Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 15:29
Static task: static1
Behavioral task behavioral1: sample 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe on resource win7-20240419-en
Behavioral task behavioral2: sample 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe on resource win10v2004-20240419-en
The signatures and process tree below come from behavioral1, the Windows 7 x64 run (the memory-dump path under "AutoIT Executable" names it); the Windows 10 run is not reproduced on this page.
General

Target: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Size: 512KB
MD5: 0580f46d13a54fe2a64a944f5208765c
SHA1: f143ec3e80757ec10a7a296e8ad575ab6234370b
SHA256: 494160f303a008a58bbba3c70052761dbb2d5f83e07a027d1a2e54c839c231cd
SHA512: 58379d29025cb6d10589a19e900b5e4b4a1f76eeb1575a825ad7a1debff3de05e2911db92e7a4c7596f8193be64a144ce475ce610f3268e515e41b95ca63a0dc
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
gnaxtjwqal.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
With HideFileExt set, Explorer drops known extensions from file names, so the double-extension executables this sample drops later (PROTTPLN.DOC.exe, PushPop.doc.exe) display as PROTTPLN.DOC and PushPop.doc. This is a per-user (HKCU) setting, so it takes effect regardless of the 32-bit registry redirection that affects the HKLM writes below.
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
gnaxtjwqal.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
ShowSuperHidden = 0 keeps files marked hidden+system out of Explorer listings even when "show hidden files" is on.
Windows security bypass 5 IoCs
Processes:
gnaxtjwqal.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
These values silence the Security Center warnings about missing antivirus, firewall and updates. Note the Wow6432Node path: gnaxtjwqal.exe runs from SysWOW64 as a 32-bit process, so its writes to HKLM\SOFTWARE were redirected, while the 64-bit Security Center service reads the native key. The intent is unambiguous, but on this x64 image the change probably had no effect; on a 32-bit host the same code would hit the real key.
Disables RegEdit via registry modification 1 IoCs
Processes:
gnaxtjwqal.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
This is the per-user policy that makes regedit.exe refuse to start ("Registry editing has been disabled by your administrator"). It is not redirected and works as written; combined with the .reg file-type hijack under "Modifies registry class" below, it removes both ways a user would normally undo the other registry changes.
Executes dropped EXE 5 IoCs
Processes:
- PID 2664 gnaxtjwqal.exe
- PID 1712 lwadynorixuyrlv.exe
- PID 2948 rreuvjrv.exe
- PID 2652 tibqdcbrqnogv.exe
- PID 2692 rreuvjrv.exe
rreuvjrv.exe runs twice: once started by the sample (2948) and once by gnaxtjwqal.exe (2692), as the process tree shows.
Loads dropped DLL 5 IoCs
Processes:
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe (4 loads)
- PID 2664 gnaxtjwqal.exe (1 load)
The report does not name the DLLs that were loaded.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes:
gnaxtjwqal.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
The same Security Center writes as under "Windows security bypass", plus FirstRunDisabled; the Wow6432Node caveat given there applies here too.
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
lwadynorixuyrlv.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xeytndlt = "lwadynorixuyrlv.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tibqdcbrqnogv.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wnwldoka = "gnaxtjwqal.exe"
Three points for the responder: the second entry is written to the Run key's (Default) value, which tooling that lists only named values will miss; the 32-bit Run key under Wow6432Node is processed at logon on 64-bit Windows just like the native one; and the data are bare file names with no path, so they resolve through the standard search order at logon, which on a 64-bit Explorer looks in System32 rather than the SysWOW64 directory the files were dropped in. Whether the autostart actually fires on this image is worth verifying rather than assuming.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gnaxtjwqal.exe (PID 2664), rreuvjrv.exe (PIDs 2948 and 2692)
- gnaxtjwqal.exe: 22 read-only opens of \??\<letter>: for the letters a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, w, x, y, z
- rreuvjrv.exe (both instances together): 42 read-only opens of \??\<letter>: for the letters a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, most of them once per instance
Both components simply walk the alphabet probing for drives, the usual prerequisite for spreading to removable and network drives; this run only records file drops on C:. The listing is capped at 64 events, so a letter missing from the list was not necessarily skipped.
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
gnaxtjwqal.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the old Windows 2000/XP value for switching off Windows File Protection. Vista and later replaced WFP with Windows Resource Protection, which does not honour these values, and the write went to the Wow6432Node view anyway. Treat it as a fingerprint of legacy worm code rather than as a working SFC bypass on this image.
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched on:
- behavioral1/memory/2284-0-0x0000000000400000-0x0000000000496000-memory.dmp (the running sample's own image, PID 2284)
- C:\Windows\SysWOW64\lwadynorixuyrlv.exe
- \Windows\SysWOW64\gnaxtjwqal.exe
- \Windows\SysWOW64\rreuvjrv.exe
- \Windows\SysWOW64\tibqdcbrqnogv.exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- C:\Users\Admin\AppData\Roaming\PushPop.doc.exe
Every component, including the two document look-alikes, is itself a compiled AutoIt script, which is what makes the double-extension files under HideFileExt effective lures. PushPop.doc.exe in the Roaming profile appears only in this YARA list; no file-drop signature on the page records who wrote it.
Drops file in System32 directory 9 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, gnaxtjwqal.exe
- File created C:\Windows\SysWOW64\gnaxtjwqal.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\gnaxtjwqal.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\lwadynorixuyrlv.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\lwadynorixuyrlv.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\rreuvjrv.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\rreuvjrv.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\tibqdcbrqnogv.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tibqdcbrqnogv.exe (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (gnaxtjwqal.exe)
The sample wrote its four components into SysWOW64 (the 32-bit system directory; writing there requires administrative rights, which the sandbox user has). gnaxtjwqal.exe also opened the VB6 runtime msvbvm60.dll for modification; the report records the open, not whether the file's content changed, so the DLL's hash should be compared against a known-good copy on any affected host.
Drops file in Program Files directory 14 IoCs
Processes: rreuvjrv.exe (PIDs 2948 and 2692)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (twice)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (twice)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (twice)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (twice)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (twice)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (twice)
The stems match Word's own PROTTPLN.DOC and PROTTPLV.DOC in that folder: rreuvjrv.exe writes an executable copy of itself next to each document it finds, named <document>.exe so that it shows as the document once HideFileExt is set. The .nal files with the same stems are opened for modification alongside; the report does not show what they contain.
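A hunt for the on-disk pattern recorded by the "AutoIT Executable" and "Drops file in Program Files directory" signatures (executables named like documents, compiled from AutoIt), as an added example that is not part of the Triage report and is not the sample's code. What it assumes, beyond the two file names in the report: the list of document extensions to treat as masquerade targets, the 20 MB size cap, scanning every mounted filesystem drive the way the sample walked drive letters, the two AutoIt marker strings, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the Triage report or the sample): find executables named like
# documents (PROTTPLN.DOC.exe, PushPop.doc.exe are the report's instances) and test each
# for the marker the compiled-AutoIt stub carries. Assumptions: the extension list, the
# 20 MB cap, scanning every filesystem drive, and the exact marker strings.

$docExtensions = 'doc', 'docx', 'rtf', 'xls', 'xlsx', 'ppt', 'pptx', 'pdf', 'txt'
$namePattern   = '\.(' + ($docExtensions -join '|') + ')\.exe$'   # -match is case-insensitive
$maxBytes      = 20MB
$markers       = @(
    'This is a compiled AutoIt script'   # text in the AutoIt3 Aut2Exe stub (assumed exact wording)
    'AU3!'                               # prefix of the embedded-script resource signature (assumed)
)

function Test-Marker([string]$Text, [string]$Marker) {
    # The stub may hold the text as ASCII or UTF-16LE; check both forms.
    $wide = -join ($Marker.ToCharArray() | ForEach-Object { [string]$_ + [char]0 })
    return $Text.Contains($Marker) -or $Text.Contains($wide)
}

function Get-ExeEvidence([string]$Path) {
    # One read per file: MZ header check plus a substring search for each marker.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $isPe  = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
    # Latin-1 maps every byte to exactly one char, so String.Contains works on binary content.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $found = @($markers | Where-Object { Test-Marker -Text $text -Marker $_ })
    [pscustomobject]@{
        Path          = $Path
        Length        = $bytes.Length
        IsPE          = $isPe
        AutoItMarkers = ($found -join ', ')
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Find-MasqueradingExecutables([string[]]$Roots) {
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $namePattern -and $_.Length -le $maxBytes } |
            ForEach-Object { Get-ExeEvidence -Path $_.FullName }
    }
}

# The sample probed every drive letter; scan every filesystem drive that is actually mounted.
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -and (Test-Path -LiteralPath $_.Root) } |
    Select-Object -ExpandProperty Root

Find-MasqueradingExecutables -Roots $roots | Sort-Object Path | Format-Table -AutoSize
```

A hit with IsPE true and a non-empty AutoItMarkers column matches this sample's dropped files; a PE with no marker is still worth a look, since the masquerade is the stronger signal and the marker only tells you the compiler. Run it as an administrator so Program Files and other users' profiles are readable.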
Drops file in Windows directory 5 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, WINWORD.EXE
- File opened for modification C:\Windows\mydoc.rtf (0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
The sample writes mydoc.rtf and then launches Word on it (see the process tree): the usual decoy, so the victim sees a document open. ~$mydoc.rtf is Word's owner/lock file and wiatrace.log is the Windows Image Acquisition trace log; both are side effects of Word starting, not attacker activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE (31 entries). Below, <IE-HKLM> stands for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer and <IE-HKCU> for \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer.
- Key deleted <IE-HKLM>\Default HTML Editor
- Key deleted <IE-HKLM>\Default HTML Editor\shell
- Key deleted <IE-HKLM>\Default HTML Editor\shell\edit
- Key deleted <IE-HKLM>\Default HTML Editor\shell\edit\COMMAND
- Key created <IE-HKLM>\Default HTML Editor
- Key created <IE-HKLM>\Default HTML Editor\shell
- Key created <IE-HKLM>\Default HTML Editor\shell\edit
- Key created <IE-HKLM>\Default HTML Editor\shell\edit\command
- Set value (str) <IE-HKLM>\Default HTML Editor\shell\edit\ = "&Edit"
- Set value (str) <IE-HKLM>\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (data) <IE-HKLM>\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key deleted <IE-HKLM>\Default MHTML Editor
- Key deleted <IE-HKLM>\Default MHTML Editor\shell
- Key deleted <IE-HKLM>\Default MHTML Editor\shell\edit
- Key deleted <IE-HKLM>\Default MHTML Editor\shell\edit\COMMAND
- Key created <IE-HKLM>\Default MHTML Editor
- Key created <IE-HKLM>\Default MHTML Editor\shell
- Key created <IE-HKLM>\Default MHTML Editor\shell\edit
- Key created <IE-HKLM>\Default MHTML Editor\shell\edit\command
- Set value (str) <IE-HKLM>\Default MHTML Editor\shell\edit\ = "&Edit"
- Set value (str) <IE-HKLM>\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (data) <IE-HKLM>\Default MHTML Editor\shell\edit\command\command = (same data as the HTML Editor entry above)
- Key created <IE-HKCU>\Toolbar
- Set value (str) <IE-HKCU>\Toolbar\ShowDiscussionButton = "Yes"
- Key created <IE-HKCU>\MenuExt
- Key created <IE-HKCU>\MenuExt\Se&nd to OneNote
- Set value (str) <IE-HKCU>\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int) <IE-HKCU>\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created <IE-HKCU>\MenuExt\E&xport to Microsoft Excel
- Set value (str) <IE-HKCU>\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (int) <IE-HKCU>\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
All of this is Office 2010 re-registering itself as the HTML/MHTML editor and adding its IE context-menu entries when Word is launched for the first time in the profile; it is noise caused by the decoy document, not attacker activity. The binary "command" value is a UTF-16LE string beginning xb'BV5!!!!!!!!!MKKSkWORDFiles>, the Windows Installer "Darwin descriptor" Office uses for install-on-demand, not an injected command line.
Modifies registry class 64 IoCs
Processes: WINWORD.EXE, 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, gnaxtjwqal.exe (listing capped at 64 entries). Below, <CLS> stands for \REGISTRY\MACHINE\SOFTWARE\Classes; <D-Word>, <D-Pub> and <D-Excel> stand for the three binary values spelled out at the end.

gnaxtjwqal.exe (9 entries), the one part of this signature that matters: script and registry-file extensions are pointed at the plain-text ProgID, so double-clicking a .bat, .reg, .vbs or .wsh file opens it in Notepad instead of running it. HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit views, so unlike the Security Center writes this change is effective, and together with DisableRegistryTools it blocks the obvious manual clean-up (a fix-it .reg file or a batch script).
- Key created <CLS>\.wsf
- Key created <CLS>\.vbs
- Key created <CLS>\.wsc
- Key created <CLS>\.reg
- Key created <CLS>\.wsh
- Set value (str) <CLS>\.bat\ = "txtfile"
- Set value (str) <CLS>\.reg\ = "txtfile"
- Set value (str) <CLS>\.vbs\ = "txtfile"
- Set value (str) <CLS>\.WSH\ = "txtfile"

0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe (4 entries), the sample's own state key. The report does not reveal what the three hex strings encode, but the key name and values are usable host indicators:
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) <CLS>\CLV.Classes\Com1 = "33442C769C5782576D4176A177212DDF7D8F64AC"
- Set value (str) <CLS>\CLV.Classes\Com3 = "2EB2B0284792389852C8BAA733E8D4B9"
- Set value (str) <CLS>\CLV.Classes\StartCom2 = "1948C6741490DBBFB8CA7CE0ED9237CD"

WINWORD.EXE (51 entries): Office 2010 registering its HTML/MHTML "Open with" and icon handlers on first launch, the same first-run noise as under "Modifies Internet Explorer settings".
- Key created <CLS>\.htm
- Key created <CLS>\.htm\OpenWithList\Microsoft Excel
- Key created <CLS>\.htm\OpenWithList\Microsoft Excel\shell\edit
- Key created <CLS>\.htm\OpenWithList\Microsoft Excel\shell\edit\command
- Key created <CLS>\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Key created <CLS>\.htm\OpenWithList\Excel.exe\shell\edit\command
- Set value (str) <CLS>\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Key created <CLS>\.htm\OpenWithList\Microsoft Publisher\shell\edit
- Key created <CLS>\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
- Set value (str) <CLS>\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created <CLS>\.htm\OpenWithList\MSPub.exe\shell\edit
- Set value (str) <CLS>\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (str) <CLS>\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (data) <CLS>\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = <D-Pub>
- Key created <CLS>\.htm\OpenWithList\WinWord.exe\shell\edit
- Set value (str) <CLS>\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Set value (str) <CLS>\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created <CLS>\.mht\OpenWithList\Excel.exe
- Key created <CLS>\.mht\OpenWithList\Excel.exe\shell\edit\command
- Set value (str) <CLS>\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Set value (data) <CLS>\.mht\OpenWithList\Excel.exe\shell\edit\command\command = <D-Excel>
- Key created <CLS>\.mht\OpenWithList\Microsoft Excel\shell\edit
- Key created <CLS>\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Set value (str) <CLS>\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created <CLS>\.mht\OpenWithList\Microsoft Publisher
- Key created <CLS>\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
- Set value (str) <CLS>\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (data) <CLS>\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = <D-Pub>
- Key created <CLS>\.mht\OpenWithList\Microsoft Word\shell\edit\command
- Set value (str) <CLS>\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (data) <CLS>\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = <D-Word>
- Key created <CLS>\.mht\OpenWithList\WinWord.exe\shell\edit
- Set value (str) <CLS>\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Key created <CLS>\htmlfile\shell
- Key created <CLS>\htmlfile\ShellEx
- Key deleted <CLS>\htmlfile\shell\Print
- Key created <CLS>\mhtmlfile\shell
- Key created <CLS>\mhtmlfile\shell\Edit
- Key deleted <CLS>\mhtmlfile\shell\Edit
- Set value (str) <CLS>\mhtmlfile\shell\Edit\ = "&Edit"
- Set value (str) <CLS>\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key created <CLS>\mhtmlfile\shell\Print
- Key created <CLS>\mhtmlfile\shell\Print\command
- Key created <CLS>\mhtmlfile\DefaultIcon
- Set value (str) <CLS>\mhtmlfile\DefaultIcon\ = "\"%1\""
- Set value (str) <CLS>\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
- Key created <CLS>\Wow6432Node\CLSID
- Key created <CLS>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
- Set value (str) <CLS>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
- Set value (str) <CLS>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
- Key created <CLS>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile

Binary values (REG data as hex; each is a UTF-16LE Windows Installer "Darwin descriptor", the install-on-demand reference Office writes under its handlers):
- <D-Word> = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (decodes to xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1")
- <D-Pub> = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 (decodes to xb'BV5!!!!!!!!!MKKSkPubPrimary>R$nujSWFe?}aLrRp9x@W %1)
- <D-Excel> = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 (decodes to xb'BV5!!!!!!!!!MKKSkEXCELFiles>VijqBof(Y8'w!FId1gLQ /dde)
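A host-side check for the registry changes listed in the signatures above (the Explorer view settings, the Security Center and Winlogon values, DisableRegistryTools, the three Run values and the .bat/.reg/.vbs/.wsh remap), as an added example that is not part of the Triage report and is not the sample's code. Paths and values are the ones the report records. The assumptions are: it runs from an elevated 64-bit PowerShell while the affected user is logged on, so HKCU stands in for the S-1-5-21-…-1000 hive in the report; a value equal to what the sample wrote is reported as a finding; and the native (non-Wow6432Node) paths are checked as well, in case the same code ran on a 32-bit host where no redirection happens.

```powershell
# Added example (not from the Triage report or the sample): check a host for the registry
# values the report attributes to gnaxtjwqal.exe and lwadynorixuyrlv.exe.
# Assumptions: elevated 64-bit PowerShell, affected user logged on (HKCU = the
# S-1-5-21-...-1000 hive in the report), "equals what the sample wrote" = finding.

# Triage prints REG_DWORD values unsigned; PowerShell reads them back as Int32
# (4294967197 == 0xFFFFFF9D == -99 as Int32), so normalise before comparing.
function ConvertTo-UInt32([object]$Value) {
    try {
        if ($Value -is [int32]) { return [uint32](([int64]$Value) -band [int64][uint32]::MaxValue) }
        return [uint32]$Value
    } catch { return $null }
}

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $Name)) { return $null }
    return $item.$Name
}

# (path, value name, data) exactly as the report shows them being written.
$sc = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center'
$wl = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
$writtenValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Data = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Data = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Data = 1 }
    @{ Path = $sc; Name = 'AntiVirusDisableNotify'; Data = 1 }
    @{ Path = $sc; Name = 'FirewallDisableNotify';  Data = 1 }
    @{ Path = $sc; Name = 'UpdatesDisableNotify';   Data = 1 }
    @{ Path = $sc; Name = 'FirstRunDisabled';       Data = 1 }
    @{ Path = $sc; Name = 'AntiVirusOverride';      Data = 1 }
    @{ Path = $sc; Name = 'FirewallOverride';       Data = 1 }
    @{ Path = $wl; Name = 'SFCScan';    Data = 0 }
    @{ Path = $wl; Name = 'SFCDisable'; Data = 4294967197 }
    # script and registry-file types pointed at the Notepad ProgID (HKLM\SOFTWARE\Classes is not redirected)
    @{ Path = 'HKLM:\SOFTWARE\Classes\.bat'; Name = '(default)'; Data = 'txtfile' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\.reg'; Name = '(default)'; Data = 'txtfile' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\.vbs'; Name = '(default)'; Data = 'txtfile' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\.wsh'; Name = '(default)'; Data = 'txtfile' }
)

$findings = foreach ($v in $writtenValues) {
    # Wow6432Node is what the 32-bit process wrote on x64; the native key is what a
    # 32-bit host would have received, so check both.
    $paths = @($v.Path)
    if ($v.Path -like 'HKLM:\SOFTWARE\Wow6432Node\*') { $paths += ($v.Path -replace 'Wow6432Node\\', '') }
    foreach ($p in $paths) {
        $actual = Get-RegValue -Path $p -Name $v.Name
        $isHit  = if ($null -eq $actual)         { $false }
                  elseif ($v.Data -is [string])  { ([string]$actual) -eq $v.Data }
                  else                           { (ConvertTo-UInt32 $actual) -eq [uint32]$v.Data }
        [pscustomobject]@{ Path = $p; Name = $v.Name; SampleWrote = $v.Data; Actual = $actual; MatchesSample = $isHit }
    }
}

# Autostart values. The report shows three written by lwadynorixuyrlv.exe, one of them to
# the key's (default) value, which tooling that lists only named values will miss.
$runKeys = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$droppedNames  = 'gnaxtjwqal.exe', 'lwadynorixuyrlv.exe', 'rreuvjrv.exe', 'tibqdcbrqnogv.exe'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runFindings = foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($prop in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $isHit = ($prop.Name -in 'xeytndlt', 'wnwldoka') -or ($droppedNames -contains ([string]$prop.Value).Trim())
        [pscustomobject]@{ Path = $k; Name = $prop.Name; Actual = $prop.Value; MatchesSample = $isHit }
    }
}

'Registry values equal to what the sample wrote:'
$findings    | Where-Object MatchesS
ample | Format-Table Path, Name, Actual -AutoSize
'Run values matching the sample''s persistence:'
$runFindings | Where-Object MatchesSample | Format-Table Path, Name, Actual -AutoSize
```

A match on the Wow6432Node paths alone, with the native Security Center and Winlogon keys untouched, is the expected picture on a 64-bit host and tells you the sample ran but that those two particular changes never took effect; the HKCU values, the Classes remap and any Run hits are the ones that did.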
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 2524 WINWORD.EXE
Word registers a clipboard listener on every start; this entry is attributable to the decoy document, not to the sample's own code.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (events per PID; the listing is capped at 64, so these are lower bounds):
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe: 8
- PID 2664 gnaxtjwqal.exe: 5
- PID 1712 lwadynorixuyrlv.exe: 17
- PID 2948 rreuvjrv.exe: 4
- PID 2652 tibqdcbrqnogv.exe: 26
- PID 2692 rreuvjrv.exe: 4
The tail of the list alternates between lwadynorixuyrlv.exe and tibqdcbrqnogv.exe for the rest of the run, consistent with the two resident components polling the process list in a loop.
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Processes (the two signatures list the same events: three per process):
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe: 3
- PID 2664 gnaxtjwqal.exe: 3
- PID 2948 rreuvjrv.exe: 3
- PID 1712 lwadynorixuyrlv.exe: 3
- PID 2652 tibqdcbrqnogv.exe: 3
- PID 2692 rreuvjrv.exe: 3
These are low-value signals on their own: the AutoIt runtime, like most GUI programs, touches the shell tray window when it starts, so every compiled-AutoIt component triggers them once.
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 2524 WINWORD.EXE (2 calls)
Word's own message hooks; again attributable to the decoy document being opened rather than to the sample.
Suspicious use of WriteProcessMemory 28 IoCs
Processes (writer → target, four write events per pair):
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe → PID 2664 gnaxtjwqal.exe
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe → PID 1712 lwadynorixuyrlv.exe
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe → PID 2948 rreuvjrv.exe
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe → PID 2652 tibqdcbrqnogv.exe
- PID 2284 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe → PID 2524 WINWORD.EXE
- PID 2664 gnaxtjwqal.exe → PID 2692 rreuvjrv.exe
- PID 2524 WINWORD.EXE → PID 288 splwow64.exe
Every target is a child the writer itself spawned (compare the process tree), so these events are consistent with ordinary process creation rather than with injection into an unrelated process. The pairs are the only place on the page that records the PIDs, and they are used for the process tree below.
Processes
(PIDs are taken from the WriteProcessMemory events above; indentation shows parent/child, the level number is the one the report gives.)

C:\Users\Admin\AppData\Local\Temp\0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe (PID 2284, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\gnaxtjwqal.exe (PID 2664, level 2, parent 2284)
    command line: gnaxtjwqal.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rreuvjrv.exe (PID 2692, level 3, parent 2664)
      command line: C:\Windows\system32\rreuvjrv.exe
      (the command line names system32, but the 32-bit parent's view of that directory is redirected to SysWOW64, which is why the image path differs)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\lwadynorixuyrlv.exe (PID 1712, level 2, parent 2284)
    command line: lwadynorixuyrlv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rreuvjrv.exe (PID 2948, level 2, parent 2284)
    command line: rreuvjrv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tibqdcbrqnogv.exe (PID 2652, level 2, parent 2284)
    command line: tibqdcbrqnogv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2524, level 2, parent 2284)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 288, level 3, parent 2524)
      command line: C:\Windows\splwow64.exe 12288
      (the 64-bit print-spooler proxy that 32-bit Office starts when it initialises printing; a normal side effect of Word opening the decoy, not part of the malware)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (7)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
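The Persistence and Defense Evasion entries above all come from registry writes by the dropped executables (the Explorer HideFileExt/ShowSuperHidden values, the Security Center notification and override values, DisableRegistryTools, a Run key and Winlogon). The Python below is an added example, not part of the sandbox report: it maps registry "Set value" event lines in the report's format to those signature names and their ATT&CK v13 technique IDs, and fires only when the written value is the hostile setting (HideFileExt = 1, ShowSuperHidden = 0, the Security Center values = 1), so a write that restores a default is not reported. The event lines are constructed to mirror the report's format; the SID, the Run value name and the Winlogon Shell value are illustrative assumptions, not observed data.

```python
"""Classify sandbox registry "Set value" events into signatures and ATT&CK v13 techniques.

Added example, not part of the sandbox report. A rule matches on the value path
and on the value written, so only the hostile setting is reported.
"""
import re
from collections import Counter

HKCU = r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000"  # constructed SID
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"

# Constructed sample lines in the report's 'Set value (type) <path> = "<value>" <process>' form.
SAMPLE_EVENTS = [
    "Set value (int) " + HKCU + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" gnaxtjwqal.exe',
    "Set value (int) " + HKCU + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gnaxtjwqal.exe',
    "Set value (int) " + HKLM + r'\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gnaxtjwqal.exe',
    "Set value (int) " + HKLM + r'\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" gnaxtjwqal.exe',
    "Set value (int) " + HKCU + r'\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gnaxtjwqal.exe',
    # Run value name and data are assumed for illustration
    "Set value (str) " + HKCU + r'\Software\Microsoft\Windows\CurrentVersion\Run\lwadynorixuyrlv = "C:\Windows\SysWOW64\lwadynorixuyrlv.exe" lwadynorixuyrlv.exe',
    # Winlogon Shell data is assumed for illustration
    "Set value (str) " + HKLM + r'\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe gnaxtjwqal.exe" gnaxtjwqal.exe',
    # benign control: turning extension display back on must not fire
    "Set value (int) " + HKCU + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" explorer.exe',
]

EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<process>\S+)$')

# (path pattern, predicate on the written value, signature name as used in the report, ATT&CK v13 technique)
RULES = [
    (r"\\Explorer\\Advanced\\HideFileExt$", lambda v: v == "1",
     "Modifies visibility of file extensions in Explorer", "T1564.001"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", lambda v: v == "0",
     "Modifies visibility of hidden/system files in Explorer", "T1564.001"),
    (r"\\Microsoft\\Security Center\\(AntiVirus|Firewall|Updates)(DisableNotify|Override)$", lambda v: v == "1",
     "Windows security bypass", "T1562.001"),
    (r"\\Policies\\System\\DisableRegistryTools$", lambda v: v == "1",
     "Disables RegEdit via registry modification", "T1112"),
    (r"\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", lambda v: True,
     "Adds Run key to start application", "T1547.001"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", lambda v: True,
     "Modifies WinLogon", "T1547.004"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), pred, sig, tid) for p, pred, sig, tid in RULES]


def parse_event(line):
    """Split one event line into type, path, value and writing process; None if it does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return (signature, technique) for a hostile write, else None."""
    if event is None:
        return None
    for pattern, hostile, signature, technique in COMPILED:
        if pattern.search(event["path"]) and hostile(event["value"]):
            return signature, technique
    return None


def scan(lines):
    """All hostile writes in log order, each with its signature and technique attached."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append({**event, "signature": verdict[0], "technique": verdict[1]})
    return hits


def summarize(hits):
    """Technique ID -> number of matching writes."""
    return dict(Counter(h["technique"] for h in hits))


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f'{h["technique"]}  {h["signature"]:<55} {h["process"]}')
    print(summarize(scan(SAMPLE_EVENTS)))
```

The value predicate is the part worth keeping when adapting this to real telemetry: path-only matching on Explorer\Advanced or Security Center keys produces noise from Explorer itself and from Security Center service restarts, while the combination of path and hostile value is what the report's signatures actually assert.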
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5:    79abb8e3fe184dcc11da705227ab17e8
  SHA1:   1ef481f68d559f3e697c8ddea36b3d4ad17cc1c0
  SHA256: 020cdbf464398ebd1ba56dcdf7a631a52690b5051b93903206fee8a7d36d0f90
  SHA512: 50b0fb521ffcb1798391f759466e349c97f8835df5c1baf28c57f045beef3b1fc48cb4d879432bd46455237d9bc491bab3d0fe0ee6a519ba752d2785727eb494
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5:    ffa3b3e2ba530e54a026ec83978cb8e7
  SHA1:   61a17b24ad7d83b2ea4417eb1f86d615c33bf7ca
  SHA256: 3a221d904f21da47cfd3de79502bfaa4d0ad2c0b44476f6c009ae584908b0ce6
  SHA512: 5879590eab8917dc80aff45048ab5c6c2328c3a3f52050c9336df8bb68a8bb2722cd58f51aa857da0e9edbb1b22c58febdf0313214e29f7201a1f1f698928cce
-
C:\Users\Admin\AppData\Roaming\PushPop.doc.exe
  Filesize: 512KB
  MD5:    81957fb7e996818eadcac58632b6340c
  SHA1:   30265235be6caa9dffd0a25e1d921d00a02acf2f
  SHA256: e442664c3596812411fcfe14c852d13f02b382fc88a3756743affbc08990f072
  SHA512: 203e9abe0e0ead968a608ffc880144f989887d94c2cf54a8ae8a5ef17a8daf9adc77fc10d7fe66eb9c8876650aba97ea09714c1d364fc14d9c1b534ba59f4908
-
C:\Windows\SysWOW64\lwadynorixuyrlv.exe
  Filesize: 512KB
  MD5:    4ec1ca8b36cbad0a49deb099b600eac3
  SHA1:   c4d273649708cb4f98a13f95f147e645bd372eb7
  SHA256: 972d397a16c31f0c807681973511f07ab86fee98a55d4c57125fad838f7077f8
  SHA512: 89b0793c8a6cc50bad595dce4687e71cc4c5f3a70f2c931b01d51f5e7207704546befd09a85f4b0c7915cc6181a19457c84c72f3d2e4b9cd069181a57b3b72dd
-
C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5:    06604e5941c126e2e7be02c5cd9f62ec
  SHA1:   4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\gnaxtjwqal.exe
  Filesize: 512KB
  MD5:    fadf06f0768f5eff4c6737cc86841d28
  SHA1:   f829946564dc1ddd0441c6461b319c3f9619ab78
  SHA256: caa5ff90910456d99f3171ccbeb596a18cfc359950810b7e1de8f37175436b1d
  SHA512: f0d2f1e5cfab79d49f20cc2a213690dde08d3c51b49657b37af284ddbc8e501118b0cc0273d64c4c3ce108a6196b0bf61e63440e2fdf6b2f1b196b62b86d3301
-
\Windows\SysWOW64\rreuvjrv.exe
  Filesize: 512KB
  MD5:    d6caa1e22747c52cb0621604fe15e9a5
  SHA1:   2d125967e251492781918112906cce157b55da4d
  SHA256: 92ad5dcd7f055f4d6b5ca565f56eef0c79f26ec8b18391def68a5c7413e262bb
  SHA512: 2dfc5bf0218b99083dd0371703f3de15004bdc1d4d83cb115df8f9fa7d12e750ab7b6ac2e880ef40b3d97354aad30f08bc5f5011d3121796ca7705ab0842cb74
-
\Windows\SysWOW64\tibqdcbrqnogv.exe
  Filesize: 512KB
  MD5:    2aa0d3f133b65de2805ef62052d2e69f
  SHA1:   b9837f5051e6e71da5600567a04804e85d3894e3
  SHA256: 1d997084b56357bbb5ba0a2617d15f260a856331bd231f1ab5afeef90ea65af8
  SHA512: 948c4aac8afd983040f295e5c9328bd977a4916fa8e4dcd7e761361c55cc5dac4b794440ab1aac2883d6b34df39fc91b542e8a5ccd2a497abd98c253ba4dab61
-
memory/2284-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB
-
memory/2524-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
-
memory/2524-99-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB