Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 06:17
Static task: static1
Behavioral task: behavioral1
- Sample: 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- Size: 512KB
- MD5: 6a02ab31f7a70f5877b70074bdd17bd9
- SHA1: 2f7fab74ef473167bbbd8abb911be5045fb873e4
- SHA256: 94545f12bdc0240b6f76320d6fd0a004020d49e229399e4a6254951b76c83eba
- SHA512: 73b7f5e0dcf918ee45a0d3665445c27e6d7137b886122089d79ffe615a889707864269b814eaff470d5fda54e4d14e6ea9f2dad33c8be1a8c36e6bcd97450843
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (qzcishhlky.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (qzcishhlky.exe)
Windows security bypass
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qzcishhlky.exe)
Disables RegEdit via registry modification (1 IoC)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (qzcishhlky.exe)
Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 1940 qzcishhlky.exe
- 2900 cxiuayepdruthrd.exe
- 2600 imsrcyov.exe
- 2732 oyizjossonwsr.exe
- 2828 imsrcyov.exe
- 2572 oyizjossonwsr.exe
Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 2784 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- 2784 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- 2784 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- 2784 6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe
- 1940 qzcishhlky.exe
- 2276 cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qzcishhlky.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wskrllcf = "qzcishhlky.exe" (cxiuayepdruthrd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jedvmaur = "cxiuayepdruthrd.exe" (cxiuayepdruthrd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyizjossonwsr.exe" (cxiuayepdruthrd.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (qzcishhlky.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (qzcishhlky.exe)
AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
- behavioral1/memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmp (autoit_exe)
- C:\Windows\SysWOW64\cxiuayepdruthrd.exe (autoit_exe)
- \Windows\SysWOW64\qzcishhlky.exe (autoit_exe)
- \Windows\SysWOW64\imsrcyov.exe (autoit_exe)
- \Windows\SysWOW64\oyizjossonwsr.exe (autoit_exe)
Drops file in System32 directory (9 IoCs)
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\cxiuayepdruthrd.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\cxiuayepdruthrd.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\imsrcyov.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (qzcishhlky.exe)
- File created C:\Windows\SysWOW64\qzcishhlky.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\qzcishhlky.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\oyizjossonwsr.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\imsrcyov.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\oyizjossonwsr.exe (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
Processes (description, ioc, process):
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (imsrcyov.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (imsrcyov.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (imsrcyov.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (imsrcyov.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (imsrcyov.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (imsrcyov.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (imsrcyov.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (imsrcyov.exe)
Drops file in Windows directory (5 IoCs)
Processes (description, ioc, process):
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
- 2464 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (21 IoCs)
Suspicious use of SendNotifyMessage (21 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 2464 WINWORD.EXE
- 2464 WINWORD.EXE
Suspicious use of WriteProcessMemory (36 IoCs)
Processes
-
(PIDs are taken from the WriteProcessMemory rows above; nesting follows the report's depth markers.)

C:\Users\Admin\AppData\Local\Temp\6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe  (PID 2784, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a02ab31f7a70f5877b70074bdd17bd9_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\qzcishhlky.exe  (PID 1940, depth 2)
    Command line: qzcishhlky.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\imsrcyov.exe  (PID 2828, depth 3)
      Command line: C:\Windows\system32\imsrcyov.exe
      (The parent is a 32-bit process, so WoW64 file-system redirection resolved the system32 path in the command line to the SysWOW64 copy.)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cxiuayepdruthrd.exe  (PID 2900, depth 2)
    Command line: cxiuayepdruthrd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2276, depth 3)
      Command line: cmd.exe /c oyizjossonwsr.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\oyizjossonwsr.exe  (PID 2572, depth 4)
        Command line: oyizjossonwsr.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\imsrcyov.exe  (PID 2600, depth 2)
    Command line: imsrcyov.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\oyizjossonwsr.exe  (PID 2732, depth 2)
    Command line: oyizjossonwsr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 2464, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    (mydoc.rtf is the 223-byte RTF listed under Downloads; the sample writes it into C:\Windows and opens it in Word.)
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe  (PID 2920, depth 3)
      Command line: C:\Windows\splwow64.exe 12288
      (splwow64.exe is the Windows print-driver host for 32-bit applications; 32-bit Office on 64-bit Windows starts it routinely, so this child is a side effect of Word opening the document, not a dropped binary.)
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique / sub-technique                 Count
Persistence           Boot or Logon Autostart Execution         2
                        Registry Run Keys / Startup Folder      1
                        Winlogon Helper DLL                     1
Privilege Escalation  Boot or Logon Autostart Execution         2
                        Registry Run Keys / Startup Folder      1
                        Winlogon Helper DLL                     1
Defense Evasion       Hide Artifacts                            2
                        Hidden Files and Directories            2
                      Modify Registry                           7
                      Impair Defenses                           2
                        Disable or Modify Tools                 2
Downloads
-
(Two points worth noting before using this list as indicators: all four dropped executables are 512KB, the same size as the submitted sample, yet each carries a distinct hash, so a hash-only indicator for the parent will not match the copies it writes. Normal.dotm is Word's own global template, which Word rewrites when it closes; its presence here is a side effect of WINWORD.EXE running in the sandbox, and its hash is specific to this machine.)

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize  20KB
  MD5       5532b77b025363074576fb2f58716545
  SHA1      3063097c6dc5f7332d010cd0bb72494c67fb53f5
  SHA256    9cae04e70c570c18d9ce6539e99ae45d3b80a1ddbc14ace0f2230d02cb5394fe
  SHA512    8344f8e4143f9e7b395aa10b787aab112653a77fe0c4fc174b1daa9603dc826e9fe2cbc4b0eee526293b4803f748842cbf040f56d76cbf1966cd79549a4d27c6
-
C:\Windows\SysWOW64\cxiuayepdruthrd.exe
  Filesize  512KB
  MD5       39d20469a0ea4d2a5e62b2513f88975e
  SHA1      557c0f131ad8ecca54592cb56a8cc3f653148e24
  SHA256    7fbb083a976e91f684a93a9c50a80a65e525e7a92f93d660b85b59619c82d096
  SHA512    d4bbff62575a22e9dd7c67777ef37ae380f613b08be294d9fdcc70ae6146fae5e27b5eebf2f576f8d4c42ccb3e6e7204fa1765aeac76cf4d5d12a5978925f2d4
-
C:\Windows\mydoc.rtf
  Filesize  223B
  MD5       06604e5941c126e2e7be02c5cd9f62ec
  SHA1      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\imsrcyov.exe
  Filesize  512KB
  MD5       fdcf4d05344484ced8940d4b2030de21
  SHA1      ca12fcfd465a7f91b74236b3f09b4ecbc06b7adc
  SHA256    34912380c122ddfc0ff1bf612d4df833d95d59ced7b50273b939f59953a97ff4
  SHA512    b49355a020e866f2e5b3c0e4deae824239834250aa304fdec78692d7c2f1521d2c6bfa7f9dafb751711f8428a83d4077a86eb4d570cae2fde87e4fd70de6df11
-
\Windows\SysWOW64\oyizjossonwsr.exe
  Filesize  512KB
  MD5       c9744bc251e582740f1f58331beb8121
  SHA1      9274a6f4f6ff1b8d5df0e2588e75d81017bb33a8
  SHA256    12487df6917dc3fe110c612e1aa9cf3ad30670b36ba1163badbdef5a1678a806
  SHA512    ab17a1d9079579410d1da9eb63c501b9b8cb1b6087988b3ced03d14e6894fbf95d2ddaa5e6053d66ee3ce8a0d9c115a6cbc107908191aec57005bd8e1cc8c267
-
\Windows\SysWOW64\qzcishhlky.exe
  Filesize  512KB
  MD5       459f2fc3f2b9a5775c11e330846c926f
  SHA1      7d7de5b4b8524f04614c876912ca3b6a9cbad48a
  SHA256    cf8eb4ca64ed63d3b577fe5e299c3e0696d498258dad8bdfec89ddd32e603d84
  SHA512    ddc5706db65368ec0976db19d6c3093d0d6739831dbf5259c316b00be60c98b83aacfa871bd23cb32027a9f807d80868227351bf9be9b47897f89b019ac873c5
-
memory/2464-48-0x000000005FFF0000-0x0000000060000000-memory.dmp  (PID 2464, WINWORD.EXE)
  Filesize  64KB
-
memory/2464-95-0x000000005FFF0000-0x0000000060000000-memory.dmp  (PID 2464, WINWORD.EXE)
  Filesize  64KB
-
memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmp  (PID 2784, the submitted sample)
  Filesize  600KB
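To turn the list above into something a responder can run against a suspect host, here is an added example (not part of the report and not the sample's code) that sweeps a directory tree for the dropped files, matching first by MD5/SHA256 and, failing that, by the random-looking file names. The hash table is copied from the Downloads section; the sweep logic, the `self_check` routine and the constructed stand-in files it writes into a temporary directory are this example's own assumptions, so it can be exercised offline without the real sample.

```python
"""Sweep a directory for the files this report lists under Downloads (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Copied from the report's Downloads section (Normal.dotm is left out: it is
# Word's own template and its hash is machine-specific).
IOCS = [
    {"name": "cxiuayepdruthrd.exe", "md5": "39d20469a0ea4d2a5e62b2513f88975e",
     "sha256": "7fbb083a976e91f684a93a9c50a80a65e525e7a92f93d660b85b59619c82d096"},
    {"name": "mydoc.rtf", "md5": "06604e5941c126e2e7be02c5cd9f62ec",
     "sha256": "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2"},
    {"name": "imsrcyov.exe", "md5": "fdcf4d05344484ced8940d4b2030de21",
     "sha256": "34912380c122ddfc0ff1bf612d4df833d95d59ced7b50273b939f59953a97ff4"},
    {"name": "oyizjossonwsr.exe", "md5": "c9744bc251e582740f1f58331beb8121",
     "sha256": "12487df6917dc3fe110c612e1aa9cf3ad30670b36ba1163badbdef5a1678a806"},
    {"name": "qzcishhlky.exe", "md5": "459f2fc3f2b9a5775c11e330846c926f",
     "sha256": "cf8eb4ca64ed63d3b577fe5e299c3e0696d498258dad8bdfec89ddd32e603d84"},
]


def digests(path, chunk=1 << 20):
    """Stream a file once and return its MD5 and SHA256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root, iocs=IOCS):
    """Return sorted (path, match_kind, ioc_name) tuples for every file under root.

    A hash match is conclusive; a name-only match is reported separately so the
    responder can treat it as a lead rather than a confirmed artefact."""
    by_hash = {}
    for ioc in iocs:
        for key in ("md5", "sha256"):
            by_hash[ioc[key].lower()] = ioc
    by_name = {ioc["name"].lower(): ioc for ioc in iocs}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath, fn)
            try:
                d = digests(p)
            except OSError:
                continue  # unreadable or locked file; skip rather than abort the sweep
            hit = by_hash.get(d["sha256"]) or by_hash.get(d["md5"])
            if hit:
                findings.append((str(p), "hash", hit["name"]))
            elif fn.lower() in by_name:
                findings.append((str(p), "name", by_name[fn.lower()]["name"]))
    return sorted(findings)


def self_check():
    """Offline demonstration on constructed files; returns (file name, kind, ioc name)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: same name as a dropped file but harmless content, so it can
        # only ever match by name.
        (root / "qzcishhlky.exe").write_bytes(b"constructed stand-in, not the sample")
        (root / "notes.txt").write_bytes(b"unrelated file")
        # Constructed: a planted file whose digests are computed here and added as a
        # temporary indicator, purely to exercise the hash path.
        planted = root / "sub" / "planted.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed artefact")
        extra = dict(name="planted.bin", **digests(planted))
        return [(Path(p).name, kind, ioc) for p, kind, ioc in sweep(root, IOCS + [extra])]


if __name__ == "__main__":
    for name, kind, ioc in self_check():
        print(f"{kind:4}  {name}  ->  {ioc}")
```

On a live Windows host the directories to sweep are the ones the report names as drop locations, C:\Windows\SysWOW64 and C:\Windows; because each copy the sample writes has its own hash, a name-only hit on one of these five file names in SysWOW64 is worth escalating even without a hash match.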