Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 20:08

Static task: static1

Behavioral task: behavioral1
- Sample: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- Resource: win10v2004-20240419-en

General
- Target: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- Size: 512KB
- MD5: 05f8c3a1ecea0c3b115e4d6fd4beb6a7
- SHA1: 263ae7765ea9c118042ff4f6364a7fdb9e3aad34
- SHA256: 9c1666e9dbc1884a056d79e7271e449e4b3e873e21c5ecdd18a0f559da81a064
- SHA512: 28b26667018dea51285174a070ff0b0c7989b6d098cfb73f7aa0ac9c0c46ccd61de928523e3fd989af7be326505dc5a530cc1a85de784802cbc206536621b6ea
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (eebjltfncl.exe)
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (eebjltfncl.exe)
-
Windows security bypass
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (eebjltfncl.exe)
-
Disables RegEdit via registry modification 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (eebjltfncl.exe)
-
Executes dropped EXE 5 IoCs
Processes:
- PID 2508: eebjltfncl.exe
- PID 2700: cckikonyicfzgsq.exe
- PID 2536: ikbkqtit.exe
- PID 2720: wzkjazeplfuzq.exe
- PID 2200: ikbkqtit.exe
-
Loads dropped DLL 5 IoCs
Processes:
- PID 2484: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- PID 2484: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- PID 2484: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- PID 2484: 05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe
- PID 2508: eebjltfncl.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (eebjltfncl.exe)
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vadsuikm = "cckikonyicfzgsq.exe" (cckikonyicfzgsq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wzkjazeplfuzq.exe" (cckikonyicfzgsq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xojgtqlk = "eebjltfncl.exe" (cckikonyicfzgsq.exe)
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (eebjltfncl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (eebjltfncl.exe)
-
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
Resources (yara rule: autoit_exe):
- behavioral1/memory/2484-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\cckikonyicfzgsq.exe
- \Windows\SysWOW64\eebjltfncl.exe
- \Windows\SysWOW64\ikbkqtit.exe
- \Windows\SysWOW64\wzkjazeplfuzq.exe
-
Drops file in System32 directory 9 IoCs
Processes:
- File opened for modification C:\Windows\SysWOW64\eebjltfncl.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\cckikonyicfzgsq.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\cckikonyicfzgsq.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\ikbkqtit.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\wzkjazeplfuzq.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (eebjltfncl.exe)
- File created C:\Windows\SysWOW64\eebjltfncl.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\ikbkqtit.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\wzkjazeplfuzq.exe (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
-
Drops file in Program Files directory 14 IoCs
Processes:
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (ikbkqtit.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (ikbkqtit.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (ikbkqtit.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (ikbkqtit.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (ikbkqtit.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (ikbkqtit.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (ikbkqtit.exe)
-
Drops file in Windows directory 5 IoCs
Processes:
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 2456: WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 2456: WINWORD.EXE
- PID 2456: WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe (depth 1, PID 2484)
Command line: "C:\Users\Admin\AppData\Local\Temp\05f8c3a1ecea0c3b115e4d6fd4beb6a7_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eebjltfncl.exe (depth 2, PID 2508, parent 2484)
Command line: eebjltfncl.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ikbkqtit.exe (depth 3, PID 2200, parent 2508)
Command line: C:\Windows\system32\ikbkqtit.exe (a 32-bit process; WOW64 file system redirection resolves system32 to SysWOW64)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cckikonyicfzgsq.exe (depth 2, PID 2700, parent 2484)
Command line: cckikonyicfzgsq.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ikbkqtit.exe (depth 2, PID 2536, parent 2484)
Command line: ikbkqtit.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\wzkjazeplfuzq.exe (depth 2, PID 2720, parent 2484)
Command line: wzkjazeplfuzq.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2, PID 2456, parent 2484)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe (depth 3, PID 1580, parent 2456)
Command line: C:\Windows\splwow64.exe 12288
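The process list attributes the registry tampering (Explorer file-extension and hidden-file views, Security Center notification overrides, RegEdit lockout, Winlogon changes, a Run key) to the dropped binaries in SysWOW64. The following triage script is an added example, not the sandbox's code: evaluate() applies those checks to a registry snapshot and runs anywhere, collect_live() takes the snapshot on a Windows host. The key paths are the standard locations of these settings and the value name of the Run entry is assumed, since the report names the behaviour but not the value it wrote.

```python
"""Registry triage for the tampering the report attributes to the dropped EXEs.

Added example; not the sandbox's code. Key paths are the standard Windows
locations for these settings (assumption: the report names the behaviours,
not every value touched). SAMPLE_SNAPSHOT and CLEAN_SNAPSHOT are constructed.
"""
import ntpath
import sys

ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = [("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run")]

# (hive, key, value name, data that indicates tampering)
INDICATORS = [
    ("HKCU", ADVANCED, "HideFileExt", 1),   # also the Windows default: corroborating only
    ("HKCU", ADVANCED, "ShowSuperHidden", 0),
    ("HKCU", POLICIES, "DisableRegistryTools", 1),
    ("HKLM", SECURITY_CENTER, "AntiVirusOverride", 1),
    ("HKLM", SECURITY_CENTER, "FirewallOverride", 1),
    ("HKLM", SECURITY_CENTER, "AntiVirusDisableNotify", 1),
    ("HKLM", SECURITY_CENTER, "FirewallDisableNotify", 1),
    ("HKLM", SECURITY_CENTER, "UpdatesDisableNotify", 1),
]


def evaluate(snap):
    """snap: {(hive, key, value name): data}. Returns a list of finding strings."""
    findings = []
    for hive, key, name, bad in INDICATORS:
        if snap.get((hive, key, name)) == bad:
            findings.append(f"{hive}\\{key}\\{name} = {bad}")
    shell = snap.get(("HKLM", WINLOGON, "Shell"))
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell = {shell!r}")
    userinit = snap.get(("HKLM", WINLOGON, "Userinit"))
    if userinit is not None:
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        # Anything besides userinit.exe in this comma list runs at every logon.
        if any(ntpath.basename(p).lower() != "userinit.exe" for p in parts):
            findings.append(f"Winlogon Userinit = {userinit!r}")
    for hive, key in RUN_KEYS:
        for (h, k, name), data in snap.items():
            if (h, k) == (hive, key) and isinstance(data, str):
                # Heuristic: the droppers here live in SysWOW64; review such entries by hand.
                if "\\syswow64\\" in data.lower() or "\\system32\\" in data.lower():
                    findings.append(f"{hive}\\{key}\\{name} -> {data}")
    return findings


def collect_live(wow64_32=False):
    """Snapshot the keys above from the live registry (Windows only).
    Call once per view: the sample is 32-bit, so its HKLM writes land in the
    Wow6432Node view, which KEY_WOW64_32KEY selects."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    access = winreg.KEY_READ | (winreg.KEY_WOW64_32KEY if wow64_32 else 0)
    wanted = {(h, k) for h, k, _, _ in INDICATORS} | {("HKLM", WINLOGON)} | set(RUN_KEYS)
    snap = {}
    for hive, key in wanted:
        try:
            with winreg.OpenKey(hives[hive], key, 0, access) as handle:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, i)
                    except OSError:
                        break
                    snap[(hive, key, name)] = data
                    i += 1
        except OSError:
            continue  # key absent in this view
    return snap


# Constructed snapshot shaped like the report's findings (Run value name assumed).
SAMPLE_SNAPSHOT = {
    ("HKCU", ADVANCED, "HideFileExt"): 1,
    ("HKCU", ADVANCED, "ShowSuperHidden"): 0,
    ("HKLM", SECURITY_CENTER, "AntiVirusOverride"): 1,
    ("HKLM", WINLOGON, "Shell"): "explorer.exe",
    ("HKLM", WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    ("HKLM", RUN_KEYS[0][1], "cckikonyicfzgsq"): r"C:\Windows\SysWOW64\cckikonyicfzgsq.exe",
}
# Constructed clean host for comparison.
CLEAN_SNAPSHOT = {
    ("HKCU", ADVANCED, "HideFileExt"): 0,
    ("HKCU", ADVANCED, "ShowSuperHidden"): 1,
    ("HKLM", SECURITY_CENTER, "AntiVirusOverride"): 0,
    ("HKLM", WINLOGON, "Shell"): "explorer.exe",
    ("HKLM", WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    ("HKLM", RUN_KEYS[0][1], "Updater"): r"C:\Program Files\Example\updater.exe",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        for view in (False, True):
            for f in evaluate(collect_live(view)):
                print(("wow6432: " if view else "native: ") + f)
    else:
        print("\n".join(evaluate(SAMPLE_SNAPSHOT)))
```

Run it from an elevated prompt on the suspect host; HideFileExt is reported because the sample sets it, but as it is also the Windows default it only corroborates the other findings.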
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (7)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize 20KB
MD5 36c081bdeb3ab1d42ab27f41592eea19
SHA1 e757c367f8c798c8d75f26aa9569ef382a29aaa8
SHA256 78333bac77878eea2173a53836d76e4d6cc3b6dfda7fb84652b6d429ade347f5
SHA512 eb39443d54e33c0f9ad8644e085b2d15040307d946db280eee07f9f2b53c301cce4a8605b88ef751fd7394fe7c131f4b9d7d2e16b145102466f2d9c59860ebc3
-
C:\Windows\SysWOW64\cckikonyicfzgsq.exe
Filesize 512KB
MD5 c1e6b01cdc013e99f8e8af9d9239d372
SHA1 9170f21678fd459168c1c5849ae55a76bd6d7317
SHA256 00307811d5d310fb85bca3e01051cf2bbd8da31fd07912ff83b9bc8ba68a83d6
SHA512 f549f25181ec5b575e2c8c79fcf3f246c77489f1afdff88d46cdd7ca1174a0611d3798abf32aa60e4ddba6ca63a57b32dfaecabcd3c7882a0f7cc6f2927629d2
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\eebjltfncl.exe
Filesize 512KB
MD5 716d0dc2e8b09c1080cea09f27839227
SHA1 5316c352218cda22034f24326fd03c0b35729b02
SHA256 f4841e1be92c6f795423b9e64bf3c94208a4e3925f720d607794138a065c3435
SHA512 1578b5d2bfed0bca9ac9edacc36a78f337c867cbb231fd3a83cd5d1dff7f0f78f155be33cbcee25dd8dfa57d334d3259b47fb4308669fe9f0b15ae2bfbe94fd0
-
\Windows\SysWOW64\ikbkqtit.exe
Filesize 512KB
MD5 c6b0e32bd01cfd0819c54558fe9ce122
SHA1 8f239e1db12b23e6f7507128cb27f0499a53a356
SHA256 fc8f8bad7b8a803302f839c4a0f0f628131b60fd8c10c11c38566872dbd33948
SHA512 06bcb5d61ce3354234ca0e2e655a596f50ac011548717434efc0eb0437c7fd437ef1e09c00e62a3f55543c96634534ea87437f4fed08146ecaef4358edf60934
-
\Windows\SysWOW64\wzkjazeplfuzq.exe
Filesize 512KB
MD5 18d233a52d6ce482656843f11b51699c
SHA1 e500b98a6dce243f5c8c51877a801883dc20bdea
SHA256 818a9251242d23cf59da43955f89201897c8fe716da45104439fb207cd59e603
SHA512 b3cb26f6f1db416614c8f12eef47545fc7e9a335da9c2c2760336eda03d9cd72a6180348d3b4026c4b6020484535f6567cf6cf201a3f677c840b54d8f9b97e0c
-
memory/2456-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/2456-92-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/2484-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB
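The dropped-file table above is the hash material a responder would sweep other hosts with. The following script is an added example, not the sandbox's code: parse_dropped() reads entries in the fused form the report renders (path and "Filesize" on one line, then the algorithm name glued to each digest), and sweep() walks directories flagging files whose name or SHA-256 matches. SAMPLE_DOWNLOADS is a constructed excerpt of two of the report's entries; demo() plants constructed files in a temporary directory, and the zzz.exe entry it adds is an invented one whose hash is computed on the spot.

```python
"""IOC sweep built from the report's dropped-file table.

Added example; not the sandbox's code. SAMPLE_DOWNLOADS is a constructed
excerpt of two entries in the report's own layout; demo() plants constructed
files so the sweep can be exercised without the real samples.
"""
import hashlib
import ntpath
import os
import re
import sys
import tempfile

SAMPLE_DOWNLOADS = r"""
-
\Windows\SysWOW64\eebjltfncl.exeFilesize
512KB
MD5716d0dc2e8b09c1080cea09f27839227
SHA15316c352218cda22034f24326fd03c0b35729b02
SHA256f4841e1be92c6f795423b9e64bf3c94208a4e3925f720d607794138a065c3435
SHA5121578b5d2bfed0bca9ac9edacc36a78f337c867cbb231fd3a83cd5d1dff7f0f78f155be33cbcee25dd8dfa57d334d3259b47fb4308669fe9f0b15ae2bfbe94fd0
-
C:\Windows\SysWOW64\cckikonyicfzgsq.exeFilesize
512KB
MD5c1e6b01cdc013e99f8e8af9d9239d372
SHA19170f21678fd459168c1c5849ae55a76bd6d7317
SHA25600307811d5d310fb85bca3e01051cf2bbd8da31fd07912ff83b9bc8ba68a83d6
SHA512f549f25181ec5b575e2c8c79fcf3f246c77489f1afdff88d46cdd7ca1174a0611d3798abf32aa60e4ddba6ca63a57b32dfaecabcd3c7882a0f7cc6f2927629d2
"""

# One entry: '<path>Filesize' / '<size>' / 'MD5<hex>' / 'SHA1<hex>' / 'SHA256<hex>' / 'SHA512<hex>'
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)Filesize\n(?P<size>\S+)\n"
    r"MD5(?P<md5>[0-9a-f]{32})\n"
    r"SHA1(?P<sha1>[0-9a-f]{40})\n"
    r"SHA256(?P<sha256>[0-9a-f]{64})\n"
    r"SHA512(?P<sha512>[0-9a-f]{128})$",
    re.M,
)


def parse_dropped(text):
    """{report path: {'size', 'md5', 'sha1', 'sha256', 'sha512'}}; memory dumps have no hashes and are skipped."""
    return {m["path"]: {k: m[k] for k in ("size", "md5", "sha1", "sha256", "sha512")}
            for m in ENTRY_RE.finditer(text)}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(iocs, roots, max_bytes=8 << 20):
    """Return [(file, [reasons])]. Files above max_bytes get the name check only."""
    by_hash = {e["sha256"]: p for p, e in iocs.items()}
    by_name = {ntpath.basename(p).lower(): p for p in iocs}
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                full = os.path.join(dirpath, fn)
                reasons = []
                if fn.lower() in by_name:
                    reasons.append("name matches " + by_name[fn.lower()])
                try:
                    if os.path.getsize(full) <= max_bytes and sha256_file(full) in by_hash:
                        reasons.append("sha256 matches " + by_hash[sha256_file(full)])
                except OSError:
                    pass  # locked or unreadable file: the name check still stands
                if reasons:
                    hits.append((full, reasons))
    return hits


def demo():
    """Constructed end-to-end run: one name-only match and one hash match."""
    iocs = parse_dropped(SAMPLE_DOWNLOADS)
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "SysWOW64")
        os.makedirs(planted)
        with open(os.path.join(planted, "eebjltfncl.exe"), "wb") as f:
            f.write(b"constructed stand-in, not the real sample")  # name match only
        payload = b"constructed payload"
        with open(os.path.join(planted, "renamed.bin"), "wb") as f:
            f.write(payload)  # hash match against an invented IOC entry
        iocs[r"\Windows\SysWOW64\zzz.exe"] = {"sha256": hashlib.sha256(payload).hexdigest()}
        hits = sweep(iocs, [tmp])
    return sorted((os.path.basename(p), r) for p, r in hits)


if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: sweep.py <saved report text> <dir> [<dir> ...]
        with open(sys.argv[1], encoding="utf-8") as fh:
            for path, reasons in sweep(parse_dropped(fh.read()), sys.argv[2:]):
                print(path, "|", "; ".join(reasons))
    else:
        print(demo())
```

The name match is deliberately kept separate from the hash match: the dropped files carry random names that may be per-infection, while a rebuilt dropper keeps the same names with different hashes, so either match alone is worth a look.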