Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 02:27
Static task: static1
Behavioral task: behavioral1
  Sample: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Size: 512KB
MD5: 6d0ee4af41a8ee2139a4e3bcfe862e27
SHA1: 6d6b28a1da461971e9efb095625c7c12d6b99b24
SHA256: 91e9e889927ed93e95baf92d1d56570824c6c4a00998d43f02d193d04f06b91c
SHA512: c4ca7f3c8907be0355b0a4c67b6078f9984685d6033a7c87f4307fac64f0b27320f12bae6b5fda8a9290d922703480444c83b07b010923886002568c32c34fa6
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: dlsulngkio.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dlsulngkio.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: dlsulngkio.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dlsulngkio.exe
Windows security bypass 5 IoCs
Processes: dlsulngkio.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dlsulngkio.exe
Disables RegEdit via registry modification 1 IoCs
Processes: dlsulngkio.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dlsulngkio.exe
Executes dropped EXE 5 IoCs
Processes: dlsulngkio.exe, uzqnukouhrmyntg.exe, alajmlhv.exe, acokjqjemuami.exe, alajmlhv.exe
pid | process
2324 | dlsulngkio.exe
2708 | uzqnukouhrmyntg.exe
2972 | alajmlhv.exe
2820 | acokjqjemuami.exe
2540 | alajmlhv.exe
Loads dropped DLL 5 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe
pid | process
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324 | dlsulngkio.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes: dlsulngkio.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dlsulngkio.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: uzqnukouhrmyntg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ohfmiwjd = "uzqnukouhrmyntg.exe" | uzqnukouhrmyntg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "acokjqjemuami.exe" | uzqnukouhrmyntg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcvxmnew = "dlsulngkio.exe" | uzqnukouhrmyntg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: alajmlhv.exe, dlsulngkio.exe, alajmlhv.exe
description | ioc | process
File opened (read-only) | \??\t: | alajmlhv.exe
File opened (read-only) | \??\h: | dlsulngkio.exe
File opened (read-only) | \??\z: | alajmlhv.exe
File opened (read-only) | \??\v: | dlsulngkio.exe
File opened (read-only) | \??\u: | alajmlhv.exe
File opened (read-only) | \??\k: | alajmlhv.exe
File opened (read-only) | \??\m: | alajmlhv.exe
File opened (read-only) | \??\y: | alajmlhv.exe
File opened (read-only) | \??\v: | alajmlhv.exe
File opened (read-only) | \??\i: | alajmlhv.exe
File opened (read-only) | \??\w: | dlsulngkio.exe
File opened (read-only) | \??\a: | alajmlhv.exe
File opened (read-only) | \??\b: | alajmlhv.exe
File opened (read-only) | \??\e: | alajmlhv.exe
File opened (read-only) | \??\x: | dlsulngkio.exe
File opened (read-only) | \??\b: | alajmlhv.exe
File opened (read-only) | \??\s: | alajmlhv.exe
File opened (read-only) | \??\j: | alajmlhv.exe
File opened (read-only) | \??\l: | alajmlhv.exe
File opened (read-only) | \??\n: | alajmlhv.exe
File opened (read-only) | \??\u: | alajmlhv.exe
File opened (read-only) | \??\l: | alajmlhv.exe
File opened (read-only) | \??\g: | alajmlhv.exe
File opened (read-only) | \??\h: | alajmlhv.exe
File opened (read-only) | \??\r: | alajmlhv.exe
File opened (read-only) | \??\r: | alajmlhv.exe
File opened (read-only) | \??\y: | dlsulngkio.exe
File opened (read-only) | \??\o: | alajmlhv.exe
File opened (read-only) | \??\h: | alajmlhv.exe
File opened (read-only) | \??\n: | alajmlhv.exe
File opened (read-only) | \??\s: | dlsulngkio.exe
File opened (read-only) | \??\q: | alajmlhv.exe
File opened (read-only) | \??\t: | alajmlhv.exe
File opened (read-only) | \??\x: | alajmlhv.exe
File opened (read-only) | \??\x: | alajmlhv.exe
File opened (read-only) | \??\r: | dlsulngkio.exe
File opened (read-only) | \??\j: | dlsulngkio.exe
File opened (read-only) | \??\o: | dlsulngkio.exe
File opened (read-only) | \??\a: | alajmlhv.exe
File opened (read-only) | \??\g: | alajmlhv.exe
File opened (read-only) | \??\z: | alajmlhv.exe
File opened (read-only) | \??\e: | dlsulngkio.exe
File opened (read-only) | \??\g: | dlsulngkio.exe
File opened (read-only) | \??\o: | alajmlhv.exe
File opened (read-only) | \??\v: | alajmlhv.exe
File opened (read-only) | \??\p: | alajmlhv.exe
File opened (read-only) | \??\y: | alajmlhv.exe
File opened (read-only) | \??\k: | dlsulngkio.exe
File opened (read-only) | \??\l: | dlsulngkio.exe
File opened (read-only) | \??\m: | dlsulngkio.exe
File opened (read-only) | \??\z: | dlsulngkio.exe
File opened (read-only) | \??\j: | alajmlhv.exe
File opened (read-only) | \??\i: | alajmlhv.exe
File opened (read-only) | \??\s: | alajmlhv.exe
File opened (read-only) | \??\q: | alajmlhv.exe
File opened (read-only) | \??\e: | alajmlhv.exe
File opened (read-only) | \??\q: | dlsulngkio.exe
File opened (read-only) | \??\t: | dlsulngkio.exe
File opened (read-only) | \??\w: | alajmlhv.exe
File opened (read-only) | \??\a: | dlsulngkio.exe
File opened (read-only) | \??\i: | dlsulngkio.exe
File opened (read-only) | \??\p: | dlsulngkio.exe
File opened (read-only) | \??\u: | dlsulngkio.exe
File opened (read-only) | \??\m: | alajmlhv.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: dlsulngkio.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dlsulngkio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dlsulngkio.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\uzqnukouhrmyntg.exe | autoit_exe
\Windows\SysWOW64\dlsulngkio.exe | autoit_exe
\Windows\SysWOW64\alajmlhv.exe | autoit_exe
\Windows\SysWOW64\acokjqjemuami.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Desktop\EnterWrite.doc.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe
description | ioc | process
File created | C:\Windows\SysWOW64\dlsulngkio.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uzqnukouhrmyntg.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\alajmlhv.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\alajmlhv.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\acokjqjemuami.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dlsulngkio.exe
File opened for modification | C:\Windows\SysWOW64\dlsulngkio.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uzqnukouhrmyntg.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\acokjqjemuami.exe | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes: alajmlhv.exe, alajmlhv.exe
description | ioc | process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | alajmlhv.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | alajmlhv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | alajmlhv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | alajmlhv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | alajmlhv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | alajmlhv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | alajmlhv.exe
Drops file in Windows directory 5 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Modifies registry class 64 IoCs
Processes: WINWORD.EXE, 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9BEFE17F19784753B4A86ED3E94B0FE038F4365024BE1BF459D08D4" | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dlsulngkio.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dlsulngkio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15F47EF39E853BABAA5329DD4B9" | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dlsulngkio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dlsulngkio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FFFF482F851A9132D65F7DE6BD93E144584267466333D79D" | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dlsulngkio.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2560 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe, alajmlhv.exe, uzqnukouhrmyntg.exe, acokjqjemuami.exe, alajmlhv.exe
pid | process
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2708 | uzqnukouhrmyntg.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe, alajmlhv.exe, uzqnukouhrmyntg.exe, acokjqjemuami.exe, alajmlhv.exe
pid | process
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe, alajmlhv.exe, uzqnukouhrmyntg.exe, acokjqjemuami.exe, alajmlhv.exe
pid | process
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2324 | dlsulngkio.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2972 | alajmlhv.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2708 | uzqnukouhrmyntg.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2820 | acokjqjemuami.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
2540 | alajmlhv.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2560 | WINWORD.EXE
2560 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe, dlsulngkio.exe, WINWORD.EXE
description | pid | process | target process
PID 2244 wrote to memory of 2324 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | dlsulngkio.exe
PID 2244 wrote to memory of 2324 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | dlsulngkio.exe
PID 2244 wrote to memory of 2324 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | dlsulngkio.exe
PID 2244 wrote to memory of 2324 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | dlsulngkio.exe
PID 2244 wrote to memory of 2708 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2708 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2708 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2708 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2972 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | alajmlhv.exe
PID 2244 wrote to memory of 2972 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | alajmlhv.exe
PID 2244 wrote to memory of 2972 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | alajmlhv.exe
PID 2244 wrote to memory of 2972 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | alajmlhv.exe
PID 2244 wrote to memory of 2820 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | acokjqjemuami.exe
PID 2244 wrote to memory of 2820 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | acokjqjemuami.exe
PID 2244 wrote to memory of 2820 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | acokjqjemuami.exe
PID 2244 wrote to memory of 2820 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | acokjqjemuami.exe
PID 2324 wrote to memory of 2540 | 2324 | dlsulngkio.exe | alajmlhv.exe
PID 2324 wrote to memory of 2540 | 2324 | dlsulngkio.exe | alajmlhv.exe
PID 2324 wrote to memory of 2540 | 2324 | dlsulngkio.exe | alajmlhv.exe
PID 2324 wrote to memory of 2540 | 2324 | dlsulngkio.exe | alajmlhv.exe
PID 2244 wrote to memory of 2560 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | WINWORD.EXE
PID 2244 wrote to memory of 2560 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | WINWORD.EXE
PID 2244 wrote to memory of 2560 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | WINWORD.EXE
PID 2244 wrote to memory of 2560 | 2244 | 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe | WINWORD.EXE
PID 2560 wrote to memory of 804 | 2560 | WINWORD.EXE | splwow64.exe
PID 2560 wrote to memory of 804 | 2560 | WINWORD.EXE | splwow64.exe
PID 2560 wrote to memory of 804 | 2560 | WINWORD.EXE | splwow64.exe
PID 2560 wrote to memory of 804 | 2560 | WINWORD.EXE | splwow64.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\dlsulngkio.exe (level 2)
Command line: dlsulngkio.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\alajmlhv.exe (level 3)
Command line: C:\Windows\system32\alajmlhv.exe (the 32-bit parent names system32; WOW64 file system redirection resolves it to SysWOW64, which is where the copy was dropped)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2540 -
C:\Windows\SysWOW64\uzqnukouhrmyntg.exe (level 2)
Command line: uzqnukouhrmyntg.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708 -
C:\Windows\SysWOW64\alajmlhv.exe (level 2)
Command line: alajmlhv.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2972 -
C:\Windows\SysWOW64\acokjqjemuami.exe (level 2)
Command line: acokjqjemuami.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\splwow64.exe (level 3)
Command line: C:\Windows\splwow64.exe 12288
PID:804
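The "wrote to memory" events and the process tree above are the same data seen two ways. The Python below is an added example, not part of the sandbox report, that rebuilds the parent/child tree from the event lines, counts WriteProcessMemory calls per edge, and extracts the chain from the sample down to splwow64.exe, which shows that WINWORD.EXE (opened on C:\Windows\mydoc.rtf) is a child of the sample rather than of the user. The input is constructed from the seven distinct event lines printed in the report, each repeated four times as the sandbox logged them; the line format is assumed to be exactly as shown, and the regex and helper names are mine.

```python
"""Rebuild a parent/child process tree from the sandbox's WriteProcessMemory
("wrote to memory") events and list the chain that leads to each process."""
import re
from collections import Counter, defaultdict

# Constructed input: the seven distinct event lines from the report above,
# each of which the sandbox logged four times.
DISTINCT_EVENTS = [
    "PID 2244 wrote to memory of 2324 2244 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe dlsulngkio.exe",
    "PID 2244 wrote to memory of 2708 2244 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe uzqnukouhrmyntg.exe",
    "PID 2244 wrote to memory of 2972 2244 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe alajmlhv.exe",
    "PID 2244 wrote to memory of 2820 2244 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe acokjqjemuami.exe",
    "PID 2324 wrote to memory of 2540 2324 dlsulngkio.exe alajmlhv.exe",
    "PID 2244 wrote to memory of 2560 2244 6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe WINWORD.EXE",
    "PID 2560 wrote to memory of 804 2560 WINWORD.EXE splwow64.exe",
]
EVENTS = [line for line in DISTINCT_EVENTS for _ in range(4)]

# Assumed line format: "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
EVENT_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<writer_img>\S+) (?P<target_img>\S+)$"
)


def parse_events(lines):
    """Return (writer_pid, target_pid, writer_image, target_image) per line.
    Lines that do not match the sandbox format are skipped, not guessed."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["writer"]), int(m["target"]), m["writer_img"], m["target_img"]))
    return out


def build_tree(events):
    """Return (names, children, write_counts).
    names: pid -> image name; children: pid -> sorted child pids;
    write_counts: (writer, target) -> number of WriteProcessMemory events."""
    names, kids, counts = {}, defaultdict(set), Counter()
    for writer, target, writer_img, target_img in events:
        names.setdefault(writer, writer_img)
        names.setdefault(target, target_img)
        kids[writer].add(target)
        counts[(writer, target)] += 1
    children = {pid: sorted(c) for pid, c in kids.items()}
    return names, children, counts


def roots(names, children):
    """PIDs that are never written to by another process: the tree roots."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(pid for pid in names if pid not in targets)


def render(names, children, pid, depth=0):
    """Indented text rendering of the subtree under pid, one line per process."""
    lines = ["  " * depth + f"{names[pid]} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(names, children, child, depth + 1))
    return lines


def chain_to(names, children, image):
    """Image names from the root down to the first process named `image`."""
    parent = {c: p for p, cs in children.items() for c in cs}
    for pid, name in names.items():
        if name == image:
            path = [pid]
            while path[-1] in parent:
                path.append(parent[path[-1]])
            return [names[p] for p in reversed(path)]
    return []


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    names, children, counts = build_tree(ev)
    for root in roots(names, children):
        print("\n".join(render(names, children, root)))
    print("chain to splwow64.exe:", " -> ".join(chain_to(names, children, "splwow64.exe")))
    print("writes per edge:", dict(counts))
```

The four identical writes per edge are what a CreateProcess of a child on this platform looks like from the sandbox's hook, so the count alone does not separate a launch from injection; the tree shape and the images involved do. The same parser works on any report that prints events in this format.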
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize 512KB
MD5 95e6e18463957131e11e04a19ce2e889
SHA1 526b76aaef3e1227bdfa14f8b7c2e3d5b9e735d7
SHA256 d16ce4df6c1b24450bf9f90618cb7a486b3b84e9daa2de9c93d18df8bd90861c
SHA512 7d0ae98612d537f18959debc19d8503ace3ca09931c96408b26033ce659a091bbfa74dad1269ef75332b8409c057174ee82803074eba6f81e76b624de1a90baf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize 20KB
MD5 75b19e87614eb881f2d20762df3369b9
SHA1 c11920d713402ffaa61146c0da7318074621c23a
SHA256 e5b87eff5a87a0f7f96c6af2cd76b5f58ec422b3394c9482a90c3d5187b5f53a
SHA512 b84df98195c98f2c244e224f5f4e8b8f70cf0f77b767381e490caa23af2557d8a1f58820f3ae87b47ed0cebd8a03d5fc6781274124337c3ac47772ba271368b9
-
C:\Users\Admin\Desktop\EnterWrite.doc.exe
Filesize 512KB
MD5 c0f3adf80ecd0055c0ddbf5743676b04
SHA1 8908db0eed7c8c3b226cfdc27c3252c5ea8e48b2
SHA256 2ad99d049fed1ba82caa9f87d93343b4bf17fdc8b5311ea21170a2a542ef0d54
SHA512 2feca2558f3b26faa8fea43dc0cc34b27de6742b337d261c6082c2a4aad09bb7c1b51409d2846973140803ce707e775fdddfbd4177c376463fa68063f4334603
-
C:\Windows\SysWOW64\uzqnukouhrmyntg.exe
Filesize 512KB
MD5 f331e47c44baabd9fbce6a22d6df4c19
SHA1 5db16023fc5c9bae34bf66cc3dae24eeab6301fd
SHA256 eabf7bd5f7b2623a4a6a81425c0ca5a6cbbd9b1c3c0d3c79208a3f5d3ed6533e
SHA512 3083efa7fb7a1686e202401c6f96860dc5ea7ca53f242f99a2570e2cc3b0a7ead3c669c5aaceb9c64380c1ba3f46e012aaf284345a429fb4a3b7a1fb9a4b3fa6
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\acokjqjemuami.exe
Filesize 512KB
MD5 051aff36be46d3ebed2ae63c7dafd289
SHA1 30cf7afc4ebbc16ea37595ee97a2148aa8a5f168
SHA256 5fd356fb23f5f8124c8f4e876ba502612813d8fdc077bafb1cfc7f630740d37c
SHA512 db956d453d17c2b610cc803495a9329679129fcc50d5504d55b1370ad25d9673698e89bc408722d64c682306ecaefffbfca233b9a674faae02f2f1c68499e67c
-
\Windows\SysWOW64\alajmlhv.exe
Filesize 512KB
MD5 0ecca09ece0ebe4d9a109e7ad4ff3a4a
SHA1 5c9bf0b4ffb9b64ece3ceb8549ffe5edfa9e4ddf
SHA256 5544b4b4235414cc2cb206cda8c3d1628ceed43f0de983f34f79d4da1d2be6c6
SHA512 1be8e87f3d56c99b8a4f450295ed95d625c844a99c73a73f3305b6d99ef25587b331eddacb4fb359acf88170ebdfc7e6c567ecb272c0ea0dab2fdaecfa50d236
-
\Windows\SysWOW64\dlsulngkio.exe
Filesize 512KB
MD5 4ecff865a7a0ce40b01448a674f79791
SHA1 7611d39eb3403d3ad1c3d924839ef75eeb4559e9
SHA256 2651fbefe767c3e30c2b7e078d8cc8e5a867c2055654fce72fd4d87020bf295f
SHA512 6d015ad09cbab4ed5896d7e1d0a411c2a75ae2b6dbf6e9d34380d253aae465232dfbb3839b1fdba2be77a610efbb3842524fb3e31aec154f4363e2936ebc39d7
-
memory/2244-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB
-
memory/2560-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/2560-104-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
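Six of the dropped files are reported at the same 512KB size but carry different hashes, and two of them sit on the user's Desktop and in the Office folder under a double extension (.doc.exe / .DOC.exe). The Python below is an added example, not part of the sandbox report, that triages such a dropped-file list: it parses the sizes as the report prints them, labels each path by the behaviour it evidences, and checks whether a hash from one copy would match any other, which decides whether to hunt on hashes or on names, paths and behaviour. The records are transcribed from the Downloads section above; the report's sizes are rounded, so the parsed byte counts are approximate, and the drive letter for the drive-less \Windows\... paths is assumed to be C:. The classification rules and helper names are mine.

```python
"""Triage the dropped-file records from the sandbox report: parse the sizes
the report prints, classify each path, and check whether the file hashes
would serve as IOCs across the dropped copies."""
import ntpath
import re
from collections import defaultdict

# Constructed input: (path, size as printed, SHA256) transcribed from the
# Downloads section of the report above.
DROPPED = [
    (r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe", "512KB",
     "d16ce4df6c1b24450bf9f90618cb7a486b3b84e9daa2de9c93d18df8bd90861c"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm", "20KB",
     "e5b87eff5a87a0f7f96c6af2cd76b5f58ec422b3394c9482a90c3d5187b5f53a"),
    (r"C:\Users\Admin\Desktop\EnterWrite.doc.exe", "512KB",
     "2ad99d049fed1ba82caa9f87d93343b4bf17fdc8b5311ea21170a2a542ef0d54"),
    (r"C:\Windows\SysWOW64\uzqnukouhrmyntg.exe", "512KB",
     "eabf7bd5f7b2623a4a6a81425c0ca5a6cbbd9b1c3c0d3c79208a3f5d3ed6533e"),
    (r"C:\Windows\mydoc.rtf", "223B",
     "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2"),
    (r"\Windows\SysWOW64\acokjqjemuami.exe", "512KB",
     "5fd356fb23f5f8124c8f4e876ba502612813d8fdc077bafb1cfc7f630740d37c"),
    (r"\Windows\SysWOW64\alajmlhv.exe", "512KB",
     "5544b4b4235414cc2cb206cda8c3d1628ceed43f0de983f34f79d4da1d2be6c6"),
    (r"\Windows\SysWOW64\dlsulngkio.exe", "512KB",
     "2651fbefe767c3e30c2b7e078d8cc8e5a867c2055654fce72fd4d87020bf295f"),
]

SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Document-looking name with an executable extension appended.
DOUBLE_EXT_RE = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf)\.exe$", re.I)
# Lowercase-only names of the kind dropped into SysWOW64 in this report.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,20}\.exe$")


def parse_size(text):
    """'512KB' -> 524288. The report rounds, so the result is approximate."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def normalise(path):
    """Assumption: drive-less paths such as '\\Windows\\...' live on C:."""
    return "C:" + path if path.startswith("\\") else path


def classify(path):
    """Label a dropped path by the behaviour it evidences."""
    full = normalise(path)
    name = ntpath.basename(full)
    parent = ntpath.dirname(full).lower()
    if DOUBLE_EXT_RE.search(name):
        return "double-extension lure"
    if parent.endswith(("\\syswow64", "\\system32")) and RANDOM_NAME_RE.match(name):
        return "dropped copy in system directory"
    if name.lower().endswith(".rtf"):
        return "lure document"
    if name.lower().endswith((".dotm", ".dotx")):
        return "Office template"
    return "other"


def by_size(records):
    """Group (normalised path, sha256) by parsed size in bytes."""
    groups = defaultdict(list)
    for path, size, sha in records:
        groups[parse_size(size)].append((normalise(path), sha))
    return dict(groups)


def hashes_distinct(group):
    """True when no two files in the group share a SHA256: a hash from one
    copy would not match the others, so hunt on names, paths and behaviour."""
    return len({sha for _, sha in group}) == len(group)


def iocs(records):
    """File-name IOCs worth hunting on, taken from the classified records."""
    return sorted({ntpath.basename(normalise(p)) for p, _, _ in records
                   if classify(p) in ("double-extension lure", "dropped copy in system directory")})


if __name__ == "__main__":
    for path, size, sha in DROPPED:
        print(f"{classify(path):34} {size:>6} {normalise(path)}")
    big = by_size(DROPPED)[parse_size("512KB")]
    print(f"{len(big)} files of 512KB, all SHA256 distinct: {hashes_distinct(big)}")
    print("name IOCs:", iocs(DROPPED))
```

Run against the report's records, the 512KB group holds six files with six different SHA256 values, so a hash-based block list built from this run would not catch the next copy; the double-extension names and the lowercase random names in SysWOW64 are the portable indicators, together with the Explorer and Security Center registry changes listed in the process tree.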