Analysis
max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
24-05-2024 05:16
Static task
static1
Behavioral task
behavioral1
Sample
6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
Size
512KB
MD5
6d716201c7e6ef7e37b8c2ad787b545e
SHA1
eac84117fe480aafd5ea040868ec51dbeb4cb457
SHA256
3eea2b9e75ec223dc8037a6809e487f77a15fd97a8c0213bfa6545a5a47c26bb
SHA512
12c4de2fdf357e7ff184bb2c29907b16e680fb7471f88579c446797551e555c78a743260eedf58ef1a1ff93c0371e79f1c5570ab4b196387a6839bc8bf16ff11
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | aeqoildjqe.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | aeqoildjqe.exe
Windows security bypass 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | aeqoildjqe.exe
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aeqoildjqe.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
2676 | aeqoildjqe.exe
2124 | ydimoegvwtlpcoo.exe
2720 | etfkluzf.exe
2780 | keglcxcirwqhs.exe
2660 | etfkluzf.exe
Loads dropped DLL 5 IoCs
Processes:
pid | process
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2676 | aeqoildjqe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | aeqoildjqe.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrhwdfbz = "aeqoildjqe.exe" | ydimoegvwtlpcoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owfyshgj = "ydimoegvwtlpcoo.exe" | ydimoegvwtlpcoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "keglcxcirwqhs.exe" | ydimoegvwtlpcoo.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\i: | etfkluzf.exe
File opened (read-only) | \??\s: | aeqoildjqe.exe
File opened (read-only) | \??\p: | etfkluzf.exe
File opened (read-only) | \??\j: | aeqoildjqe.exe
File opened (read-only) | \??\m: | aeqoildjqe.exe
File opened (read-only) | \??\w: | aeqoildjqe.exe
File opened (read-only) | \??\k: | etfkluzf.exe
File opened (read-only) | \??\l: | etfkluzf.exe
File opened (read-only) | \??\e: | etfkluzf.exe
File opened (read-only) | \??\m: | etfkluzf.exe
File opened (read-only) | \??\r: | aeqoildjqe.exe
File opened (read-only) | \??\z: | aeqoildjqe.exe
File opened (read-only) | \??\h: | etfkluzf.exe
File opened (read-only) | \??\t: | etfkluzf.exe
File opened (read-only) | \??\g: | etfkluzf.exe
File opened (read-only) | \??\y: | aeqoildjqe.exe
File opened (read-only) | \??\x: | etfkluzf.exe
File opened (read-only) | \??\v: | etfkluzf.exe
File opened (read-only) | \??\w: | etfkluzf.exe
File opened (read-only) | \??\y: | etfkluzf.exe
File opened (read-only) | \??\x: | aeqoildjqe.exe
File opened (read-only) | \??\z: | etfkluzf.exe
File opened (read-only) | \??\e: | aeqoildjqe.exe
File opened (read-only) | \??\u: | aeqoildjqe.exe
File opened (read-only) | \??\a: | etfkluzf.exe
File opened (read-only) | \??\q: | etfkluzf.exe
File opened (read-only) | \??\r: | etfkluzf.exe
File opened (read-only) | \??\t: | etfkluzf.exe
File opened (read-only) | \??\x: | etfkluzf.exe
File opened (read-only) | \??\b: | etfkluzf.exe
File opened (read-only) | \??\b: | etfkluzf.exe
File opened (read-only) | \??\l: | etfkluzf.exe
File opened (read-only) | \??\w: | etfkluzf.exe
File opened (read-only) | \??\a: | aeqoildjqe.exe
File opened (read-only) | \??\k: | aeqoildjqe.exe
File opened (read-only) | \??\s: | etfkluzf.exe
File opened (read-only) | \??\a: | etfkluzf.exe
File opened (read-only) | \??\s: | etfkluzf.exe
File opened (read-only) | \??\y: | etfkluzf.exe
File opened (read-only) | \??\g: | aeqoildjqe.exe
File opened (read-only) | \??\n: | aeqoildjqe.exe
File opened (read-only) | \??\p: | etfkluzf.exe
File opened (read-only) | \??\h: | etfkluzf.exe
File opened (read-only) | \??\o: | etfkluzf.exe
File opened (read-only) | \??\i: | aeqoildjqe.exe
File opened (read-only) | \??\o: | aeqoildjqe.exe
File opened (read-only) | \??\g: | etfkluzf.exe
File opened (read-only) | \??\u: | etfkluzf.exe
File opened (read-only) | \??\v: | etfkluzf.exe
File opened (read-only) | \??\h: | aeqoildjqe.exe
File opened (read-only) | \??\o: | etfkluzf.exe
File opened (read-only) | \??\n: | etfkluzf.exe
File opened (read-only) | \??\r: | etfkluzf.exe
File opened (read-only) | \??\u: | etfkluzf.exe
File opened (read-only) | \??\l: | aeqoildjqe.exe
File opened (read-only) | \??\p: | aeqoildjqe.exe
File opened (read-only) | \??\t: | aeqoildjqe.exe
File opened (read-only) | \??\v: | aeqoildjqe.exe
File opened (read-only) | \??\j: | etfkluzf.exe
File opened (read-only) | \??\q: | etfkluzf.exe
File opened (read-only) | \??\e: | etfkluzf.exe
File opened (read-only) | \??\j: | etfkluzf.exe
File opened (read-only) | \??\q: | aeqoildjqe.exe
File opened (read-only) | \??\i: | etfkluzf.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | aeqoildjqe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | aeqoildjqe.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2576-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe | autoit_exe
\Windows\SysWOW64\aeqoildjqe.exe | autoit_exe
C:\Windows\SysWOW64\etfkluzf.exe | autoit_exe
C:\Windows\SysWOW64\keglcxcirwqhs.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\ResolveUnregister.doc.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\aeqoildjqe.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\aeqoildjqe.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\etfkluzf.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\etfkluzf.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\keglcxcirwqhs.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\keglcxcirwqhs.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | aeqoildjqe.exe
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | etfkluzf.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | etfkluzf.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | etfkluzf.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | etfkluzf.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | etfkluzf.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | etfkluzf.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | etfkluzf.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | etfkluzf.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | aeqoildjqe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | aeqoildjqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | aeqoildjqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | aeqoildjqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | aeqoildjqe.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02E479339E953B9B9D7339FD7B9" | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | aeqoildjqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2396 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2676 | aeqoildjqe.exe
2676 | aeqoildjqe.exe
2676 | aeqoildjqe.exe
2676 | aeqoildjqe.exe
2676 | aeqoildjqe.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2124 | ydimoegvwtlpcoo.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2676 | aeqoildjqe.exe
2676 | aeqoildjqe.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2676 | aeqoildjqe.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
2676 | aeqoildjqe.exe
2676 | aeqoildjqe.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2124 | ydimoegvwtlpcoo.exe
2676 | aeqoildjqe.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2780 | keglcxcirwqhs.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2720 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
2660 | etfkluzf.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2396 | WINWORD.EXE
2396 | WINWORD.EXE
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 2576 wrote to memory of 2676 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | aeqoildjqe.exe
PID 2576 wrote to memory of 2676 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | aeqoildjqe.exe
PID 2576 wrote to memory of 2676 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | aeqoildjqe.exe
PID 2576 wrote to memory of 2676 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | aeqoildjqe.exe
PID 2576 wrote to memory of 2124 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | ydimoegvwtlpcoo.exe
PID 2576 wrote to memory of 2124 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | ydimoegvwtlpcoo.exe
PID 2576 wrote to memory of 2124 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | ydimoegvwtlpcoo.exe
PID 2576 wrote to memory of 2124 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | ydimoegvwtlpcoo.exe
PID 2576 wrote to memory of 2720 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | etfkluzf.exe
PID 2576 wrote to memory of 2720 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | etfkluzf.exe
PID 2576 wrote to memory of 2720 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | etfkluzf.exe
PID 2576 wrote to memory of 2720 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | etfkluzf.exe
PID 2576 wrote to memory of 2780 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | keglcxcirwqhs.exe
PID 2576 wrote to memory of 2780 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | keglcxcirwqhs.exe
PID 2576 wrote to memory of 2780 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | keglcxcirwqhs.exe
PID 2576 wrote to memory of 2780 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | keglcxcirwqhs.exe
PID 2124 wrote to memory of 2500 | 2124 | ydimoegvwtlpcoo.exe | cmd.exe
PID 2124 wrote to memory of 2500 | 2124 | ydimoegvwtlpcoo.exe | cmd.exe
PID 2124 wrote to memory of 2500 | 2124 | ydimoegvwtlpcoo.exe | cmd.exe
PID 2124 wrote to memory of 2500 | 2124 | ydimoegvwtlpcoo.exe | cmd.exe
PID 2676 wrote to memory of 2660 | 2676 | aeqoildjqe.exe | etfkluzf.exe
PID 2676 wrote to memory of 2660 | 2676 | aeqoildjqe.exe | etfkluzf.exe
PID 2676 wrote to memory of 2660 | 2676 | aeqoildjqe.exe | etfkluzf.exe
PID 2676 wrote to memory of 2660 | 2676 | aeqoildjqe.exe | etfkluzf.exe
PID 2576 wrote to memory of 2396 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | WINWORD.EXE
PID 2576 wrote to memory of 2396 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | WINWORD.EXE
PID 2576 wrote to memory of 2396 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | WINWORD.EXE
PID 2576 wrote to memory of 2396 | 2576 | 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe | WINWORD.EXE
PID 2396 wrote to memory of 2404 | 2396 | WINWORD.EXE | splwow64.exe
PID 2396 wrote to memory of 2404 | 2396 | WINWORD.EXE | splwow64.exe
PID 2396 wrote to memory of 2404 | 2396 | WINWORD.EXE | splwow64.exe
PID 2396 wrote to memory of 2404 | 2396 | WINWORD.EXE | splwow64.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2576

  [depth 2] C:\Windows\SysWOW64\aeqoildjqe.exe
    Command line: aeqoildjqe.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2676

    [depth 3] C:\Windows\SysWOW64\etfkluzf.exe
      Command line: C:\Windows\system32\etfkluzf.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2660

  [depth 2] C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe
    Command line: ydimoegvwtlpcoo.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2124

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c keglcxcirwqhs.exe
      PID: 2500

  [depth 2] C:\Windows\SysWOW64\etfkluzf.exe
    Command line: etfkluzf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2720

  [depth 2] C:\Windows\SysWOW64\keglcxcirwqhs.exe
    Command line: keglcxcirwqhs.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2780

  [depth 2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2396

    [depth 3] C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2404
Network
-
MITRE ATT&CK Enterprise v15
-
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads
-
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (Filesize: 512KB)
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (Filesize: 512KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (Filesize: 20KB)
- C:\Users\Admin\AppData\Roaming\ResolveUnregister.doc.exe (Filesize: 512KB)
- C:\Windows\SysWOW64\etfkluzf.exe (Filesize: 512KB)
- C:\Windows\SysWOW64\keglcxcirwqhs.exe (Filesize: 512KB)
- C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe (Filesize: 512KB)
- C:\Windows\mydoc.rtf (Filesize: 223B)
- \Windows\SysWOW64\aeqoildjqe.exe (Filesize: 512KB)
- memory/2396-45-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/2396-101-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/2576-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize: 600KB)