Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 28-04-2024 03:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
- Size: 512KB
- MD5: 0446e413d0015932fb6129acfc846917
- SHA1: 1bd1b53a8cd37078d2031b2b717f3f9b896ee403
- SHA256: 5803fefda64f73ecfceeb179720413aeb2cd9ba0fbc8084c0bd98db9a68c8894
- SHA512: c33424fca6bd7b8543ef1d0f67b1607a3c9f08a924d83bc75ee19cf4133d631f92bf033766db717e7fb52badba67fdc9d500cc4e09348524e7a77c1208ca50f2
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nbwfpbbbmv.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nbwfpbbbmv.exe
Windows security bypass 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nbwfpbbbmv.exe
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nbwfpbbbmv.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
2068 | nbwfpbbbmv.exe
2572 | dknobdathuhdgbs.exe
2644 | tofpugqe.exe
2432 | rmuigezhvnrgj.exe
2316 | tofpugqe.exe
Loads dropped DLL 5 IoCs
Processes:
pid | process
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2068 | nbwfpbbbmv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nbwfpbbbmv.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pjukmxwe = "nbwfpbbbmv.exe" | dknobdathuhdgbs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nhiyywkt = "dknobdathuhdgbs.exe" | dknobdathuhdgbs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rmuigezhvnrgj.exe" | dknobdathuhdgbs.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\x: | nbwfpbbbmv.exe
File opened (read-only) | \??\n: | tofpugqe.exe
File opened (read-only) | \??\p: | tofpugqe.exe
File opened (read-only) | \??\t: | tofpugqe.exe
File opened (read-only) | \??\k: | tofpugqe.exe
File opened (read-only) | \??\w: | tofpugqe.exe
File opened (read-only) | \??\b: | tofpugqe.exe
File opened (read-only) | \??\e: | tofpugqe.exe
File opened (read-only) | \??\k: | tofpugqe.exe
File opened (read-only) | \??\j: | tofpugqe.exe
File opened (read-only) | \??\j: | tofpugqe.exe
File opened (read-only) | \??\n: | tofpugqe.exe
File opened (read-only) | \??\p: | tofpugqe.exe
File opened (read-only) | \??\z: | tofpugqe.exe
File opened (read-only) | \??\b: | nbwfpbbbmv.exe
File opened (read-only) | \??\o: | tofpugqe.exe
File opened (read-only) | \??\z: | tofpugqe.exe
File opened (read-only) | \??\s: | tofpugqe.exe
File opened (read-only) | \??\p: | nbwfpbbbmv.exe
File opened (read-only) | \??\y: | nbwfpbbbmv.exe
File opened (read-only) | \??\a: | tofpugqe.exe
File opened (read-only) | \??\l: | tofpugqe.exe
File opened (read-only) | \??\h: | tofpugqe.exe
File opened (read-only) | \??\l: | tofpugqe.exe
File opened (read-only) | \??\h: | nbwfpbbbmv.exe
File opened (read-only) | \??\z: | nbwfpbbbmv.exe
File opened (read-only) | \??\k: | nbwfpbbbmv.exe
File opened (read-only) | \??\v: | nbwfpbbbmv.exe
File opened (read-only) | \??\h: | tofpugqe.exe
File opened (read-only) | \??\i: | tofpugqe.exe
File opened (read-only) | \??\u: | tofpugqe.exe
File opened (read-only) | \??\e: | tofpugqe.exe
File opened (read-only) | \??\e: | nbwfpbbbmv.exe
File opened (read-only) | \??\g: | nbwfpbbbmv.exe
File opened (read-only) | \??\j: | nbwfpbbbmv.exe
File opened (read-only) | \??\s: | nbwfpbbbmv.exe
File opened (read-only) | \??\r: | tofpugqe.exe
File opened (read-only) | \??\n: | nbwfpbbbmv.exe
File opened (read-only) | \??\q: | tofpugqe.exe
File opened (read-only) | \??\y: | tofpugqe.exe
File opened (read-only) | \??\i: | nbwfpbbbmv.exe
File opened (read-only) | \??\q: | tofpugqe.exe
File opened (read-only) | \??\w: | tofpugqe.exe
File opened (read-only) | \??\o: | tofpugqe.exe
File opened (read-only) | \??\u: | tofpugqe.exe
File opened (read-only) | \??\v: | tofpugqe.exe
File opened (read-only) | \??\l: | nbwfpbbbmv.exe
File opened (read-only) | \??\g: | tofpugqe.exe
File opened (read-only) | \??\i: | tofpugqe.exe
File opened (read-only) | \??\m: | tofpugqe.exe
File opened (read-only) | \??\m: | nbwfpbbbmv.exe
File opened (read-only) | \??\x: | tofpugqe.exe
File opened (read-only) | \??\q: | nbwfpbbbmv.exe
File opened (read-only) | \??\t: | nbwfpbbbmv.exe
File opened (read-only) | \??\u: | nbwfpbbbmv.exe
File opened (read-only) | \??\r: | tofpugqe.exe
File opened (read-only) | \??\v: | tofpugqe.exe
File opened (read-only) | \??\g: | tofpugqe.exe
File opened (read-only) | \??\a: | nbwfpbbbmv.exe
File opened (read-only) | \??\o: | nbwfpbbbmv.exe
File opened (read-only) | \??\w: | nbwfpbbbmv.exe
File opened (read-only) | \??\m: | tofpugqe.exe
File opened (read-only) | \??\a: | tofpugqe.exe
File opened (read-only) | \??\b: | tofpugqe.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nbwfpbbbmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nbwfpbbbmv.exe
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2612-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\dknobdathuhdgbs.exe | autoit_exe
\Windows\SysWOW64\nbwfpbbbmv.exe | autoit_exe
\Windows\SysWOW64\tofpugqe.exe | autoit_exe
\Windows\SysWOW64\rmuigezhvnrgj.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\nbwfpbbbmv.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dknobdathuhdgbs.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nbwfpbbbmv.exe
File created | C:\Windows\SysWOW64\nbwfpbbbmv.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dknobdathuhdgbs.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tofpugqe.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tofpugqe.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rmuigezhvnrgj.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rmuigezhvnrgj.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | tofpugqe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | tofpugqe.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tofpugqe.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | tofpugqe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tofpugqe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tofpugqe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tofpugqe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | tofpugqe.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nbwfpbbbmv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC6791590DBB2B9CD7FE3ED9537CD" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nbwfpbbbmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | nbwfpbbbmv.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2480 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2572 | dknobdathuhdgbs.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2068 | nbwfpbbbmv.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2572 | dknobdathuhdgbs.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2644 | tofpugqe.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2432 | rmuigezhvnrgj.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
2316 | tofpugqe.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2480 | WINWORD.EXE
2480 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description | pid | process | target process
PID 2612 wrote to memory of 2068 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | nbwfpbbbmv.exe
PID 2612 wrote to memory of 2068 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | nbwfpbbbmv.exe
PID 2612 wrote to memory of 2068 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | nbwfpbbbmv.exe
PID 2612 wrote to memory of 2068 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | nbwfpbbbmv.exe
PID 2612 wrote to memory of 2572 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2572 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2572 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2572 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2644 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | tofpugqe.exe
PID 2612 wrote to memory of 2644 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | tofpugqe.exe
PID 2612 wrote to memory of 2644 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | tofpugqe.exe
PID 2612 wrote to memory of 2644 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | tofpugqe.exe
PID 2612 wrote to memory of 2432 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | rmuigezhvnrgj.exe
PID 2612 wrote to memory of 2432 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | rmuigezhvnrgj.exe
PID 2612 wrote to memory of 2432 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | rmuigezhvnrgj.exe
PID 2612 wrote to memory of 2432 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | rmuigezhvnrgj.exe
PID 2068 wrote to memory of 2316 | 2068 | nbwfpbbbmv.exe | tofpugqe.exe
PID 2068 wrote to memory of 2316 | 2068 | nbwfpbbbmv.exe | tofpugqe.exe
PID 2068 wrote to memory of 2316 | 2068 | nbwfpbbbmv.exe | tofpugqe.exe
PID 2068 wrote to memory of 2316 | 2068 | nbwfpbbbmv.exe | tofpugqe.exe
PID 2612 wrote to memory of 2480 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | WINWORD.EXE
PID 2612 wrote to memory of 2480 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | WINWORD.EXE
PID 2612 wrote to memory of 2480 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | WINWORD.EXE
PID 2612 wrote to memory of 2480 | 2612 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | WINWORD.EXE
PID 2480 wrote to memory of 1556 | 2480 | WINWORD.EXE | splwow64.exe
PID 2480 wrote to memory of 1556 | 2480 | WINWORD.EXE | splwow64.exe
PID 2480 wrote to memory of 1556 | 2480 | WINWORD.EXE | splwow64.exe
PID 2480 wrote to memory of 1556 | 2480 | WINWORD.EXE | splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0446e413d0015932fb6129acfc846917_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0446e413d0015932fb6129acfc846917_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nbwfpbbbmv.exenbwfpbbbmv.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tofpugqe.exeC:\Windows\system32\tofpugqe.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\dknobdathuhdgbs.exedknobdathuhdgbs.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\tofpugqe.exetofpugqe.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\rmuigezhvnrgj.exermuigezhvnrgj.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
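The WriteProcessMemory events and the process tree above can be cross-checked mechanically rather than by eye. The following Python is an added example, not part of the sandbox report or of any tool it describes: WPM_LOG and REPORTED_TREE are the page's own data copied inline, and the parser, the tree reconstruction and the consistency checks are this example's code. The regular expression encodes an assumption about the report's wording ("PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"); a target written by two different PIDs is treated as a possible injection and raised as an error, which this log never triggers.

```python
"""Rebuild the process tree from this report's WriteProcessMemory events and
check it against the process tree the report draws.

Added example, not part of the sandbox report: WPM_LOG and REPORTED_TREE are
copied from the report; the parsing and the checks are this example's own."""
import re
from collections import Counter, defaultdict

SAMPLE = "0446e413d0015932fb6129acfc846917_JaffaCakes118.exe"
# Report wording: "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WPM_LOG = f"""
PID 2612 wrote to memory of 2068 2612 {SAMPLE} nbwfpbbbmv.exe
PID 2612 wrote to memory of 2068 2612 {SAMPLE} nbwfpbbbmv.exe
PID 2612 wrote to memory of 2068 2612 {SAMPLE} nbwfpbbbmv.exe
PID 2612 wrote to memory of 2068 2612 {SAMPLE} nbwfpbbbmv.exe
PID 2612 wrote to memory of 2572 2612 {SAMPLE} dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2572 2612 {SAMPLE} dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2572 2612 {SAMPLE} dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2572 2612 {SAMPLE} dknobdathuhdgbs.exe
PID 2612 wrote to memory of 2644 2612 {SAMPLE} tofpugqe.exe
PID 2612 wrote to memory of 2644 2612 {SAMPLE} tofpugqe.exe
PID 2612 wrote to memory of 2644 2612 {SAMPLE} tofpugqe.exe
PID 2612 wrote to memory of 2644 2612 {SAMPLE} tofpugqe.exe
PID 2612 wrote to memory of 2432 2612 {SAMPLE} rmuigezhvnrgj.exe
PID 2612 wrote to memory of 2432 2612 {SAMPLE} rmuigezhvnrgj.exe
PID 2612 wrote to memory of 2432 2612 {SAMPLE} rmuigezhvnrgj.exe
PID 2612 wrote to memory of 2432 2612 {SAMPLE} rmuigezhvnrgj.exe
PID 2068 wrote to memory of 2316 2068 nbwfpbbbmv.exe tofpugqe.exe
PID 2068 wrote to memory of 2316 2068 nbwfpbbbmv.exe tofpugqe.exe
PID 2068 wrote to memory of 2316 2068 nbwfpbbbmv.exe tofpugqe.exe
PID 2068 wrote to memory of 2316 2068 nbwfpbbbmv.exe tofpugqe.exe
PID 2612 wrote to memory of 2480 2612 {SAMPLE} WINWORD.EXE
PID 2612 wrote to memory of 2480 2612 {SAMPLE} WINWORD.EXE
PID 2612 wrote to memory of 2480 2612 {SAMPLE} WINWORD.EXE
PID 2612 wrote to memory of 2480 2612 {SAMPLE} WINWORD.EXE
PID 2480 wrote to memory of 1556 2480 WINWORD.EXE splwow64.exe
PID 2480 wrote to memory of 1556 2480 WINWORD.EXE splwow64.exe
PID 2480 wrote to memory of 1556 2480 WINWORD.EXE splwow64.exe
PID 2480 wrote to memory of 1556 2480 WINWORD.EXE splwow64.exe
"""
# Parent image -> child images, as the report's process tree shows them.
REPORTED_TREE = {
    SAMPLE: ["nbwfpbbbmv.exe", "dknobdathuhdgbs.exe", "tofpugqe.exe", "rmuigezhvnrgj.exe", "WINWORD.EXE"],
    "nbwfpbbbmv.exe": ["tofpugqe.exe"],
    "WINWORD.EXE": ["splwow64.exe"],
}
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

def parse_events(log):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per event."""
    events = []
    for w, t, w2, wi, ti in EVENT_RE.findall(log):
        if w != w2:  # the report prints the writer PID twice; both copies must agree
            raise ValueError(f"writer PID mismatch in event {w}->{t}")
        events.append((int(w), int(t), wi, ti))
    return events

def build_tree(events):
    """Return (images, parent, children, counts). A target written by two different
    PIDs would be a write into an existing process (injection), which a
    creation-only log never shows, so it is treated as an error."""
    images, parent, counts = {}, {}, Counter()
    for w, t, wi, ti in events:
        images[w], images[t] = wi, ti
        if parent.setdefault(t, w) != w:
            raise ValueError(f"PID {t} written by both {parent[t]} and {w}")
        counts[(w, t)] += 1
    children = defaultdict(list)
    for t, w in parent.items():
        children[w].append(t)
    return images, parent, children, counts

def matches_reported(events, reported=REPORTED_TREE):
    """True when writer->target pairs, by image name, are exactly the reported edges."""
    images, _, children, _ = build_tree(events)
    derived = {images[p]: sorted(images[c] for c in kids) for p, kids in children.items()}
    return derived == {p: sorted(k) for p, k in reported.items()}

def render(events):
    """Indented tree, one line per PID, with the event count on each edge."""
    images, parent, children, counts = build_tree(events)
    out = []
    def walk(pid, depth):
        tag = f"  ({counts[parent[pid], pid]} events)" if pid in parent else ""
        out.append(f"{'  ' * depth}{pid} {images[pid]}{tag}")
        for c in children.get(pid, []):
            walk(c, depth + 1)
    for pid in images:
        if pid not in parent:  # root: a writer that was never written to
            walk(pid, 0)
    return "\n".join(out)

if __name__ == "__main__":
    ev = parse_events(WPM_LOG)
    print(render(ev))
    print("consistent with reported tree:", matches_reported(ev))
```

Because the regular expression uses `findall`, the same parser works on the run-on form in which the report's extraction fuses all events onto one line. The check that matters for triage is `build_tree` refusing a target with two writers: that is the shape a real cross-process injection would take, and its absence here is why the "Suspicious use of WriteProcessMemory" signature on this page should be read as process creation.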
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                 Technique (count)                        Sub-technique (count)
Persistence            Boot or Logon Autostart Execution (2)    Registry Run Keys / Startup Folder (1)
                                                                Winlogon Helper DLL (1)
Privilege Escalation   Boot or Logon Autostart Execution (2)    Registry Run Keys / Startup Folder (1)
                                                                Winlogon Helper DLL (1)
Defense Evasion        Hide Artifacts (2)                       Hidden Files and Directories (2)
                       Modify Registry (7)
                       Impair Defenses (2)                      Disable or Modify Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
(with the HideFileExt = 1 change made by nbwfpbbbmv.exe, Explorer shows this file as "PROTTPLV.DOC")
Filesize: 512KB
MD5:    1d4e38f5211035b8adca513450cb1a1a
SHA1:   70c4b140fbcf40c0513e95721c261639c35bdd2a
SHA256: 65c930d0c55d647430de9a1342e51a8da65cf3b24a291de5255af26259332bb6
SHA512: 06daf3c85eecfffed6bef69e5a8793ac4ebdfb0f501b064f1e81f80a3e13627251c44d97a9a741d1ccd9de61ec6101b73fe001dc1ffd90897c10c0f21a022450
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
(Word's own user template, rewritten whenever Word runs; its hash identifies this sandbox image, not the malware)
Filesize: 20KB
MD5:    711674c453ad142482e2f1874edc7e53
SHA1:   0f8eb58fbef000ab1ca44fed156333d11b5fc018
SHA256: dce325546c58745d7d047ac8b38e4ae2d375d945f54565315b359af31e72af0c
SHA512: 2061e86ed54f0f3f2caabeb09a73ea71e61b1999e07cf0791febe795b3587a0b02cf90ee5ba9858f7f8f86ba6970fd70b0a64356b1bd957f832e68315315a772
-
C:\Windows\SysWOW64\dknobdathuhdgbs.exe
Filesize: 512KB
MD5:    7294c675bfb15bf92858d46e8b33a854
SHA1:   3af4727f7c479c322cc0dbbf15a3fc2eb568accb
SHA256: 885d02a6015f536e1fc432361a0570ba9b5448b194fd9b24158d7f36ebc97adf
SHA512: 4ebd71087100e11cf30d144a5143bd3fe64236c1e779d85014054d55808aeb51acd9c10f57e8b4fe5a4070791231d6d6ff603eac4ee53e90609c291b552d2770
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5:    06604e5941c126e2e7be02c5cd9f62ec
SHA1:   4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\nbwfpbbbmv.exe
Filesize: 512KB
MD5:    c51ae5e7e5b358791887b03cc591cb25
SHA1:   eed68357ead134dfaa28922faca6e3d01f1770a5
SHA256: 13e0ef70d1ec9f775e17ec5ba04379176460c3bc3a8fc1a218245305d81441fc
SHA512: 5a3a90d8189666a05f4a410deefa7269d87edfa9812e0fe6f50ad76a73f2466649e3dd3e5b89b1b1ab546ffd0b31fbf64519565af67d1bb6739749abc006a6a5
-
\Windows\SysWOW64\rmuigezhvnrgj.exe
Filesize: 512KB
MD5:    b2d6ec0d3629f1cce2aa232a3a0361d7
SHA1:   8987b7bc77782a45ac343d7bd45cc5d8abc09a1e
SHA256: fde135668f672b5b704d0a8156d291a2b45c6942488f62a389b324b35bd6be4f
SHA512: b1befe5812d819cfdca36392dde710df85289173ce4f8d49d6b254d9f45371748f858410f706853fcbeab7e7bc0d7b97b021bcb2be39f0a40525252918842217
-
\Windows\SysWOW64\tofpugqe.exe
Filesize: 512KB
MD5:    baf4cc40a803fcc95c5b1200177cc2c3
SHA1:   1857cf4cb24ad0be2f17307536b89f9bb3918307
SHA256: aca821be6e687eb3babc29a24da9afd3ca07d6d8880c2d515a71ac31975601b1
SHA512: 46ba1f72e8d18e681360ea57173304f38309b55da491a0bc1db4b25ad7bb2cfb5713834590539040a5825faed3dc606732ad495fe387e02cabb632123bd5e251
-
Note that every dropped executable is 512KB, the same size as the submitted sample, while the file names look generated; when sweeping other hosts, match on hash and size rather than on name.
-
memory/2480-45-0x000000005FFF0000-0x0000000060000000-memory.dmp (PID 2480, WINWORD.EXE)
Filesize: 64KB
-
memory/2480-94-0x000000005FFF0000-0x0000000060000000-memory.dmp (PID 2480, WINWORD.EXE)
Filesize: 64KB
-
memory/2612-0-0x0000000000400000-0x0000000000496000-memory.dmp (PID 2612, the submitted sample; 0x00400000 is the default image base of a 32-bit executable)
Filesize: 600KB
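The hashes above are what a responder would sweep other hosts for. The following Python is an added example, not part of the sandbox report or of any tool it describes: REPORTED_DROPS copies the sizes and SHA-256 values from the Downloads section (Normal.dotm is deliberately left out, since Word rewrites its own template on every run and that hash only identifies the sandbox image), while the sweep logic, the hypothetical demo files and the temporary directory it creates are this example's own. It filters on the report's rounded size before hashing, reports a byte-exact SHA-256 match as strong evidence, and reports a match on file name alone as weak evidence, because the names in this report look generated and need not repeat on another infection.

```python
"""Sweep directories for the files this report lists as dropped, matching on
size and SHA-256 rather than on file name.

Added example, not part of the sandbox report. REPORTED_DROPS is copied from
the report's Downloads section (Normal.dotm left out: Word rewrites its own
template whenever it runs, so that hash only identifies the sandbox image).
The sweep logic and the constructed demo files are this example's own."""
import hashlib
import os
import pathlib
import re
import tempfile

# dropped file name -> (size as the report prints it, SHA-256 from the report)
REPORTED_DROPS = {
    "PROTTPLV.DOC.exe":    ("512KB", "65c930d0c55d647430de9a1342e51a8da65cf3b24a291de5255af26259332bb6"),
    "dknobdathuhdgbs.exe": ("512KB", "885d02a6015f536e1fc432361a0570ba9b5448b194fd9b24158d7f36ebc97adf"),
    "mydoc.rtf":           ("223B",  "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2"),
    "nbwfpbbbmv.exe":      ("512KB", "13e0ef70d1ec9f775e17ec5ba04379176460c3bc3a8fc1a218245305d81441fc"),
    "rmuigezhvnrgj.exe":   ("512KB", "fde135668f672b5b704d0a8156d291a2b45c6942488f62a389b324b35bd6be4f"),
    "tofpugqe.exe":        ("512KB", "aca821be6e687eb3babc29a24da9afd3ca07d6d8880c2d515a71ac31975601b1"),
}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

def split_size(text):
    """'512KB' -> (512, 1024); '223B' -> (223, 1)."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(m[1]), UNITS[m[2]]

def parse_size(text):
    value, unit = split_size(text)
    return value * unit

def size_close(actual_bytes, reported):
    """The report rounds sizes to whole units, so compare at that granularity."""
    value, unit = split_size(reported)
    return round(actual_bytes / unit) == value

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path, drops=REPORTED_DROPS):
    """('hash', name) on a byte-exact match with a listed artefact; ('name', name)
    when only the file name matches (weak evidence); None otherwise."""
    p = pathlib.Path(path)
    size, digest = p.stat().st_size, None
    for name, (reported_size, sha256) in drops.items():
        if size_close(size, reported_size):          # cheap filter before hashing
            digest = digest or sha256_of(p)
            if digest == sha256:
                return ("hash", name)
    if p.name.lower() in {n.lower() for n in drops}:
        return ("name", p.name)
    return None

def sweep(roots, drops=REPORTED_DROPS):
    """Walk each root and return (path, kind, name) for every finding."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                full = os.path.join(dirpath, f)
                hit = classify(full, drops)
                if hit:
                    findings.append((full,) + hit)
    return findings

def demo():
    """Constructed demonstration: a temp tree with a fake mydoc.rtf (right name,
    wrong bytes), a benign file, and a planted file whose hash is added to a copy
    of the table to show a hash hit. Returns (hits_with_report_table, hits_with_planted)."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "Windows").mkdir()
    (root / "Windows" / "mydoc.rtf").write_bytes(b"{\\rtf1 constructed, not the real file}")
    (root / "notes.txt").write_bytes(b"nothing to see here\n")
    planted = root / "Windows" / "planted.bin"
    planted.write_bytes(b"constructed payload bytes\n")
    extended = dict(REPORTED_DROPS)
    extended["planted.bin"] = (f"{planted.stat().st_size}B", sha256_of(planted))
    return sweep([root]), sweep([root], extended)

if __name__ == "__main__":
    for label, findings in zip(("report table", "table + planted hash"), demo()):
        print(label)
        for path, how, name in findings:
            print(f"  {how:4} {name:22} {path}")
```

On a real host the roots would be C:\Windows\SysWOW64, C:\Windows and the Office install directory from the process tree; hash hits are actionable on their own, name-only hits are a prompt to pull the file for analysis. MD5 and SHA-1 from the report are kept for cross-referencing with other feeds but are not used for matching here.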