Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 03:35

Static task: static1
Behavioral task: behavioral1
  Sample: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

The signatures and process tree below are from behavioral1 (the Windows 7 run; the memory-dump YARA hit is tagged behavioral1/memory/1560-...). The Windows 10 run is not reproduced on this page.
General

Target: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Size: 512KB
MD5: 6d36a2d556802fde6ac418942073e3f8
SHA1: c4783854bb3d66bbbda9ccf74ae8f031d81a8763
SHA256: aab8019800b261ed759734dc7ea823e7bdc7e8ebe3396854114f3bd07f888d94
SHA512: 7a394480492c6d0bfbcd8da780c42327fbe9f41ab2f2b5d73548aba9954c5eb24d23cd95d7310baf3adfc902ac0527cc65f0d5fdccb397623f2e5bb6cb59ac18
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures

Registry IoCs are listed as "<process>: <operation> <key>\<value> = <data>", with the key path exactly as the sandbox logged it (\REGISTRY\MACHINE is HKLM, \REGISTRY\USER\<SID> is the logged-on user's HKCU). All of the malware's processes are 32-bit, so their HKLM writes land in the Wow6432Node view.

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- ggdeschdqi.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- ggdeschdqi.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Together with HideFileExt = "1" above, this makes the dropped *.DOC.exe copies listed under "AutoIT Executable" below display as plain .DOC files in Explorer.
Windows security bypass (5 IoCs)
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification (1 IoC)
- ggdeschdqi.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE (5 IoCs)
- PID 2628 ggdeschdqi.exe
- PID 2704 blsticedxqdrpka.exe
- PID 2592 tsvifcoh.exe
- PID 2728 yceipjwosafqf.exe
- PID 2512 tsvifcoh.exe
Loads dropped DLL (5 IoCs)
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe (4 entries)
- PID 2628 ggdeschdqi.exe (1 entry)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No individual IoCs are listed for this signature.
Windows security modification (6 IoCs)
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"

The five Override/DisableNotify values are the same writes the "Windows security bypass" signature reports; FirstRunDisabled is the only additional one.
Adds Run key to start application (2 TTPs, 3 IoCs)
- blsticedxqdrpka.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\opehkiis = "ggdeschdqi.exe"
- blsticedxqdrpka.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lpwjqkjf = "blsticedxqdrpka.exe"
- blsticedxqdrpka.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yceipjwosafqf.exe"

The third entry is written to the Run key's default (unnamed) value. All three values are bare file names without a path; the files live in C:\Windows\SysWOW64 (see "Drops file in System32 directory").
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- ggdeschdqi.exe: File opened (read-only) \??\<letter>: for every drive letter except c:, d:, f: and p: (22 entries: a, b, e, g, h, i, j, k, l, m, n, o, q, r, s, t, u, v, w, x, y, z)
- tsvifcoh.exe (both instances together): File opened (read-only) \??\<letter>: for every drive letter except c:, d: and f: (42 entries; each letter appears twice except g, q, r and z, which appear once)

The IoC list is capped at 64 entries, so the letters that appear only once for tsvifcoh.exe reflect the display limit, not necessarily a difference between the two instances.
Modifies WinLogon (2 TTPs, 2 IoCs)
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- ggdeschdqi.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"

"4294967197" is the unsigned rendering of the DWORD 0xFFFFFF9D (-99), the value used since Windows 2000 to switch off Windows File Protection; SFCScan = "0" turns off the boot-time file scan. Windows 7 protects system files with Windows Resource Protection, which does not read these values, so on this platform they are a fingerprint of an old worm family rather than a working bypass.
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched:
- behavioral1/memory/1560-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\blsticedxqdrpka.exe
- \Windows\SysWOW64\ggdeschdqi.exe
- \Windows\SysWOW64\tsvifcoh.exe
- \Windows\SysWOW64\yceipjwosafqf.exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- C:\Users\Admin\AppData\Roaming\UnregisterUnlock.doc.exe

The two PROTTPL*.DOC.exe files in the Office template folder and UnregisterUnlock.doc.exe in the user's Roaming folder match the same rule as the dropped executables, so they are copies of the worm under a document-looking double extension, not documents; the HideFileExt = "1" change above makes Explorer show them as .DOC/.doc.
Drops file in System32 directory (9 IoCs)
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File created C:\Windows\SysWOW64\blsticedxqdrpka.exe
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\tsvifcoh.exe
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\yceipjwosafqf.exe
- ggdeschdqi.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File created C:\Windows\SysWOW64\ggdeschdqi.exe
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\ggdeschdqi.exe
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\blsticedxqdrpka.exe
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File created C:\Windows\SysWOW64\tsvifcoh.exe
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File created C:\Windows\SysWOW64\yceipjwosafqf.exe
Drops file in Program Files directory (15 IoCs)
All entries are from tsvifcoh.exe (both instances); the same files appear under both the \??\c:\ and C:\ spellings of the path:
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
Drops file in Windows directory (5 IoCs)
- 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\Debug\WIA\wiatrace.log
- WINWORD.EXE: File opened for modification C:\Windows\~$mydoc.rtf

C:\Windows\mydoc.rtf is written by the sample and then opened in Word (see the process tree); ~$mydoc.rtf is Word's own lock file for it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No individual IoCs are listed for this signature.
Office loads VBA resources, possible macro or embedded object present
No individual IoCs are listed for this signature.

Modifies Internet Explorer settings (31 IoCs listed)
All entries are from WINWORD.EXE. HKLM paths are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ and HKU paths under \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\:
- Set value (data) HKLM ...\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (data) HKLM ...\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created HKU ...\MenuExt\Se&nd to OneNote
- Set value (str) HKU ...\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key deleted HKLM ...\Default HTML Editor\shell\edit\COMMAND
- Key created HKLM ...\Default HTML Editor\shell
- Key created HKLM ...\Default HTML Editor\shell\edit
- Key deleted HKLM ...\Default HTML Editor\shell\edit
- Set value (str) HKLM ...\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key deleted HKLM ...\Default MHTML Editor\shell
- Key created HKLM ...\Default MHTML Editor
- Set value (str) HKLM ...\Default MHTML Editor\shell\edit\ = "&Edit"
- Set value (str) HKLM ...\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created HKU ...\Toolbar
- Set value (str) HKU ...\Toolbar\ShowDiscussionButton = "Yes"
- Set value (int) HKU ...\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key deleted HKLM ...\Default MHTML Editor\shell\edit
- Key created HKLM ...\Default MHTML Editor\shell\edit
- Key created HKU ...\MenuExt\E&xport to Microsoft Excel
- Key deleted HKLM ...\Default HTML Editor\shell
- Key deleted HKLM ...\Default HTML Editor
- Key created HKLM ...\Default HTML Editor
- Key created HKU ...\MenuExt
- Set value (str) HKU ...\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key deleted HKLM ...\Default MHTML Editor\shell\edit\COMMAND
- Key deleted HKLM ...\Default MHTML Editor
- Key created HKLM ...\Default MHTML Editor\shell\edit\command
- Set value (int) HKU ...\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Set value (str) HKLM ...\Default HTML Editor\shell\edit\ = "&Edit"
- Key created HKLM ...\Default HTML Editor\shell\edit\command
- Key created HKLM ...\Default MHTML Editor\shell

These are Word's standard registration of its HTML/MHTML editor verbs and Internet Explorer menu extensions, triggered because the sample launches WINWORD.EXE on C:\Windows\mydoc.rtf (see the process tree). The malware's own processes write nothing under Internet Explorer.
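The two REG_BINARY "command" values above look opaque, and a triage analyst will want to know what they decode to before deciding whether they matter. The following is an added example, not part of the report: it decodes the hex dumps as UTF-16LE and parses the result into the layout Office uses for these values, a Windows Installer "Darwin descriptor" (20-character compressed product code, feature name, ">", 20-character compressed component code, then the argument string), stored beside the plain command line so the verb can be resolved through MSI self-repair. The hex blobs are copied from the report (the second from the "Modifies registry class" entries for Publisher); the field names and the classification helper are this example's own. Decompression of the 20-character codes into GUIDs is not implemented.

```python
"""Decode the UTF-16LE REG_BINARY "command" values Word registers and split them into
Darwin-descriptor fields.  Added example; the hex blobs are copied from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied verbatim from the report: Default HTML Editor\shell\edit\command\command (Word)
WORD_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052"
    "004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b0030007600"
    "6d007e0041005a00750020002f006e002000220025003100220000000000"
)
# Copied verbatim from the report: .htm\OpenWithList\MSPub.exe\shell\edit\command\command (Publisher)
PUB_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0050007500"
    "62005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c0072"
    "0052007000390078004000570020002500310000000000"
)


@dataclass(frozen=True)
class Descriptor:
    product: str     # 20-char compressed product code (identifies the installed MSI product)
    feature: str     # feature that must be installed/repaired before the verb runs
    component: str   # 20-char compressed component code of the executable
    args: str        # arguments appended to the resolved executable path


def decode_utf16_hex(blob: str) -> str:
    """Decode a hex dump of a UTF-16LE registry value, dropping the NUL terminators."""
    return bytes.fromhex(blob).decode("utf-16-le").rstrip("\x00")


# Darwin descriptor layout; the compressed codes never contain whitespace or quotes, so a
# plain command line such as "C:\...\WINWORD.EXE" /n "%1" cannot match.
_DARWIN = re.compile(r'^(?P<product>[^\s"]{20})(?P<feature>[^>\s]+)>(?P<component>[^\s"]{20})(?P<args>.*)$')


def parse_descriptor(text: str) -> Descriptor | None:
    m = _DARWIN.match(text)
    if not m:
        return None
    return Descriptor(m["product"], m["feature"], m["component"], m["args"].strip())


def classify(text: str) -> str:
    """'msi-darwin-descriptor' for an advertised-verb value, 'command-line' for anything else."""
    return "msi-darwin-descriptor" if parse_descriptor(text) else "command-line"


def same_product(a: Descriptor, b: Descriptor) -> bool:
    """Two descriptors with the same compressed product code belong to the same MSI product."""
    return a.product == b.product


if __name__ == "__main__":
    for label, blob in (("Word", WORD_EDIT_COMMAND), ("Publisher", PUB_EDIT_COMMAND)):
        text = decode_utf16_hex(blob)
        print(label, classify(text), parse_descriptor(text))
```

Both values carry the same product code, i.e. they belong to one Office 2010 installation, and the argument strings are the ordinary "/n "%1"" and "%1" the plain command values next to them also show. Nothing in them points at the sample.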
Modifies registry class (64 IoCs)

From the sample itself (6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B5FE1821D0D27BD0A78A099010"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C7F9C2D83236D3F76D3702E2CDA7C8F64AB"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB8FE11F2E283793B42869E3995B3FE038A4313023BE2CE42EB08D2"

From ggdeschdqi.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"

From WINWORD.EXE (all keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\):
- Set value (str) .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Key created .htm\OpenWithList\Microsoft Publisher
- Key created mhtmlfile\shell\Print\command
- Key created mhtmlfile\ShellEx
- Key created .mht\OpenWithList\Microsoft Word\shell\edit\command
- Key created htmlfile\shell\Print
- Key created .htm\OpenWithList\WinWord.exe
- Key created .htm\OpenWithList\Microsoft Publisher\shell\edit
- Key created mhtmlfile\shellex\IconHandler
- Key created htmlfile
- Set value (str) mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
- Set value (str) .mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str) .htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (str) .htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (str) mhtmlfile\DefaultIcon\ = "\"%1\""
- Set value (data) .mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Set value (str) htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
- Key created .htm\OpenWithList\Microsoft Word
- Key created .htm\OpenWithList\Microsoft Word\shell\edit
- Key created .htm\OpenWithList\Microsoft Excel\shell\edit
- Key created .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
- Key created .htm\OpenWithList\MSPub.exe\shell\edit\command
- Set value (data) .htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Set value (str) .htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Key created .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Key created mhtmlfile
- Key created .mht\OpenWithList\Microsoft Excel
- Key created .mht\OpenWithList\Microsoft Excel\shell\edit
- Set value (str) .mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Key created .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
- Set value (str) .htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Set value (str) .htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key deleted mhtmlfile\shell\Edit\command
- Key created .mht\OpenWithList
- Key created htmlfile\DefaultIcon
- Key created .htm\OpenWithList\Microsoft Excel\shell\edit\command
- Key created .mht\OpenWithList\WinWord.exe\shell\edit\command
- Set value (str) .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Key created .mht\OpenWithList\MSPub.exe
- Set value (str) .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Key created htmlfile\shellex\IconHandler
- Key created .htm
- Set value (str) .htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str) .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Key created .mht\OpenWithList\MSPub.exe\shell\edit
- Key deleted htmlfile\shell\Edit\command
- Key created .htm\OpenWithList\MSPub.exe
- Set value (str) mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key created .mht
- Key created .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- Key created .htm\OpenWithList\WinWord.exe\shell\edit
- Key created mhtmlfile\DefaultIcon
- Set value (data) .mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Set value (data) .htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) mhtmlfile\shell\Edit\ = "&Edit"
- Key deleted mhtmlfile\shell\Print\command

Only the six entries from the sample and from ggdeschdqi.exe come from the malware: the CLV.Classes\StartCom1, Com1 and Com2 strings are hex-looking markers of the worm's own (their meaning is not established by this report), and pointing the .wsc extension at the txtfile ProgID makes Windows Script Component files open as text instead of running. The WINWORD.EXE entries are Word's first-run .htm/.mht file-association registration and would appear for any document opened in this image. The list is capped at 64 entries.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2488 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Entries per process (the list is capped at 64):
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe: 8
- PID 2628 ggdeschdqi.exe: 5
- PID 2592 tsvifcoh.exe: 4
- PID 2704 blsticedxqdrpka.exe: 17
- PID 2728 yceipjwosafqf.exe: 26
- PID 2512 tsvifcoh.exe: 4
Suspicious use of FindShellTrayWindow (18 IoCs)
Three entries each for PID 1560 (6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe), PID 2628 (ggdeschdqi.exe), PID 2704 (blsticedxqdrpka.exe), PID 2592 (tsvifcoh.exe), PID 2728 (yceipjwosafqf.exe) and PID 2512 (tsvifcoh.exe).
Suspicious use of SendNotifyMessage (18 IoCs)
Three entries each for PID 1560 (6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe), PID 2628 (ggdeschdqi.exe), PID 2704 (blsticedxqdrpka.exe), PID 2592 (tsvifcoh.exe), PID 2728 (yceipjwosafqf.exe) and PID 2512 (tsvifcoh.exe).
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2488 WINWORD.EXE (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
Four entries per parent/child pair:
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe wrote to memory of PID 2628 ggdeschdqi.exe
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe wrote to memory of PID 2704 blsticedxqdrpka.exe
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe wrote to memory of PID 2592 tsvifcoh.exe
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe wrote to memory of PID 2728 yceipjwosafqf.exe
- PID 2628 ggdeschdqi.exe wrote to memory of PID 2512 tsvifcoh.exe
- PID 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe wrote to memory of PID 2488 WINWORD.EXE
- PID 2488 WINWORD.EXE wrote to memory of PID 868 splwow64.exe

Every target is a child the writer itself started (compare the process tree below), with the same four writes per child, which is the pattern process creation produces in this sandbox. There is no write into a pre-existing or unrelated process, so this signature does not indicate code injection here.
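Telling creation-time writes apart from injection is something a script can do from the entries alone, as long as the list is processed in order. The following is an added example, not part of the report: it parses "wrote to memory of" lines in the format used above, reconstructs the spawn tree by treating the first writer into a previously unseen PID as its parent, counts writes per edge, and flags any write whose target already has a different parent or has already acted as a writer itself (i.e. was already running). The seven distinct lines are copied from the report, where each appears four times; the final "injection" line is constructed for the example and does not occur in the report.

```python
"""Separate creation-time WriteProcessMemory entries from writes into already-running
processes.  Added example; report lines copied from above, the injection line is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# The seven distinct entries from the report; each is listed four times there.
DISTINCT_WRITES = [
    "PID 1560 wrote to memory of 2628 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe ggdeschdqi.exe",
    "PID 1560 wrote to memory of 2704 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe blsticedxqdrpka.exe",
    "PID 1560 wrote to memory of 2592 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe tsvifcoh.exe",
    "PID 1560 wrote to memory of 2728 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe yceipjwosafqf.exe",
    "PID 2628 wrote to memory of 2512 2628 ggdeschdqi.exe tsvifcoh.exe",
    "PID 1560 wrote to memory of 2488 1560 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe WINWORD.EXE",
    "PID 2488 wrote to memory of 868 2488 WINWORD.EXE splwow64.exe",
]
REPORT_LINES = [line for line in DISTINCT_WRITES for _ in range(4)]

# Constructed for this example (NOT in the report): a write into a process that is already
# running and was started by someone else.
CONSTRUCTED_INJECTION = "PID 2628 wrote to memory of 2488 2628 ggdeschdqi.exe WINWORD.EXE"

# "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"
_WRITE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


@dataclass
class Analysis:
    parent: dict[int, int] = field(default_factory=dict)         # child pid -> parent pid
    names: dict[int, str] = field(default_factory=dict)          # pid -> image name
    writes: dict[tuple[int, int], int] = field(default_factory=dict)   # (src, dst) -> count
    foreign: list[tuple[int, int]] = field(default_factory=list)  # writes that are not a parent priming its new child


def analyse(lines) -> Analysis:
    a = Analysis()
    counts: dict[tuple[int, int], int] = defaultdict(int)
    active: set[int] = set()          # pids that have themselves written into another process
    for line in lines:
        m = _WRITE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        a.names[src], a.names[dst] = m["src_name"], m["dst_name"]
        counts[(src, dst)] += 1
        if dst in active or (dst in a.parent and a.parent[dst] != src):
            a.foreign.append((src, dst))   # target already running, or somebody else's child
        else:
            a.parent.setdefault(dst, src)  # first writer into a fresh pid is its creator
        active.add(src)
    a.writes = dict(counts)
    return a


def roots(a: Analysis) -> set[int]:
    """Processes that created others but were not created by a logged write (here: the sample)."""
    return {p for p in a.parent.values() if p not in a.parent}


def children(a: Analysis, pid: int) -> list[int]:
    return sorted(c for c, p in a.parent.items() if p == pid)


if __name__ == "__main__":
    a = analyse(REPORT_LINES + [CONSTRUCTED_INJECTION])
    for child, parent in a.parent.items():
        print(f"{a.names[parent]} ({parent}) -> {a.names[child]} ({child}): {a.writes[(parent, child)]} writes")
    print("foreign writes:", [(s, d, a.names[d]) for s, d in a.foreign])
```

On the report's own 28 entries the analysis yields one root (1560), a four-write edge to each of its five children and to ggdeschdqi.exe's child, and no foreign write; only the constructed line is flagged. The heuristic relies on the sandbox listing writes in the order they happened and on a created process not acting before its parent finishes priming it; it is a triage aid, not proof of absence of injection.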
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ggdeschdqi.exe (tree level 2), command line: ggdeschdqi.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tsvifcoh.exe (tree level 3), command line: C:\Windows\system32\tsvifcoh.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\blsticedxqdrpka.exe (tree level 2), command line: blsticedxqdrpka.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\tsvifcoh.exe (tree level 2), command line: tsvifcoh.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\yceipjwosafqf.exe (tree level 2), command line: yceipjwosafqf.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (tree level 2), command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe (tree level 3), command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2): Hidden Files and Directories (2)
- Modify Registry (7)
- Impair Defenses (2): Disable or Modify Tools (2)
Downloads
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (512KB)
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (512KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (20KB)
- C:\Users\Admin\AppData\Roaming\UnregisterUnlock.doc.exe (512KB)
- C:\Windows\SysWOW64\blsticedxqdrpka.exe (512KB)
- C:\Windows\mydoc.rtf (223B)
- \Windows\SysWOW64\ggdeschdqi.exe (512KB)
- \Windows\SysWOW64\tsvifcoh.exe (512KB)
- \Windows\SysWOW64\yceipjwosafqf.exe (512KB)
- memory/1560-0-0x0000000000400000-0x0000000000496000-memory.dmp (600KB)
- memory/2488-45-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/2488-107-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)