Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 13:56
Static task
static1
Behavioral task
behavioral1
Sample
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
-
Size
512KB
-
MD5
055735e29b5b10f70534747b4728f0e0
-
SHA1
9f532602425f9055a1ce843a141b1a8576c00a6d
-
SHA256
e5ce80ae6335e3de4780105efc6f0f92085fd34ebf91d33995128fb5890ac605
-
SHA512
764cca2c2c9cf312a4d30e0661d0091e46ed3e357561eb10c48cb81d079e1740ab6e863f0440734d1d7e2db19a2ba683a941bf22b2c46b203c7cab567dc09135
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
nulloawdjh.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nulloawdjh.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
nulloawdjh.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nulloawdjh.exe -
Processes:
nulloawdjh.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nulloawdjh.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
nulloawdjh.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nulloawdjh.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
nulloawdjh.exeibzdqisomfwkyqc.exellisgqza.exetlsbfmmznivkl.exellisgqza.exepid process 2544 nulloawdjh.exe 2624 ibzdqisomfwkyqc.exe 2540 llisgqza.exe 2712 tlsbfmmznivkl.exe 2552 llisgqza.exe -
Loads dropped DLL 5 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exenulloawdjh.exepid process 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2544 nulloawdjh.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
nulloawdjh.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nulloawdjh.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
ibzdqisomfwkyqc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msbshbux = "nulloawdjh.exe" ibzdqisomfwkyqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctuioktd = "ibzdqisomfwkyqc.exe" ibzdqisomfwkyqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tlsbfmmznivkl.exe" ibzdqisomfwkyqc.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
llisgqza.exenulloawdjh.exellisgqza.exedescription ioc process File opened (read-only) \??\a: llisgqza.exe File opened (read-only) \??\i: nulloawdjh.exe File opened (read-only) \??\l: nulloawdjh.exe File opened (read-only) \??\o: llisgqza.exe File opened (read-only) \??\e: nulloawdjh.exe File opened (read-only) \??\x: llisgqza.exe File opened (read-only) \??\n: llisgqza.exe File opened (read-only) \??\t: llisgqza.exe File opened (read-only) \??\g: nulloawdjh.exe File opened (read-only) \??\g: llisgqza.exe File opened (read-only) \??\r: nulloawdjh.exe File opened (read-only) \??\t: nulloawdjh.exe File opened (read-only) \??\y: llisgqza.exe File opened (read-only) \??\r: llisgqza.exe File opened (read-only) \??\w: llisgqza.exe File opened (read-only) \??\k: llisgqza.exe File opened (read-only) \??\u: llisgqza.exe File opened (read-only) \??\j: nulloawdjh.exe File opened (read-only) \??\n: nulloawdjh.exe File opened (read-only) \??\e: llisgqza.exe File opened (read-only) \??\i: llisgqza.exe File opened (read-only) \??\x: nulloawdjh.exe File opened (read-only) \??\y: nulloawdjh.exe File opened (read-only) \??\b: llisgqza.exe File opened (read-only) \??\n: llisgqza.exe File opened (read-only) \??\b: llisgqza.exe File opened (read-only) \??\m: llisgqza.exe File opened (read-only) \??\s: llisgqza.exe File opened (read-only) \??\t: llisgqza.exe File opened (read-only) \??\s: llisgqza.exe File opened (read-only) \??\r: llisgqza.exe File opened (read-only) \??\y: llisgqza.exe File opened (read-only) \??\w: nulloawdjh.exe File opened (read-only) \??\a: llisgqza.exe File opened (read-only) \??\i: llisgqza.exe File opened (read-only) \??\e: llisgqza.exe File opened (read-only) \??\x: llisgqza.exe File opened (read-only) \??\j: llisgqza.exe File opened (read-only) \??\v: llisgqza.exe File opened (read-only) \??\l: llisgqza.exe File opened (read-only) \??\v: nulloawdjh.exe File opened (read-only) \??\z: llisgqza.exe File opened (read-only) \??\q: llisgqza.exe File opened (read-only) \??\h: nulloawdjh.exe File opened (read-only) \??\g: llisgqza.exe File opened (read-only) \??\k: llisgqza.exe File opened (read-only) \??\q: llisgqza.exe File opened (read-only) \??\u: llisgqza.exe File opened (read-only) \??\w: llisgqza.exe File opened (read-only) \??\k: nulloawdjh.exe File opened (read-only) \??\p: nulloawdjh.exe File opened (read-only) \??\z: nulloawdjh.exe File opened (read-only) \??\m: llisgqza.exe File opened (read-only) \??\v: llisgqza.exe File opened (read-only) \??\a: nulloawdjh.exe File opened (read-only) \??\b: nulloawdjh.exe File opened (read-only) \??\q: nulloawdjh.exe File opened (read-only) \??\s: nulloawdjh.exe File opened (read-only) \??\j: llisgqza.exe File opened (read-only) \??\p: llisgqza.exe File opened (read-only) \??\h: llisgqza.exe File opened (read-only) \??\p: llisgqza.exe File opened (read-only) \??\h: llisgqza.exe File opened (read-only) \??\o: llisgqza.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
nulloawdjh.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" nulloawdjh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" nulloawdjh.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\ibzdqisomfwkyqc.exe autoit_exe \Windows\SysWOW64\nulloawdjh.exe autoit_exe \Windows\SysWOW64\llisgqza.exe autoit_exe C:\Windows\SysWOW64\tlsbfmmznivkl.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exenulloawdjh.exedescription ioc process File opened for modification C:\Windows\SysWOW64\ibzdqisomfwkyqc.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll nulloawdjh.exe File opened for modification C:\Windows\SysWOW64\llisgqza.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created C:\Windows\SysWOW64\tlsbfmmznivkl.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\tlsbfmmznivkl.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created C:\Windows\SysWOW64\nulloawdjh.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\nulloawdjh.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created C:\Windows\SysWOW64\ibzdqisomfwkyqc.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created C:\Windows\SysWOW64\llisgqza.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
Processes:
llisgqza.exellisgqza.exedescription ioc process File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe llisgqza.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe llisgqza.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal llisgqza.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe llisgqza.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe llisgqza.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe llisgqza.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe llisgqza.exe -
Drops file in Windows directory 4 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
nulloawdjh.exeWINWORD.EXEexplorer.exe055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc nulloawdjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf nulloawdjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" nulloawdjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFACDFE67F1E2840E3B31819839E5B0F9028B42160332E2BE459A08A9" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77514E7DAB2B8CB7C94ECE534CD" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF8B4F5A85139145D72A7DE7BCE7E13C593766416335D798" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh nulloawdjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat nulloawdjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" nulloawdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2444 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exenulloawdjh.exellisgqza.exeibzdqisomfwkyqc.exetlsbfmmznivkl.exellisgqza.exepid process 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2540 llisgqza.exe 2540 llisgqza.exe 2540 llisgqza.exe 2540 llisgqza.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2552 llisgqza.exe 2552 llisgqza.exe 2552 llisgqza.exe 2552 llisgqza.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2624 ibzdqisomfwkyqc.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe Token: SeShutdownPrivilege 2464 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exenulloawdjh.exellisgqza.exeibzdqisomfwkyqc.exetlsbfmmznivkl.exellisgqza.exeexplorer.exepid process 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2540 llisgqza.exe 2540 llisgqza.exe 2540 llisgqza.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2552 llisgqza.exe 2552 llisgqza.exe 2552 llisgqza.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe -
Suspicious use of SendNotifyMessage 37 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exenulloawdjh.exellisgqza.exeibzdqisomfwkyqc.exetlsbfmmznivkl.exellisgqza.exeexplorer.exepid process 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2544 nulloawdjh.exe 2540 llisgqza.exe 2540 llisgqza.exe 2540 llisgqza.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2624 ibzdqisomfwkyqc.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2712 tlsbfmmznivkl.exe 2552 llisgqza.exe 2552 llisgqza.exe 2552 llisgqza.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe 2464 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2444 WINWORD.EXE 2444 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exenulloawdjh.exedescription pid process target process PID 2188 wrote to memory of 2544 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe nulloawdjh.exe PID 2188 wrote to memory of 2544 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe nulloawdjh.exe PID 2188 wrote to memory of 2544 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe nulloawdjh.exe PID 2188 wrote to memory of 2544 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe nulloawdjh.exe PID 2188 wrote to memory of 2624 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ibzdqisomfwkyqc.exe PID 2188 wrote to memory of 2624 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ibzdqisomfwkyqc.exe PID 2188 wrote to memory of 2624 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ibzdqisomfwkyqc.exe PID 2188 wrote to memory of 2624 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ibzdqisomfwkyqc.exe PID 2188 wrote to memory of 2540 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe llisgqza.exe PID 2188 wrote to memory of 2540 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe llisgqza.exe PID 2188 wrote to memory of 2540 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe llisgqza.exe PID 2188 wrote to memory of 2540 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe llisgqza.exe PID 2188 wrote to memory of 2712 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe tlsbfmmznivkl.exe PID 2188 wrote to memory of 2712 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe tlsbfmmznivkl.exe PID 2188 wrote to memory of 2712 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe tlsbfmmznivkl.exe PID 2188 wrote to memory of 2712 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe tlsbfmmznivkl.exe PID 2544 wrote to memory of 2552 2544 nulloawdjh.exe llisgqza.exe PID 2544 wrote to memory of 2552 2544 nulloawdjh.exe llisgqza.exe PID 2544 wrote to memory of 2552 2544 nulloawdjh.exe llisgqza.exe PID 2544 wrote to memory of 2552 2544 nulloawdjh.exe llisgqza.exe PID 2188 wrote to memory of 2444 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe WINWORD.EXE PID 2188 wrote to memory of 2444 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe WINWORD.EXE PID 2188 wrote to memory of 2444 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe WINWORD.EXE PID 2188 wrote to memory of 2444 2188 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nulloawdjh.exenulloawdjh.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\llisgqza.exeC:\Windows\system32\llisgqza.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ibzdqisomfwkyqc.exeibzdqisomfwkyqc.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\llisgqza.exellisgqza.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\tlsbfmmznivkl.exetlsbfmmznivkl.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
512KB
MD54d0d085a4439f9b24fecd1f43e8df3c3
SHA10b1b2b37e3b0d02671686f2a42b7dc5823dc47e1
SHA256966fb6d8b2f8b7d0f298c1716a6815fd153187dbc9b188632f1320c03926b4e6
SHA5128e41e384b07dd5a25dd7eac3a0cd2294f7acbf6193411117991f4b210535a0c32dcb0cfd266a15a9387d1d073811495d563feab2af73bf0d7f6bdea0dae5c05a
-
C:\Windows\SysWOW64\ibzdqisomfwkyqc.exeFilesize
512KB
MD527d7645031b25e85a992f8d2bb5c33f2
SHA166c8c903cefc4128cb0bb36cfb609e9d39ab8902
SHA2561e8fb59c5d752f98f1bb04c40f60e026a12f8f4e9f1832b3aa61b967a89f11ff
SHA512882eab9e125a7c7b1eca28a65236a59f43eeffb2790461113cd94ad4d38e66987928beb0be3f6c136b3db2197520d444335ca025d4bd7de12112c3e42cdadd59
-
C:\Windows\SysWOW64\tlsbfmmznivkl.exeFilesize
512KB
MD5255afee29dff5d33d263370c2ee9c111
SHA1451fb8f50929c8c74979ef74e653710e959c7989
SHA256c1bb3cb8de62a51dd288e02cbc4c9ad7bf32f7581ef9465044729ec34ff914cf
SHA512a25482cf7c8099dcca5b9a745922519ede3494b2791b8120eac5c5aa508ab12078ae57e2a400382bd5aed8b5e8317a9205b4515ebcd2a94ac26838f2189fa1d3
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\llisgqza.exeFilesize
512KB
MD554da357be2237a5677d84d4b7a156e7a
SHA19afd3162ba85f3c2289b1ff97cfd7c7b9b13e337
SHA2560d4c8c8416e6fb7ab4a64ec78608d08eb8bc573b9e0ed16e450d2a98b4e028ea
SHA5126b8537dc26c57b2658accda2d40ba20d01860e79ded0369b6c203895f80844c9e9102f3affe3fcafd6746e292f05930aac2750c0dce63b078e96ebc5445bc1d5
-
\Windows\SysWOW64\nulloawdjh.exeFilesize
512KB
MD5f4d3b31e2bc65e4fd84d7f40895fefae
SHA10a6eb3ad97c9c984849321f622b057ff8e53f021
SHA256932d109708ae6f15b975f99e45fbe98772efa070ce17870a4a5c77eb18838ea2
SHA512abe6bf5441b2cc0689210897c53d8404a50212cf2622fb3b365b9333371bbbb964f778b7f8bb101088445f7b601fe182a31e61be4e6e29db8cd3b8026f6affb2
-
memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/2444-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2464-78-0x0000000002B50000-0x0000000002B60000-memory.dmpFilesize
64KB