Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 23-05-2024 10:40

Static task: static1

Behavioral task: behavioral1
- Sample: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
- Resource: win10v2004-20240426-en

General
- Target: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
- Size: 512KB
- MD5: 6aab9bd82370095b5e1178ecd611e0ae
- SHA1: b33a97878cc406b595a3a74c4508027d30dfc8e4
- SHA256: 8b3b2054d960cd704fe424d65b49b2c0de130ce231ae370672f79f94ef5f2329
- SHA512: fe855e33ccf53688866e77132e50dfeefeec15595005aa7fed49109871b8f82aeef026c47923741fb35e705884e329346128cee5349443b60c3cad9ecac0fc25
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: jwvejgbxix.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jwvejgbxix.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: jwvejgbxix.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jwvejgbxix.exe
Windows security bypass
Processes: jwvejgbxix.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jwvejgbxix.exe
Disables RegEdit via registry modification 1 IoCs
Processes: jwvejgbxix.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jwvejgbxix.exe
Executes dropped EXE 5 IoCs
Processes: jwvejgbxix.exe, cbisbksfrgljmqt.exe, wovtnmqa.exe, crzkgthgfjdaw.exe, wovtnmqa.exe
pid | process
2612 | jwvejgbxix.exe
2992 | cbisbksfrgljmqt.exe
2636 | wovtnmqa.exe
2624 | crzkgthgfjdaw.exe
2752 | wovtnmqa.exe
Loads dropped DLL 5 IoCs
Processes: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe, jwvejgbxix.exe
pid | process
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612 | jwvejgbxix.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: jwvejgbxix.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jwvejgbxix.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: cbisbksfrgljmqt.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bgvrdozw = "jwvejgbxix.exe" | cbisbksfrgljmqt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cetomyhd = "cbisbksfrgljmqt.exe" | cbisbksfrgljmqt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "crzkgthgfjdaw.exe" | cbisbksfrgljmqt.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: wovtnmqa.exe, wovtnmqa.exe, jwvejgbxix.exe
description | ioc | process
File opened (read-only) | \??\e: | wovtnmqa.exe
File opened (read-only) | \??\h: | wovtnmqa.exe
File opened (read-only) | \??\s: | wovtnmqa.exe
File opened (read-only) | \??\t: | wovtnmqa.exe
File opened (read-only) | \??\w: | wovtnmqa.exe
File opened (read-only) | \??\m: | wovtnmqa.exe
File opened (read-only) | \??\n: | wovtnmqa.exe
File opened (read-only) | \??\y: | wovtnmqa.exe
File opened (read-only) | \??\y: | wovtnmqa.exe
File opened (read-only) | \??\z: | wovtnmqa.exe
File opened (read-only) | \??\k: | jwvejgbxix.exe
File opened (read-only) | \??\m: | jwvejgbxix.exe
File opened (read-only) | \??\o: | wovtnmqa.exe
File opened (read-only) | \??\x: | wovtnmqa.exe
File opened (read-only) | \??\i: | wovtnmqa.exe
File opened (read-only) | \??\a: | wovtnmqa.exe
File opened (read-only) | \??\a: | wovtnmqa.exe
File opened (read-only) | \??\h: | wovtnmqa.exe
File opened (read-only) | \??\v: | wovtnmqa.exe
File opened (read-only) | \??\r: | wovtnmqa.exe
File opened (read-only) | \??\a: | jwvejgbxix.exe
File opened (read-only) | \??\o: | jwvejgbxix.exe
File opened (read-only) | \??\q: | jwvejgbxix.exe
File opened (read-only) | \??\z: | jwvejgbxix.exe
File opened (read-only) | \??\m: | wovtnmqa.exe
File opened (read-only) | \??\i: | jwvejgbxix.exe
File opened (read-only) | \??\k: | wovtnmqa.exe
File opened (read-only) | \??\p: | wovtnmqa.exe
File opened (read-only) | \??\u: | wovtnmqa.exe
File opened (read-only) | \??\g: | wovtnmqa.exe
File opened (read-only) | \??\e: | jwvejgbxix.exe
File opened (read-only) | \??\b: | wovtnmqa.exe
File opened (read-only) | \??\j: | wovtnmqa.exe
File opened (read-only) | \??\t: | wovtnmqa.exe
File opened (read-only) | \??\p: | jwvejgbxix.exe
File opened (read-only) | \??\w: | jwvejgbxix.exe
File opened (read-only) | \??\g: | wovtnmqa.exe
File opened (read-only) | \??\z: | wovtnmqa.exe
File opened (read-only) | \??\k: | wovtnmqa.exe
File opened (read-only) | \??\o: | wovtnmqa.exe
File opened (read-only) | \??\j: | jwvejgbxix.exe
File opened (read-only) | \??\s: | jwvejgbxix.exe
File opened (read-only) | \??\v: | jwvejgbxix.exe
File opened (read-only) | \??\q: | wovtnmqa.exe
File opened (read-only) | \??\b: | jwvejgbxix.exe
File opened (read-only) | \??\u: | jwvejgbxix.exe
File opened (read-only) | \??\l: | wovtnmqa.exe
File opened (read-only) | \??\x: | wovtnmqa.exe
File opened (read-only) | \??\p: | wovtnmqa.exe
File opened (read-only) | \??\v: | wovtnmqa.exe
File opened (read-only) | \??\n: | jwvejgbxix.exe
File opened (read-only) | \??\r: | jwvejgbxix.exe
File opened (read-only) | \??\t: | jwvejgbxix.exe
File opened (read-only) | \??\l: | wovtnmqa.exe
File opened (read-only) | \??\l: | jwvejgbxix.exe
File opened (read-only) | \??\w: | wovtnmqa.exe
File opened (read-only) | \??\b: | wovtnmqa.exe
File opened (read-only) | \??\q: | wovtnmqa.exe
File opened (read-only) | \??\g: | jwvejgbxix.exe
File opened (read-only) | \??\x: | jwvejgbxix.exe
File opened (read-only) | \??\y: | jwvejgbxix.exe
File opened (read-only) | \??\r: | wovtnmqa.exe
File opened (read-only) | \??\n: | wovtnmqa.exe
File opened (read-only) | \??\u: | wovtnmqa.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: jwvejgbxix.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jwvejgbxix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jwvejgbxix.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\cbisbksfrgljmqt.exe | autoit_exe
\Windows\SysWOW64\jwvejgbxix.exe | autoit_exe
\Windows\SysWOW64\wovtnmqa.exe | autoit_exe
C:\Windows\SysWOW64\crzkgthgfjdaw.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\WaitHide.doc.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe, jwvejgbxix.exe
description | ioc | process
File created | C:\Windows\SysWOW64\jwvejgbxix.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cbisbksfrgljmqt.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wovtnmqa.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\crzkgthgfjdaw.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\crzkgthgfjdaw.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jwvejgbxix.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cbisbksfrgljmqt.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wovtnmqa.exe | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jwvejgbxix.exe
Drops file in Program Files directory 14 IoCs
Processes: wovtnmqa.exe, wovtnmqa.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | wovtnmqa.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wovtnmqa.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wovtnmqa.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wovtnmqa.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | wovtnmqa.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | wovtnmqa.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wovtnmqa.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | wovtnmqa.exe
Drops file in Windows directory 5 IoCs
Processes: WINWORD.EXE, 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Modifies registry class 64 IoCs
Processes: WINWORD.EXE, jwvejgbxix.exe, 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | jwvejgbxix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | jwvejgbxix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | jwvejgbxix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB2FF1D22DAD20FD0A18B089014" | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B15A4493389F53BFBAA633EDD7BC" | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACDF964F2E3830B3B4A81983997B38D028843640333E1BA459A09D5" | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | jwvejgbxix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCFC4F2A851A9146D6587D9DBD95E13459366743633FD6EA" | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | jwvejgbxix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | jwvejgbxix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2672 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe, jwvejgbxix.exe, cbisbksfrgljmqt.exe, crzkgthgfjdaw.exe, wovtnmqa.exe, wovtnmqa.exe
pid | process
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2992 | cbisbksfrgljmqt.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe, jwvejgbxix.exe, cbisbksfrgljmqt.exe, crzkgthgfjdaw.exe, wovtnmqa.exe, wovtnmqa.exe
pid | process
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe, jwvejgbxix.exe, cbisbksfrgljmqt.exe, crzkgthgfjdaw.exe, wovtnmqa.exe, wovtnmqa.exe
pid | process
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2612 | jwvejgbxix.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2992 | cbisbksfrgljmqt.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2624 | crzkgthgfjdaw.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2636 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
2752 | wovtnmqa.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2672 | WINWORD.EXE
2672 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe, jwvejgbxix.exe, WINWORD.EXE
description | pid | process | target process
PID 1632 wrote to memory of 2612 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | jwvejgbxix.exe
PID 1632 wrote to memory of 2612 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | jwvejgbxix.exe
PID 1632 wrote to memory of 2612 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | jwvejgbxix.exe
PID 1632 wrote to memory of 2612 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | jwvejgbxix.exe
PID 1632 wrote to memory of 2992 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2992 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2992 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2992 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2636 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | wovtnmqa.exe
PID 1632 wrote to memory of 2636 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | wovtnmqa.exe
PID 1632 wrote to memory of 2636 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | wovtnmqa.exe
PID 1632 wrote to memory of 2636 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | wovtnmqa.exe
PID 1632 wrote to memory of 2624 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | crzkgthgfjdaw.exe
PID 1632 wrote to memory of 2624 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | crzkgthgfjdaw.exe
PID 1632 wrote to memory of 2624 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | crzkgthgfjdaw.exe
PID 1632 wrote to memory of 2624 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | crzkgthgfjdaw.exe
PID 2612 wrote to memory of 2752 | 2612 | jwvejgbxix.exe | wovtnmqa.exe
PID 2612 wrote to memory of 2752 | 2612 | jwvejgbxix.exe | wovtnmqa.exe
PID 2612 wrote to memory of 2752 | 2612 | jwvejgbxix.exe | wovtnmqa.exe
PID 2612 wrote to memory of 2752 | 2612 | jwvejgbxix.exe | wovtnmqa.exe
PID 1632 wrote to memory of 2672 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | WINWORD.EXE
PID 1632 wrote to memory of 2672 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | WINWORD.EXE
PID 1632 wrote to memory of 2672 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | WINWORD.EXE
PID 1632 wrote to memory of 2672 | 1632 | 6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe | WINWORD.EXE
PID 2672 wrote to memory of 1960 | 2672 | WINWORD.EXE | splwow64.exe
PID 2672 wrote to memory of 1960 | 2672 | WINWORD.EXE | splwow64.exe
PID 2672 wrote to memory of 1960 | 2672 | WINWORD.EXE | splwow64.exe
PID 2672 wrote to memory of 1960 | 2672 | WINWORD.EXE | splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\jwvejgbxix.exe
Command line: jwvejgbxix.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\wovtnmqa.exe
Command line: C:\Windows\system32\wovtnmqa.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Windows\SysWOW64\cbisbksfrgljmqt.exe
Command line: cbisbksfrgljmqt.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Windows\SysWOW64\wovtnmqa.exe
Command line: wovtnmqa.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Windows\SysWOW64\crzkgthgfjdaw.exe
Command line: crzkgthgfjdaw.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (7)
- Impair Defenses (2)
- Disable or Modify Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: 3eeb46c781ba790cae668d2ebf93cecd
SHA1: ce4981b2961a557eeb2c42772816b90aa7b36ff8
SHA256: adb4f4fe34fbc37e7e595313017124c6435646c40a4546ccaecb5a75fdd223ca
SHA512: eb41796048b361d8ba580bddbe87811683426808f5ebf5ef4cd2e5c6c4055c9b3c8fbe302101591e5c3585ce5ca597c85622d68e94283fad16c63419cdef6646
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 20KB
MD5: 480260807f8bbbdbc9766b21d4ec7a62
SHA1: a5b6dc40807ad87a2aaf78fee80bc3a2a00378cc
SHA256: 4ba8847b74d219bfa9598a1d2ce59225b82493332d14369631f06038a4ff7c50
SHA512: d10447bbb133fae7e53e526e86d58409894226e2c35debdec0d555b02e8ef532b43c2cbc663e48a00020753a0beec0928682f8c0775ce7e9f8ca32516dab77f9
-
C:\Users\Admin\Documents\WaitHide.doc.exe
Filesize: 512KB
MD5: b7f44f029fd4da4f447543443d243e97
SHA1: 3c72e9a81cc7dbd90499a963a843de63f1f750f1
SHA256: 242020da19906d26aecd2b019e4c3478f50a26084ed0332088bb1c5d14989e84
SHA512: b1d4cdf130d870ffff17222bba19daf4333f12603712629ddebc59e0153aea086336ea0d072b07cec7d914a94faeecef30bd5df7aa37f0a68ffe6c046196e31f
-
C:\Windows\SysWOW64\cbisbksfrgljmqt.exe
Filesize: 512KB
MD5: f9f7a93c1ba10247e8e3e16c0d942d28
SHA1: a87bccaaf811163f87ac1bcd45d81b7ccade4245
SHA256: 9d11874ab5563f90ef84ccdc7d9247b9ca5df73b7db4a4ab6eddca23e31a641d
SHA512: 2a8098f4956a0c93a0922255030ab1f82e68035efc1c1297c59264663d622e13cf4d6f9b290e5c5a24e7110d60483e2e7021d52c28ed3cbb79502fbf3bddff29
-
C:\Windows\SysWOW64\crzkgthgfjdaw.exe
Filesize: 512KB
MD5: c6af15024f3a6e030539885b2815da06
SHA1: e7d7696737dc25477d5d91d73d14cc817ac4e7dc
SHA256: 2f1a0a6969b11e144e0b25b8b6a1ada3d241fd9c182252db17c167567cb78f5b
SHA512: 2aa7da97bc5ce8401cf0ded48a28797235b1080ab5da63e7df3333266e269834fa5a5ee987d4f7df1625585e9e9aa612c48624412368c1ada9742728be3b18ad
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\jwvejgbxix.exe
Filesize: 512KB
MD5: c5f7eda1c1ea1985759070929c4713b4
SHA1: 7f96237b8f06dadc4c286110bd4affb41541c54b
SHA256: 9c230a2c813b7ef623d3dc31674a1f75cd73593630c3429cfcb76e82fdb451ad
SHA512: 12beb3926be718feb6f3a965562854d3fbd76367c1cc76bb2637cc16d575195096bf3ef07d2d4d6776f3f845915622271ac0087f6a00f95ececedc442df5992f
-
\Windows\SysWOW64\wovtnmqa.exe
Filesize: 512KB
MD5: 13de2b1966933dff8f1094f603f61b64
SHA1: f20c22c133f56929b304e164ed217d1870888957
SHA256: a67239831d99bfb00f3df1ac5b4d920fe552e01ca6b18aaa9c176fe37b2427a4
SHA512: 8b483a626a07b2526068ca220d5d40c6100f7ac5fb3f76bdfce9f21b6ce205fd9539b149dc2f7f52a1415133b9e1a8d8b11bdfa3bb67fd7bf01f71df54eafdde
-
memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB
-
memory/2672-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2672-99-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB