9a8544450a54
SHA1ab9e66e1ffde412b7aaf1c7c8e8803fc995cc704
SHA2566dedaa890a5fe2605dde7273ed8be43797bbdef2f7e54ff682987ff75094e158
SHA512dff8898ac266796d05c7b86acfacc0f428cd5e1a20a30fee72a5c90c3df654ffd41d38f69d65f0f55b5cb25c404d55aaac2fdcf229228b1310e63fb6cf354b6a
-
Filesize
512KB
MD52b2ce10d525d225362117606da037a6b
SHA1147fef4099419279f10d1cc5b57a00dde3aaa1a4
SHA2567dfadf9ea140d1b6efc842955e3d059bd210a4751001beaf3e1af748a3f97f28
SHA512d56b64fdb5eb016eb6cdede1f589393ddc97d9f779417567cf0d2a752d6e1f77df2a0489fa1a6ba8fc9cf57b01e92776998c92619fb8a7c8c109ba090067d6f4
-
Filesize
512KB
MD5c936aebf8f90265787dc341fdedc67d7
SHA160cb5275362d6a4da154f06b4f8dc558f3684e86
SHA2569d2f7aac0bbeb6d23f201489903936e31e48d8c5c599c8883c25a654e2f20b7d
SHA512a1501859bace1c01973c3fcb8ad3f7faa35771753093e1e0070972c13cbf1766c6e5d030e5b4f113485a5d7901848de9808f22fce2df61238f0f691d911624a0
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5da7cbd537325bde0b3e956d26598d4dc
SHA1e10c7fdd8cd0b0811fbaacb536a6a7a080b8f4ce
SHA256b223b09c7458ea65652e81138bbc0d9a0adedde23f12cfe4cd0d0544f217002b
SHA5125116d0247b772885d61e448cbd4a7a968afc84fbab96200aa718a35e94b156d9f7c5a6211691eb1ecd616fa51fb31e8bf9d1a309bea27cb02b0c756dcfc67c44
-
Filesize
512KB
MD5a88140312ef938c698f91effe670288e
SHA1a464ce2b48812fa3ca0330413af2e3e98e966b51
SHA25633a5d30d745e62dd30e47ed57c502b4ad0d02c4e103c77af475138fefa67fbd5
SHA5128f0ab7033a961fd99b73f31cd4361fdbe14f4c94cc14a77ee72abfbf888e2a79f76eaf588a1c9299e619f8eeac74ebc12e5325521406c70c6b615799244a96cf
-
Filesize
512KB
MD50d4fa131cbcb113f94aea7bfc1352430
SHA15ee297fac3c49efc83fd354b3d02e9865c7262c0
SHA256e169f74510a57b6c2a569703c7455109c636f4c061c16000420b68c3cb70a839
SHA5129bd09505d8e7e30bc85a5af4c03d6c4c0bf00bd70c9f00210af28c47977e95f10b716dd9bee0cd14a9ae2a928f14ddb84f3e3890dd5bd388eeb13b9f60cf859c