Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 06:21

Static task: static1

Behavioral task: behavioral1
Sample: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Resource: win10v2004-20240508-en

General
Target: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Size: 512KB
MD5: 6a042aa5266e3263592ebf6fcdfc51b0
SHA1: c62dcaa0d589027701bb26c675923496c34aef40
SHA256: 146c72ff0fff7af77b6ae5f865500138bc513095b9279bc79607403772f6aafd
SHA512: 60471e27abe0713e9c2727345b30138b2a4bdc02743f2a675323a3d5ce35491768bfa07cf2e355aa29f160d07ae259597d1f1933396a7d55ba301fbc9f554770
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: ncildwcmpp.exe
process | description | ioc
ncildwcmpp.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: ncildwcmpp.exe
process | description | ioc
ncildwcmpp.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Processes: ncildwcmpp.exe
process | description | ioc
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification (1 IoCs)
Processes: ncildwcmpp.exe
process | description | ioc
ncildwcmpp.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE (5 IoCs)
Processes: ncildwcmpp.exe, iqethasbmrtapqp.exe, dtykovlz.exe, ulugvwdfgqsff.exe, dtykovlz.exe
pid | process
2944 | ncildwcmpp.exe
2092 | iqethasbmrtapqp.exe
2644 | dtykovlz.exe
2544 | ulugvwdfgqsff.exe
2712 | dtykovlz.exe
Loads dropped DLL (5 IoCs)
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, ncildwcmpp.exe
pid | process
2696 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
2696 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
2696 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
2696 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
2944 | ncildwcmpp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: ncildwcmpp.exe
process | description | ioc
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: iqethasbmrtapqp.exe
process | description | ioc
iqethasbmrtapqp.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nagscrxa = "ncildwcmpp.exe"
iqethasbmrtapqp.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zzlyivos = "iqethasbmrtapqp.exe"
iqethasbmrtapqp.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ulugvwdfgqsff.exe"
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: ncildwcmpp.exe
process | description | ioc
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
ncildwcmpp.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\iqethasbmrtapqp.exe | autoit_exe
\Windows\SysWOW64\ncildwcmpp.exe | autoit_exe
\Windows\SysWOW64\dtykovlz.exe | autoit_exe
\Windows\SysWOW64\ulugvwdfgqsff.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | autoit_exe
Drops file in System32 directory (9 IoCs)
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, ncildwcmpp.exe
process | description | ioc
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File opened for modification | C:\Windows\SysWOW64\iqethasbmrtapqp.exe
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File created | C:\Windows\SysWOW64\dtykovlz.exe
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File opened for modification | C:\Windows\SysWOW64\ulugvwdfgqsff.exe
ncildwcmpp.exe | File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File created | C:\Windows\SysWOW64\ncildwcmpp.exe
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File opened for modification | C:\Windows\SysWOW64\ncildwcmpp.exe
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File created | C:\Windows\SysWOW64\ulugvwdfgqsff.exe
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File created | C:\Windows\SysWOW64\iqethasbmrtapqp.exe
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File opened for modification | C:\Windows\SysWOW64\dtykovlz.exe
Drops file in Program Files directory (14 IoCs)
Processes: dtykovlz.exe, dtykovlz.exe
process | description | ioc
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
dtykovlz.exe | File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
dtykovlz.exe | File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
dtykovlz.exe | File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
dtykovlz.exe | File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
dtykovlz.exe | File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
dtykovlz.exe | File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
dtykovlz.exe | File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Drops file in Windows directory (5 IoCs)
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, WINWORD.EXE
process | description | ioc
6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | File opened for modification | C:\Windows\mydoc.rtf
WINWORD.EXE | File opened for modification | C:\Windows\mydoc.rtf
WINWORD.EXE | File created | C:\Windows\~$mydoc.rtf
WINWORD.EXE | File opened for modification | C:\Windows\Debug\WIA\wiatrace.log
WINWORD.EXE | File opened for modification | C:\Windows\~$mydoc.rtf
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: WINWORD.EXE
pid | process
2332 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
pid | process
2332 | WINWORD.EXE
2332 | WINWORD.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2696

  C:\Windows\SysWOW64\ncildwcmpp.exe
  Command line: ncildwcmpp.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2944

    C:\Windows\SysWOW64\dtykovlz.exe
    Command line: C:\Windows\system32\dtykovlz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2712

  C:\Windows\SysWOW64\iqethasbmrtapqp.exe
  Command line: iqethasbmrtapqp.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2092

  C:\Windows\SysWOW64\dtykovlz.exe
  Command line: dtykovlz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2644

  C:\Windows\SysWOW64\ulugvwdfgqsff.exe
  Command line: ulugvwdfgqsff.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2544

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2332

    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2304
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: fab0e8b9fe12239719a2ea0145ee512a
SHA1: c54883517c034a273811bb2be94f9233e7cfd250
SHA256: de9729d03afae19d2477782d7fe1db894cd826c5e7828127c16f2bd9ac8e2414
SHA512: 282e2c6cda837535e76e6883866f2d804e07964fe98e65bfcb3b65761814d1282f0767a7d97f5c11d45ac8f1779f46677a8edd72ec6eab8bbab0f87a1a5db554
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 20KB
MD5: 596fd181e483e04c2fbffa938b2a076f
SHA1: 9e61c8bd77e1408004c2bf0737c920c6fa2c2a84
SHA256: 38fe90112258d00b7359e36e24c88a4b2a5f21456617f6b280752d8dc94c392d
SHA512: f394eaec60e50d9211abdedbb95bc4cd8d3e0b74db85103ce9cb82f2828f7f55b76a3f3efc83283387cf501c86625b3b48ed12fc0b6460ce42fb23b1f536b1df
-
C:\Windows\SysWOW64\iqethasbmrtapqp.exe
Filesize: 512KB
MD5: 31e815918b282f068357051113a76ddd
SHA1: ab5811f10c328f015a0fbce6e69e8b5c1a3a5a4c
SHA256: abbee9227f24c371f75852f17bdc7d6976cdc87a8bc5e438615b16c4ee62bcfc
SHA512: c3861490dd080b185a055489689703f9a31692028c56b761117aaee105516edade04aed6047980a315e98347960747bc36c4083e82b8924842273517f3502b54
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\dtykovlz.exe
Filesize: 512KB
MD5: 7479b105d53016681bdd634b2778af88
SHA1: 4f85e9ef5658c01fa35cc75a9078ae0ca8925292
SHA256: 5614d24e028d3fcbb8b89a41540b66814075a6352dee5820f5f30230e53f03eb
SHA512: 50753fffc23d36b866c41712e558f54dc98da928fe2c13a995a2b702a22b082fe860013b14eadfecd88567bbeb56f76ee87d331bca45197b67af09755f204252
-
\Windows\SysWOW64\ncildwcmpp.exe
Filesize: 512KB
MD5: 46dd08b45e58852dc3c2c909c3d15ac3
SHA1: 64e2eb2b2a00e6e2d177639d4e6e2f175904b28b
SHA256: fb0d2cbe49bb46cfc95b17b97a081b145f6a14624e9aacf0f4dffffabdaf7b89
SHA512: 83d31396269caa8b748cd9c398a41cd63925dcfa32407c31d72bddae9a4fef884cb5876c02a81c80c0b2bff2231ce958a6b057a5662ba4c355c8c09b16529ff7
-
\Windows\SysWOW64\ulugvwdfgqsff.exe
Filesize: 512KB
MD5: 8f510187beef7a2afc457c2a38db249d
SHA1: ea8a6dec732118af230e24efa2e9ac058628b277
SHA256: 0a1bd1c25802a985cf9902eaca7ba7e9dae46520ea03162759a8faf91370a687
SHA512: aebab592463ef43a49424d0e268c0ae89ac34804c12fe6ce6f8d5cb533d4fcadbba07a651056b0ad2619cbc98c8f05b51cba30f9387495a5999559d1a2b9a23a
-
memory/2332-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2332-94-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2696-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB