Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 09:09
Static task
static1
Behavioral task
behavioral1
Sample
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe
-
Size
512KB
-
MD5
04d94caa6a97084b6b204a3e81070c5a
-
SHA1
abd419bb1fabfde4cd8cc5c8558ad8db73a14508
-
SHA256
9866404f1c221e476925793f6023f38bf0ddbab112316315239c98af6647e9e9
-
SHA512
713df4b771ef148893091c5fd7f84073b832d41b6408c6c2dcae3761faf8c80bd17393943fda848092ec5df671ff56e85fdb9bc385873680943e14d402497d6d
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
ienbljagqe.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ienbljagqe.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
ienbljagqe.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ienbljagqe.exe -
Processes:
ienbljagqe.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ienbljagqe.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
ienbljagqe.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ienbljagqe.exe -
Executes dropped EXE 6 IoCs
Processes:
ienbljagqe.exetzcbzvypefsjmmj.exeydawfiva.exeuuimtppakfysv.exeydawfiva.exeuuimtppakfysv.exepid process 2684 ienbljagqe.exe 2516 tzcbzvypefsjmmj.exe 2624 ydawfiva.exe 2572 uuimtppakfysv.exe 2608 ydawfiva.exe 2844 uuimtppakfysv.exe -
Loads dropped DLL 6 IoCs
Processes:
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exeienbljagqe.execmd.exepid process 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2684 ienbljagqe.exe 2412 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
ienbljagqe.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ienbljagqe.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
tzcbzvypefsjmmj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dwlglicj = "ienbljagqe.exe" tzcbzvypefsjmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xidlmqib = "tzcbzvypefsjmmj.exe" tzcbzvypefsjmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uuimtppakfysv.exe" tzcbzvypefsjmmj.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ienbljagqe.exeydawfiva.exeydawfiva.exedescription ioc process File opened (read-only) \??\n: ienbljagqe.exe File opened (read-only) \??\v: ienbljagqe.exe File opened (read-only) \??\s: ydawfiva.exe File opened (read-only) \??\b: ydawfiva.exe File opened (read-only) \??\a: ienbljagqe.exe File opened (read-only) \??\k: ienbljagqe.exe File opened (read-only) \??\e: ydawfiva.exe File opened (read-only) \??\w: ydawfiva.exe File opened (read-only) \??\r: ienbljagqe.exe File opened (read-only) \??\p: ydawfiva.exe File opened (read-only) \??\x: ydawfiva.exe File opened (read-only) \??\v: ydawfiva.exe File opened (read-only) \??\y: ienbljagqe.exe File opened (read-only) \??\m: ydawfiva.exe File opened (read-only) \??\n: ydawfiva.exe File opened (read-only) \??\y: ydawfiva.exe File opened (read-only) \??\a: ydawfiva.exe File opened (read-only) \??\r: ydawfiva.exe File opened (read-only) \??\p: ienbljagqe.exe File opened (read-only) \??\s: ienbljagqe.exe File opened (read-only) \??\g: ydawfiva.exe File opened (read-only) \??\b: ienbljagqe.exe File opened (read-only) \??\j: ienbljagqe.exe File opened (read-only) \??\a: ydawfiva.exe File opened (read-only) \??\h: ydawfiva.exe File opened (read-only) \??\x: ydawfiva.exe File opened (read-only) \??\t: ienbljagqe.exe File opened (read-only) \??\z: ienbljagqe.exe File opened (read-only) \??\b: ydawfiva.exe File opened (read-only) \??\g: ydawfiva.exe File opened (read-only) \??\r: ydawfiva.exe File opened (read-only) \??\k: ydawfiva.exe File opened (read-only) \??\s: ydawfiva.exe File opened (read-only) \??\h: ienbljagqe.exe File opened (read-only) \??\m: ienbljagqe.exe File opened (read-only) \??\w: ienbljagqe.exe File opened (read-only) \??\i: ydawfiva.exe File opened (read-only) \??\l: ydawfiva.exe File opened (read-only) \??\q: ydawfiva.exe File opened (read-only) \??\g: ienbljagqe.exe File opened (read-only) \??\l: ienbljagqe.exe File opened (read-only) \??\i: ydawfiva.exe File opened (read-only) \??\u: ydawfiva.exe File opened (read-only) \??\q: ienbljagqe.exe File opened (read-only) \??\q: ydawfiva.exe File opened (read-only) \??\j: ydawfiva.exe File opened (read-only) \??\t: ydawfiva.exe File opened (read-only) \??\u: ydawfiva.exe File opened (read-only) \??\v: ydawfiva.exe File opened (read-only) \??\w: ydawfiva.exe File opened (read-only) \??\l: ydawfiva.exe File opened (read-only) \??\i: ienbljagqe.exe File opened (read-only) \??\e: ydawfiva.exe File opened (read-only) \??\z: ydawfiva.exe File opened (read-only) \??\k: ydawfiva.exe File opened (read-only) \??\o: ydawfiva.exe File opened (read-only) \??\m: ydawfiva.exe File opened (read-only) \??\z: ydawfiva.exe File opened (read-only) \??\h: ydawfiva.exe File opened (read-only) \??\t: ydawfiva.exe File opened (read-only) \??\n: ydawfiva.exe File opened (read-only) \??\o: ydawfiva.exe File opened (read-only) \??\p: ydawfiva.exe File opened (read-only) \??\e: ienbljagqe.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
ienbljagqe.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ienbljagqe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ienbljagqe.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2656-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\tzcbzvypefsjmmj.exe autoit_exe \Windows\SysWOW64\ienbljagqe.exe autoit_exe \Windows\SysWOW64\ydawfiva.exe autoit_exe \Windows\SysWOW64\uuimtppakfysv.exe autoit_exe \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
ienbljagqe.exe04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ienbljagqe.exe File created C:\Windows\SysWOW64\ienbljagqe.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ienbljagqe.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File created C:\Windows\SysWOW64\tzcbzvypefsjmmj.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ydawfiva.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File created C:\Windows\SysWOW64\uuimtppakfysv.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\uuimtppakfysv.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\tzcbzvypefsjmmj.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File created C:\Windows\SysWOW64\ydawfiva.exe 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
Processes:
ydawfiva.exeydawfiva.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ydawfiva.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ydawfiva.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ydawfiva.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ydawfiva.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ydawfiva.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ydawfiva.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ydawfiva.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ydawfiva.exe -
Drops file in Windows directory 5 IoCs
Processes:
WINWORD.EXE04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exeienbljagqe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12E47EF389E53C8BAA23393D7BC" 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ienbljagqe.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ienbljagqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ienbljagqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ienbljagqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1992 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exeienbljagqe.exetzcbzvypefsjmmj.exeydawfiva.exeuuimtppakfysv.exeydawfiva.exeuuimtppakfysv.exepid process 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2516 tzcbzvypefsjmmj.exe 2844 uuimtppakfysv.exe -
Suspicious use of FindShellTrayWindow 21 IoCs
Processes:
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exeienbljagqe.exetzcbzvypefsjmmj.exeydawfiva.exeuuimtppakfysv.exeydawfiva.exeuuimtppakfysv.exepid process 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe -
Suspicious use of SendNotifyMessage 21 IoCs
Processes:
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exeienbljagqe.exetzcbzvypefsjmmj.exeydawfiva.exeuuimtppakfysv.exeydawfiva.exeuuimtppakfysv.exepid process 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2684 ienbljagqe.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2516 tzcbzvypefsjmmj.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2624 ydawfiva.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2572 uuimtppakfysv.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2608 ydawfiva.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe 2844 uuimtppakfysv.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1992 WINWORD.EXE 1992 WINWORD.EXE -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exeienbljagqe.exetzcbzvypefsjmmj.execmd.exeWINWORD.EXEdescription pid process target process PID 2656 wrote to memory of 2684 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ienbljagqe.exe PID 2656 wrote to memory of 2684 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ienbljagqe.exe PID 2656 wrote to memory of 2684 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ienbljagqe.exe PID 2656 wrote to memory of 2684 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ienbljagqe.exe PID 2656 wrote to memory of 2516 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe tzcbzvypefsjmmj.exe PID 2656 wrote to memory of 2516 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe tzcbzvypefsjmmj.exe PID 2656 wrote to memory of 2516 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe tzcbzvypefsjmmj.exe PID 2656 wrote to memory of 2516 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe tzcbzvypefsjmmj.exe PID 2656 wrote to memory of 2624 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ydawfiva.exe PID 2656 wrote to memory of 2624 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ydawfiva.exe PID 2656 wrote to memory of 2624 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ydawfiva.exe PID 2656 wrote to memory of 2624 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe ydawfiva.exe PID 2656 wrote to memory of 2572 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe uuimtppakfysv.exe PID 2656 wrote to memory of 2572 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe uuimtppakfysv.exe PID 2656 wrote to memory of 2572 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe uuimtppakfysv.exe PID 2656 wrote to memory of 2572 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe uuimtppakfysv.exe PID 2684 wrote to memory of 2608 2684 ienbljagqe.exe ydawfiva.exe PID 2684 wrote to memory of 2608 2684 ienbljagqe.exe ydawfiva.exe PID 2684 wrote to memory of 2608 2684 ienbljagqe.exe ydawfiva.exe PID 2684 wrote to memory of 2608 2684 ienbljagqe.exe ydawfiva.exe PID 2516 wrote to memory of 2412 2516 tzcbzvypefsjmmj.exe cmd.exe PID 2516 wrote to memory of 2412 2516 tzcbzvypefsjmmj.exe cmd.exe PID 2516 wrote to memory of 2412 2516 tzcbzvypefsjmmj.exe cmd.exe PID 2516 wrote to memory of 2412 2516 tzcbzvypefsjmmj.exe cmd.exe PID 2412 wrote to memory of 2844 2412 cmd.exe uuimtppakfysv.exe PID 2412 wrote to memory of 2844 2412 cmd.exe uuimtppakfysv.exe PID 2412 wrote to memory of 2844 2412 cmd.exe uuimtppakfysv.exe PID 2412 wrote to memory of 2844 2412 cmd.exe uuimtppakfysv.exe PID 2656 wrote to memory of 1992 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe WINWORD.EXE PID 2656 wrote to memory of 1992 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe WINWORD.EXE PID 2656 wrote to memory of 1992 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe WINWORD.EXE PID 2656 wrote to memory of 1992 2656 04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe WINWORD.EXE PID 1992 wrote to memory of 1116 1992 WINWORD.EXE splwow64.exe PID 1992 wrote to memory of 1116 1992 WINWORD.EXE splwow64.exe PID 1992 wrote to memory of 1116 1992 WINWORD.EXE splwow64.exe PID 1992 wrote to memory of 1116 1992 WINWORD.EXE splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ienbljagqe.exeienbljagqe.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ydawfiva.exeC:\Windows\system32\ydawfiva.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\tzcbzvypefsjmmj.exetzcbzvypefsjmmj.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c uuimtppakfysv.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\uuimtppakfysv.exeuuimtppakfysv.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ydawfiva.exeydawfiva.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\uuimtppakfysv.exeuuimtppakfysv.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
7Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
512KB
MD5c196a12198f2a0038c52f0be2b7243ff
SHA172d6f747d6e46d987ae41584e94060dd382ed480
SHA256e04da2d4f4527bdb6ec480caf971021d23440bf9c9f39ef17eee41fa7a9d0256
SHA512837ea629f6c878723976d640d4037ef249d73b9e1b38df177d91f3a6da3fa3af1839ecb72c33f567b887c1b80b8882a35b0b5c59399850f2e983d367e379681e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5811f2927ed31a901b8db494174bb192e
SHA1cc51adee52f07fcd55b7c01525a105bbcb73d84d
SHA256e1f20659cd66776c20049765f3cd88f7abf64f7e9c4649e630f0796ea0bcde2b
SHA5122592c6f8df0161a41965950f41d5f6a02b7b48b90bc784dec15fd48cb4e98dd84bb1ba812f9847f5346ce56eee0787126135761e774faf462b5aaf41fc6ec25f
-
C:\Windows\SysWOW64\tzcbzvypefsjmmj.exeFilesize
512KB
MD5947ce7d661caf15d6713c67e3374afa2
SHA1dcf2d5936dd14f20c7a95ea29b295a42d74b9869
SHA2564903e27ffef6abd78da3fb5fa808357a1733fde11984e7cecd3cf7de29347588
SHA512178be1e91a61a7e19a37ab521490383ff8d67ccc699bd096628a1a04061cc23c663693c5d8d99e1c5ffc85d06a76c65f07d9b4799d29b65c28a9cb9a7aa18686
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exeFilesize
512KB
MD57d479404878a1f6480db245dd85a96f7
SHA1cdfc7832aa33ae6ffbef202a1d241455a5970695
SHA256267265805ad10224a52676dd1ab1670919a62ef6ef41665793c85b6ad0478af4
SHA512881d724cc718b975f24620ef3b6af7cadae406579e942505d54a5be84cd15d89a7b9f69897ceb266e1fdd9a02b614e97e79786a5456446b7e9e34d8f9847803c
-
\Windows\SysWOW64\ienbljagqe.exeFilesize
512KB
MD5d17a65384779c883acf5cbb98ac658da
SHA11125e3b7eba902740a980495d2d7aa99df063435
SHA256fe0d19ee8657513030180648da8371244dabb70cab68059aa4179982103a300e
SHA512ceca3beec5ae2316da43e42b8346fb0fa85db490e32bc87e4c5757562e2df2899f4cd4cd0e2c502df7c4d646c2712970a0d3378eaa24f97eb52bf8c5245a0b9f
-
\Windows\SysWOW64\uuimtppakfysv.exeFilesize
512KB
MD5c2c2723a26cf58350f5ded6beb3777c4
SHA16046d1f2ff03545cb84587be5f147a04f4f4e785
SHA2569fe347c20870cc1578cbb9c33461b6039075160454a574f5fd1e4ab68c792038
SHA51285266f334eab8a83a1e2923a1ab278d96f34cdc360f5e8837d4bb50e13928b1039c4792766a167bc49fd82e3f7e96e48c325da40bb6e646b11f9b2ebbbd81b4c
-
\Windows\SysWOW64\ydawfiva.exeFilesize
512KB
MD5851b6efe913b48c6accf7fa8e3d98a04
SHA167baf154815f9f90859416c178740be62e13299c
SHA25609564ad071cf7ff96a045dc882acbad8ace7d73bb14aca48a1523143fa261ae6
SHA512a63f20eb41bf1bd1e8c4d97d430d8d852f837b7bcb523eeff1f1a863817c9a415bc9204c09ecf023fb0466e412121b5b856fcf87ee91f923c073026aa806a98e
-
memory/1992-48-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1992-106-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2656-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB