Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 13:59
Static task
static1
Behavioral task
behavioral1
Sample
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe
-
Size
512KB
-
MD5
0558a4458f2ae7f8cdb4374bcb5d59c3
-
SHA1
35fef0d8e3cabbab1e0a637aa59aeb8a03025f25
-
SHA256
0130c611831a1d1fc13740cd600d7eeb505fac3b1c6b1de09415b2655763d57d
-
SHA512
0070f850a651942d963dba1ae883433c949463c3243d21b75e304589af3a9fd45739566decd898f14388a9ff7e553a1301fff0395dda68c3ea7d3e1ff509ecfb
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
wlbswcznug.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" wlbswcznug.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
wlbswcznug.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wlbswcznug.exe -
Processes:
wlbswcznug.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" wlbswcznug.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
wlbswcznug.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wlbswcznug.exe -
Executes dropped EXE 5 IoCs
Processes:
wlbswcznug.exevmetczsodewqlke.exewzwytclq.exethqqyyhxbemrf.exewzwytclq.exepid process 2540 wlbswcznug.exe 2544 vmetczsodewqlke.exe 2552 wzwytclq.exe 2464 thqqyyhxbemrf.exe 2436 wzwytclq.exe -
Loads dropped DLL 5 IoCs
Processes:
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exewlbswcznug.exepid process 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2540 wlbswcznug.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
wlbswcznug.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" wlbswcznug.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
vmetczsodewqlke.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cgdtmufv = "wlbswcznug.exe" vmetczsodewqlke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ilxsocic = "vmetczsodewqlke.exe" vmetczsodewqlke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "thqqyyhxbemrf.exe" vmetczsodewqlke.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
wlbswcznug.exewzwytclq.exewzwytclq.exedescription ioc process File opened (read-only) \??\x: wlbswcznug.exe File opened (read-only) \??\i: wzwytclq.exe File opened (read-only) \??\t: wzwytclq.exe File opened (read-only) \??\k: wzwytclq.exe File opened (read-only) \??\e: wlbswcznug.exe File opened (read-only) \??\k: wlbswcznug.exe File opened (read-only) \??\p: wlbswcznug.exe File opened (read-only) \??\q: wlbswcznug.exe File opened (read-only) \??\h: wzwytclq.exe File opened (read-only) \??\r: wzwytclq.exe File opened (read-only) \??\a: wlbswcznug.exe File opened (read-only) \??\n: wlbswcznug.exe File opened (read-only) \??\w: wlbswcznug.exe File opened (read-only) \??\z: wlbswcznug.exe File opened (read-only) \??\r: wzwytclq.exe File opened (read-only) \??\y: wzwytclq.exe File opened (read-only) \??\g: wzwytclq.exe File opened (read-only) \??\m: wzwytclq.exe File opened (read-only) \??\s: wzwytclq.exe File opened (read-only) \??\n: wzwytclq.exe File opened (read-only) \??\q: wzwytclq.exe File opened (read-only) \??\h: wlbswcznug.exe File opened (read-only) \??\j: wzwytclq.exe File opened (read-only) \??\p: wzwytclq.exe File opened (read-only) \??\u: wzwytclq.exe File opened (read-only) \??\h: wzwytclq.exe File opened (read-only) \??\p: wzwytclq.exe File opened (read-only) \??\v: wzwytclq.exe File opened (read-only) \??\x: wzwytclq.exe File opened (read-only) \??\b: wlbswcznug.exe File opened (read-only) \??\y: wzwytclq.exe File opened (read-only) \??\b: wzwytclq.exe File opened (read-only) \??\n: wzwytclq.exe File opened (read-only) \??\a: wzwytclq.exe File opened (read-only) \??\j: wzwytclq.exe File opened (read-only) \??\j: wlbswcznug.exe File opened (read-only) \??\q: wzwytclq.exe File opened (read-only) \??\e: wzwytclq.exe File opened (read-only) \??\i: wzwytclq.exe File opened (read-only) \??\u: wzwytclq.exe File opened (read-only) \??\t: wlbswcznug.exe File opened (read-only) \??\e: wzwytclq.exe File opened (read-only) \??\g: wlbswcznug.exe File opened (read-only) \??\z: wzwytclq.exe File opened (read-only) \??\m: wzwytclq.exe File opened (read-only) \??\i: wlbswcznug.exe File opened (read-only) \??\s: wlbswcznug.exe File opened (read-only) \??\w: wzwytclq.exe File opened (read-only) \??\o: wlbswcznug.exe File opened (read-only) \??\l: wzwytclq.exe File opened (read-only) \??\v: wzwytclq.exe File opened (read-only) \??\b: wzwytclq.exe File opened (read-only) \??\t: wzwytclq.exe File opened (read-only) \??\z: wzwytclq.exe File opened (read-only) \??\m: wlbswcznug.exe File opened (read-only) \??\o: wzwytclq.exe File opened (read-only) \??\w: wzwytclq.exe File opened (read-only) \??\g: wzwytclq.exe File opened (read-only) \??\l: wzwytclq.exe File opened (read-only) \??\o: wzwytclq.exe File opened (read-only) \??\l: wlbswcznug.exe File opened (read-only) \??\v: wlbswcznug.exe File opened (read-only) \??\k: wzwytclq.exe File opened (read-only) \??\s: wzwytclq.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
wlbswcznug.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" wlbswcznug.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" wlbswcznug.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2616-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\vmetczsodewqlke.exe autoit_exe \Windows\SysWOW64\wlbswcznug.exe autoit_exe \Windows\SysWOW64\wzwytclq.exe autoit_exe \Windows\SysWOW64\thqqyyhxbemrf.exe autoit_exe C:\Program Files\SuspendCompare.doc.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exewlbswcznug.exedescription ioc process File created C:\Windows\SysWOW64\wlbswcznug.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wlbswcznug.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File created C:\Windows\SysWOW64\vmetczsodewqlke.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vmetczsodewqlke.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll wlbswcznug.exe File created C:\Windows\SysWOW64\wzwytclq.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wzwytclq.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File created C:\Windows\SysWOW64\thqqyyhxbemrf.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\thqqyyhxbemrf.exe 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe -
Drops file in Program Files directory 21 IoCs
Processes:
wzwytclq.exewzwytclq.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe wzwytclq.exe File opened for modification C:\Program Files\SuspendCompare.doc.exe wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal wzwytclq.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe wzwytclq.exe File opened for modification C:\Program Files\SuspendCompare.nal wzwytclq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal wzwytclq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal wzwytclq.exe File created \??\c:\Program Files\SuspendCompare.doc.exe wzwytclq.exe File opened for modification C:\Program Files\SuspendCompare.nal wzwytclq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe wzwytclq.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe wzwytclq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe wzwytclq.exe File opened for modification \??\c:\Program Files\SuspendCompare.doc.exe wzwytclq.exe File opened for modification C:\Program Files\SuspendCompare.doc.exe wzwytclq.exe File opened for modification \??\c:\Program Files\SuspendCompare.doc.exe wzwytclq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe wzwytclq.exe -
Drops file in Windows directory 5 IoCs
Processes:
WINWORD.EXE0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exedescription ioc process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEwlbswcznug.exe0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat wlbswcznug.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB2FE1B22DCD27DD1D28A7F9017" 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" wlbswcznug.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg wlbswcznug.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2192 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exewlbswcznug.exevmetczsodewqlke.exewzwytclq.exethqqyyhxbemrf.exewzwytclq.exepid process 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2436 wzwytclq.exe 2436 wzwytclq.exe 2436 wzwytclq.exe 2436 wzwytclq.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2544 vmetczsodewqlke.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exewlbswcznug.exevmetczsodewqlke.exewzwytclq.exethqqyyhxbemrf.exewzwytclq.exepid process 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2436 wzwytclq.exe 2436 wzwytclq.exe 2436 wzwytclq.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exewlbswcznug.exevmetczsodewqlke.exewzwytclq.exethqqyyhxbemrf.exewzwytclq.exepid process 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2540 wlbswcznug.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2544 vmetczsodewqlke.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2552 wzwytclq.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2464 thqqyyhxbemrf.exe 2436 wzwytclq.exe 2436 wzwytclq.exe 2436 wzwytclq.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2192 WINWORD.EXE 2192 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exewlbswcznug.exeWINWORD.EXEdescription pid process target process PID 2616 wrote to memory of 2540 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wlbswcznug.exe PID 2616 wrote to memory of 2540 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wlbswcznug.exe PID 2616 wrote to memory of 2540 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wlbswcznug.exe PID 2616 wrote to memory of 2540 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wlbswcznug.exe PID 2616 wrote to memory of 2544 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe vmetczsodewqlke.exe PID 2616 wrote to memory of 2544 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe vmetczsodewqlke.exe PID 2616 wrote to memory of 2544 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe vmetczsodewqlke.exe PID 2616 wrote to memory of 2544 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe vmetczsodewqlke.exe PID 2616 wrote to memory of 2552 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wzwytclq.exe PID 2616 wrote to memory of 2552 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wzwytclq.exe PID 2616 wrote to memory of 2552 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wzwytclq.exe PID 2616 wrote to memory of 2552 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe wzwytclq.exe PID 2616 wrote to memory of 2464 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe thqqyyhxbemrf.exe PID 2616 wrote to memory of 2464 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe thqqyyhxbemrf.exe PID 2616 wrote to memory of 2464 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe thqqyyhxbemrf.exe PID 2616 wrote to memory of 2464 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe thqqyyhxbemrf.exe PID 2540 wrote to memory of 2436 2540 wlbswcznug.exe wzwytclq.exe PID 2540 wrote to memory of 2436 2540 wlbswcznug.exe wzwytclq.exe PID 2540 wrote to memory of 2436 2540 wlbswcznug.exe wzwytclq.exe PID 2540 wrote to memory of 2436 2540 wlbswcznug.exe wzwytclq.exe PID 2616 wrote to memory of 2192 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe WINWORD.EXE PID 2616 wrote to memory of 2192 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe WINWORD.EXE PID 2616 wrote to memory of 2192 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe WINWORD.EXE PID 2616 wrote to memory of 2192 2616 0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe WINWORD.EXE PID 2192 wrote to memory of 1688 2192 WINWORD.EXE splwow64.exe PID 2192 wrote to memory of 1688 2192 WINWORD.EXE splwow64.exe PID 2192 wrote to memory of 1688 2192 WINWORD.EXE splwow64.exe PID 2192 wrote to memory of 1688 2192 WINWORD.EXE splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0558a4458f2ae7f8cdb4374bcb5d59c3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\wlbswcznug.exewlbswcznug.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\wzwytclq.exeC:\Windows\system32\wzwytclq.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436 -
C:\Windows\SysWOW64\vmetczsodewqlke.exevmetczsodewqlke.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2544 -
C:\Windows\SysWOW64\wzwytclq.exewzwytclq.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2552 -
C:\Windows\SysWOW64\thqqyyhxbemrf.exethqqyyhxbemrf.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2464 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1688
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\SuspendCompare.doc.exeFilesize
512KB
MD57e79a704dd38dafaacdb5cf838f53140
SHA1b6c141df8a6ec4842100acb1f4df8fab73ca2e39
SHA2569600b4ecd82d3e26f2c39287668dd7bc07adde2b3550d4b7fd435c82c2b57f0b
SHA51276c6e16105c8f2ab2c9cc6d615a2caf378332cde43abde3d90f75b2c4b6a1fccf22329999ae1da6b7085c9381692fa3eb842f0433cb511aa214210189081923c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5d43f191124ed1f12e9a3555f47b505ab
SHA111f39489b1106c3ca48f85477d758110b63ea2fa
SHA25687af2a9c9c0618a0621b7faeb38699e010d60235a7f199bee0b33a8836e603e3
SHA5121d3e7ebb5b99e4150b63bd4be79fb1eafe59f3ca38cf9ef46538b344457f98406db86705aff66e501124c5c32b3be51e2ee6d167a69eaed381078e90868a4fff
-
C:\Windows\SysWOW64\vmetczsodewqlke.exeFilesize
512KB
MD5d0e385a099fc20646cf4ae2a5c7d3aab
SHA171c9bf3d302e99d78cb61cb6018e08b821ab5530
SHA256b0989391e8c4b5d4861eae1ca769e5665bcb8de73d0885744e58309b4e325d0a
SHA5120d3d4729084a885a687eddaf3de64bd670e44aca1a021da562bcc6080dce08cc1f974b812403fb4633840602e1cd77cdb6fd7e2611437e95488c05ecd12139da
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\thqqyyhxbemrf.exeFilesize
512KB
MD50d46073c41a37f8b3a657af0b2b35aea
SHA1c7e1689b99da2044fb601b9780a6911df3294de3
SHA256969c6f3ad0b84a9684fd0b62b6d28ee3943a101a00d06f2c99f7bddb449fada4
SHA5121c2f6299ee0eb0cd28e96c31cfc101427c34f240394b66e61a38231ac69bee4d1b86a30e3f84a05e72e752b71407ffef6dbacf9808571ae9264bd1a592862fac
-
\Windows\SysWOW64\wlbswcznug.exeFilesize
512KB
MD5cab3d715cea12b454f0e2b77deaaef04
SHA156d9fb71df9a7c82d49c3d205219a1f2ca03d09a
SHA256a4f2f7bfe262fe7103edc17db0e756e6c90ad279cb0c42fd61f46a08b5ac9034
SHA512dc5717ed82b64730a2b11d2bd99c015b6f059d8b6e462ec20e7f765052197cf8ea258e669b0b7efcfe28cf3da0d29ad9265f3a06d2874f7490f4c46deb72d46f
-
\Windows\SysWOW64\wzwytclq.exeFilesize
512KB
MD5fd2c6ca84f1a2ac37f74fc078a1770f0
SHA1e39cb5e602285e096cbbe32ed3cbaf8f9e66a270
SHA256096be0bad71ce2408031d2155def3564beaff85947b7c968b2a9d3ad1223ad4f
SHA512f199b73e78d2e06a281e38c0cc7bfc93d7021d90f198a5d56a69a8c6b53c9afdc896edc034c0e554315107ded5e53753c2943bf1d039c870710cc55b7b9def6c
-
memory/2192-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2192-102-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2616-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB