Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 15:29
Static task: static1
Behavioral task: behavioral1
- Sample: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- Size: 512KB
- MD5: 6efbd040de315fa09810caf92722ba6c
- SHA1: 007eab42ac0aee941486b8bf78b57c3385e1174b
- SHA256: 40e8d566afd8269708d7dcd017cacb6150ad77bdcc98c9d41f112c5adeed1bb8
- SHA512: b462a4e51941aa7826046c9927c2276a88360d1e58c2bb51e4dd0cda4b79567201272a2f4c21b531ff519dbd9c996caf863e5b6c1bc984cfa789982f808640ec
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ftreqhpfep.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ftreqhpfep.exe)
Windows security bypass
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (ftreqhpfep.exe)
Disables RegEdit via registry modification (1 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ftreqhpfep.exe)
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 2796 ftreqhpfep.exe
- 3044 oqdxadvjiapbnqr.exe
- 2668 qlizuhzz.exe
- 2776 dexrapzpbvoij.exe
- 2548 qlizuhzz.exe
Loads dropped DLL (5 IoCs)
Processes (pid, process):
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2796 ftreqhpfep.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (ftreqhpfep.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\glmibftd = "ftreqhpfep.exe" (oqdxadvjiapbnqr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ivzuwhov = "oqdxadvjiapbnqr.exe" (oqdxadvjiapbnqr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dexrapzpbvoij.exe" (oqdxadvjiapbnqr.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) \??\i: (qlizuhzz.exe)
- File opened (read-only) \??\s: (qlizuhzz.exe)
- File opened (read-only) \??\w: (qlizuhzz.exe)
- File opened (read-only) \??\m: (ftreqhpfep.exe)
- File opened (read-only) \??\j: (qlizuhzz.exe)
- File opened (read-only) \??\y: (qlizuhzz.exe)
- File opened (read-only) \??\b: (qlizuhzz.exe)
- File opened (read-only) \??\e: (qlizuhzz.exe)
- File opened (read-only) \??\o: (qlizuhzz.exe)
- File opened (read-only) \??\k: (qlizuhzz.exe)
- File opened (read-only) \??\s: (qlizuhzz.exe)
- File opened (read-only) \??\l: (qlizuhzz.exe)
- File opened (read-only) \??\o: (ftreqhpfep.exe)
- File opened (read-only) \??\e: (qlizuhzz.exe)
- File opened (read-only) \??\l: (qlizuhzz.exe)
- File opened (read-only) \??\r: (qlizuhzz.exe)
- File opened (read-only) \??\k: (qlizuhzz.exe)
- File opened (read-only) \??\v: (qlizuhzz.exe)
- File opened (read-only) \??\g: (ftreqhpfep.exe)
- File opened (read-only) \??\z: (qlizuhzz.exe)
- File opened (read-only) \??\h: (ftreqhpfep.exe)
- File opened (read-only) \??\w: (ftreqhpfep.exe)
- File opened (read-only) \??\t: (qlizuhzz.exe)
- File opened (read-only) \??\g: (qlizuhzz.exe)
- File opened (read-only) \??\u: (qlizuhzz.exe)
- File opened (read-only) \??\b: (qlizuhzz.exe)
- File opened (read-only) \??\o: (qlizuhzz.exe)
- File opened (read-only) \??\g: (qlizuhzz.exe)
- File opened (read-only) \??\v: (qlizuhzz.exe)
- File opened (read-only) \??\x: (qlizuhzz.exe)
- File opened (read-only) \??\j: (qlizuhzz.exe)
- File opened (read-only) \??\p: (qlizuhzz.exe)
- File opened (read-only) \??\i: (ftreqhpfep.exe)
- File opened (read-only) \??\a: (qlizuhzz.exe)
- File opened (read-only) \??\n: (qlizuhzz.exe)
- File opened (read-only) \??\z: (qlizuhzz.exe)
- File opened (read-only) \??\t: (ftreqhpfep.exe)
- File opened (read-only) \??\x: (qlizuhzz.exe)
- File opened (read-only) \??\n: (qlizuhzz.exe)
- File opened (read-only) \??\p: (qlizuhzz.exe)
- File opened (read-only) \??\p: (ftreqhpfep.exe)
- File opened (read-only) \??\q: (ftreqhpfep.exe)
- File opened (read-only) \??\s: (ftreqhpfep.exe)
- File opened (read-only) \??\y: (ftreqhpfep.exe)
- File opened (read-only) \??\q: (qlizuhzz.exe)
- File opened (read-only) \??\h: (qlizuhzz.exe)
- File opened (read-only) \??\j: (ftreqhpfep.exe)
- File opened (read-only) \??\l: (ftreqhpfep.exe)
- File opened (read-only) \??\u: (qlizuhzz.exe)
- File opened (read-only) \??\h: (qlizuhzz.exe)
- File opened (read-only) \??\m: (qlizuhzz.exe)
- File opened (read-only) \??\q: (qlizuhzz.exe)
- File opened (read-only) \??\n: (ftreqhpfep.exe)
- File opened (read-only) \??\m: (qlizuhzz.exe)
- File opened (read-only) \??\y: (qlizuhzz.exe)
- File opened (read-only) \??\e: (ftreqhpfep.exe)
- File opened (read-only) \??\k: (ftreqhpfep.exe)
- File opened (read-only) \??\a: (ftreqhpfep.exe)
- File opened (read-only) \??\b: (ftreqhpfep.exe)
- File opened (read-only) \??\w: (qlizuhzz.exe)
- File opened (read-only) \??\t: (qlizuhzz.exe)
- File opened (read-only) \??\x: (ftreqhpfep.exe)
- File opened (read-only) \??\a: (qlizuhzz.exe)
- File opened (read-only) \??\i: (qlizuhzz.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ftreqhpfep.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ftreqhpfep.exe)
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
Resources (resource, yara_rule):
- behavioral1/memory/2988-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
- C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe autoit_exe
- \Windows\SysWOW64\ftreqhpfep.exe autoit_exe
- \Windows\SysWOW64\qlizuhzz.exe autoit_exe
- \Windows\SysWOW64\dexrapzpbvoij.exe autoit_exe
- C:\Users\Admin\Documents\CompleteFind.doc.exe autoit_exe
Drops file in System32 directory (9 IoCs)
Processes:
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (ftreqhpfep.exe)
- File created C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\qlizuhzz.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\dexrapzpbvoij.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\qlizuhzz.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\dexrapzpbvoij.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\ftreqhpfep.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\ftreqhpfep.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
Processes:
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (qlizuhzz.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (qlizuhzz.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (qlizuhzz.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (qlizuhzz.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (qlizuhzz.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (qlizuhzz.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (qlizuhzz.exe)
Drops file in Windows directory (5 IoCs)
Processes:
- File opened for modification C:\Windows\mydoc.rtf (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
Modifies registry class (64 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ftreqhpfep.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ftreqhpfep.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D7C9D5283236D4676A777262CD87DF465D9" (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ftreqhpfep.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ftreqhpfep.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C70C1491DBBEB9BA7C95ED9137CF" (6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
- 2756 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 3044 oqdxadvjiapbnqr.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes (pid, process):
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes (pid, process):
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2988 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 2796 ftreqhpfep.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 3044 oqdxadvjiapbnqr.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 2668 qlizuhzz.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2776 dexrapzpbvoij.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
- 2548 qlizuhzz.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 2756 WINWORD.EXE
- 2756 WINWORD.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (description, source process, target process):
- PID 2988 wrote to memory of 2796: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> ftreqhpfep.exe
- PID 2988 wrote to memory of 2796: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> ftreqhpfep.exe
- PID 2988 wrote to memory of 2796: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> ftreqhpfep.exe
- PID 2988 wrote to memory of 2796: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> ftreqhpfep.exe
- PID 2988 wrote to memory of 3044: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> oqdxadvjiapbnqr.exe
- PID 2988 wrote to memory of 3044: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> oqdxadvjiapbnqr.exe
- PID 2988 wrote to memory of 3044: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> oqdxadvjiapbnqr.exe
- PID 2988 wrote to memory of 3044: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> oqdxadvjiapbnqr.exe
- PID 2988 wrote to memory of 2668: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> qlizuhzz.exe
- PID 2988 wrote to memory of 2668: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> qlizuhzz.exe
- PID 2988 wrote to memory of 2668: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> qlizuhzz.exe
- PID 2988 wrote to memory of 2668: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> qlizuhzz.exe
- PID 2988 wrote to memory of 2776: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> dexrapzpbvoij.exe
- PID 2988 wrote to memory of 2776: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> dexrapzpbvoij.exe
- PID 2988 wrote to memory of 2776: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> dexrapzpbvoij.exe
- PID 2988 wrote to memory of 2776: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> dexrapzpbvoij.exe
- PID 2796 wrote to memory of 2548: ftreqhpfep.exe -> qlizuhzz.exe
- PID 2796 wrote to memory of 2548: ftreqhpfep.exe -> qlizuhzz.exe
- PID 2796 wrote to memory of 2548: ftreqhpfep.exe -> qlizuhzz.exe
- PID 2796 wrote to memory of 2548: ftreqhpfep.exe -> qlizuhzz.exe
- PID 2988 wrote to memory of 2756: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> WINWORD.EXE
- PID 2988 wrote to memory of 2756: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> WINWORD.EXE
- PID 2988 wrote to memory of 2756: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> WINWORD.EXE
- PID 2988 wrote to memory of 2756: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe -> WINWORD.EXE
- PID 2756 wrote to memory of 584: WINWORD.EXE -> splwow64.exe
- PID 2756 wrote to memory of 584: WINWORD.EXE -> splwow64.exe
- PID 2756 wrote to memory of 584: WINWORD.EXE -> splwow64.exe
- PID 2756 wrote to memory of 584: WINWORD.EXE -> splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2988
  C:\Windows\SysWOW64\ftreqhpfep.exe (depth 2, parent PID 2988)
  Command line: ftreqhpfep.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2796
    C:\Windows\SysWOW64\qlizuhzz.exe (depth 3, parent PID 2796)
    Command line: C:\Windows\system32\qlizuhzz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2548
  C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe (depth 2, parent PID 2988)
  Command line: oqdxadvjiapbnqr.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3044
  C:\Windows\SysWOW64\qlizuhzz.exe (depth 2, parent PID 2988)
  Command line: qlizuhzz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2668
  C:\Windows\SysWOW64\dexrapzpbvoij.exe (depth 2, parent PID 2988)
  Command line: dexrapzpbvoij.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2776
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2, parent PID 2988)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2756
    C:\Windows\splwow64.exe (depth 3, parent PID 2756)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 584
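The process tree above has two shapes worth turning into detection logic: a binary run from the user's Temp directory spawning executables with random-looking names out of SysWOW64 (including one grandchild, 2796 spawning 2548), and WINWORD.EXE being launched by that same Temp binary on a document planted in C:\Windows, which is a decoy shown to the victim while the dropped copies run. The script below is an added example and not part of the sandbox report or its tooling; it runs the two checks over constructed process-creation events that mirror the tree, with a benign Word launch from explorer.exe as a control. The KNOWN_SYSTEM_BINARIES allowlist, the explorer.exe parent and the PPIDs 1 and 1500 are assumptions for the example. Note that the image path is the post-WoW64 path (2548 was requested as C:\Windows\system32\qlizuhzz.exe but runs from SysWOW64), so the rule keys on the image, not the command line.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style), constructed for this example."""
    pid: int
    ppid: int
    image: str    # full image path as the kernel reports it (after WoW64 redirection)
    cmdline: str  # command line as passed by the parent


# Constructed sample events modelled on the sandbox process tree above (not sandbox output).
# PPIDs 1 and 1500 and the explorer.exe launch are assumptions for the example.
EVENTS = [
    ProcEvent(1500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2988, 1500, r"C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe"'),
    ProcEvent(2796, 2988, r"C:\Windows\SysWOW64\ftreqhpfep.exe", "ftreqhpfep.exe"),
    ProcEvent(2548, 2796, r"C:\Windows\SysWOW64\qlizuhzz.exe", r"C:\Windows\system32\qlizuhzz.exe"),
    ProcEvent(3044, 2988, r"C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe", "oqdxadvjiapbnqr.exe"),
    ProcEvent(2668, 2988, r"C:\Windows\SysWOW64\qlizuhzz.exe", "qlizuhzz.exe"),
    ProcEvent(2776, 2988, r"C:\Windows\SysWOW64\dexrapzpbvoij.exe", "dexrapzpbvoij.exe"),
    ProcEvent(2756, 2988, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"'),
    ProcEvent(584, 2756, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    # Benign control: the shell opening Word on a document inside the user's profile.
    ProcEvent(4100, 1500, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\report.docx"'),
]

# Directories an unprivileged user can write to, and the two system directories this
# sample drops into. Plain strings because a raw string cannot end in a backslash.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed allowlist for the example. In production derive it from a baseline of the
# host (signed Microsoft binaries present on a clean image), not from a hand-kept list.
KNOWN_SYSTEM_BINARIES = {
    "cmd.exe", "conhost.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "powershell.exe", "splwow64.exe",
}

DOC_ARG = re.compile(r'/n\s+"([^"]+)"', re.IGNORECASE)  # the document Word was told to open


def is_user_writable(image: str) -> bool:
    return image.lower().startswith(USER_WRITABLE_PREFIXES)


def is_unknown_system_binary(image: str) -> bool:
    low = image.lower()
    return low.startswith(SYSTEM_DIR_PREFIXES) and ntpath.basename(low) not in KNOWN_SYSTEM_BINARIES


def find_dropped_system_binaries(events):
    """PIDs of unknown System32/SysWOW64 images whose parent is user-writable or itself flagged."""
    by_pid = {e.pid: e for e in events}
    flagged = set()
    changed = True
    while changed:  # iterate so grandchildren (2796 -> 2548) are caught whatever the event order
        changed = False
        for e in events:
            if e.pid in flagged or not is_unknown_system_binary(e.image):
                continue
            parent = by_pid.get(e.ppid)
            if parent and (is_user_writable(parent.image) or parent.pid in flagged):
                flagged.add(e.pid)
                changed = True
    return flagged


def find_decoy_office_launches(events):
    """PIDs of WINWORD.EXE started by something other than the shell on a document under C:\\Windows."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        if ntpath.basename(e.image).lower() != "winword.exe":
            continue
        parent = by_pid.get(e.ppid)
        parent_name = ntpath.basename(parent.image).lower() if parent else ""
        m = DOC_ARG.search(e.cmdline)
        doc = m.group(1).lower() if m else ""
        if parent_name != "explorer.exe" and doc.startswith("c:\\windows\\"):
            hits.add(e.pid)
    return hits


if __name__ == "__main__":
    for pid in sorted(find_dropped_system_binaries(EVENTS)):
        print(f"unknown system-directory binary from user-writable lineage: pid {pid}")
    for pid in sorted(find_decoy_office_launches(EVENTS)):
        print(f"decoy document launch: pid {pid}")
```

Over the constructed events the first rule flags 2796, 2548, 3044, 2668 and 2776 and the second flags only 2756; the explorer-launched Word instance and splwow64.exe (a legitimate child of 32-bit Word on a 64-bit host) are not flagged. The parent-lineage condition is what keeps the first rule quiet on hosts where users legitimately run tools from System32.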
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
- Modify Registry (T1112): 7
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 20KB
MD5: 7829759a6b33e8e5f340bc1c33e9185b
SHA1: e2ca4bd79147afb93728a22bf9942106fb32d5df
SHA256: d9126b4bd28a83105833eda9ecd8b0074dcabce290cdccfdb3227b1b7f62eed5
SHA512: 310692661637a07f63ebe5c435d90a357974efbbeac76a49dc4f3255444ee4a783d1c95bab60bc57321f7a4369485dc9abfaf80a4a4dd15b60d94a38f170ff7a
-
C:\Users\Admin\Documents\CompleteFind.doc.exe
Filesize: 512KB
MD5: 4523f03bb852f13b0b1a4e05b8534b8c
SHA1: cb7cabb6c14fc5c7ab5fa2257f14aced106f0d6d
SHA256: 90e8afae202265c73f094be06e19f5c0fe2aeab35e212782d4c7dfdb74ab3a73
SHA512: 5bc170592f68373a2ae7d642df892d39e8279a64c49394836cdf349ae2b68bccd4e1140c21ec4287f7336d41bc509e3ac28d7a17dd404ac900250dbdbf929baf
-
C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe
Filesize: 512KB
MD5: 01d37b213c4d933a70d1da8bb0d4ff23
SHA1: 8ef3366a7ee35844830af7529c0ed3c6488f98dd
SHA256: 254499db5f7ec0b70562088b9bc9631e2b9552151faffa51ddd447dbec15172e
SHA512: 22810fa0b2e879b92a40f51cef0dc936d5ad3afb4725fd2af2ebe901d3df9d1c7c79ae2c2cba0e5d46c043e87b85e2ab5ad94ce612b55ef89d3faccece968ef0
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\dexrapzpbvoij.exe
Filesize: 512KB
MD5: d290dc3bc45356ec34ccca46546c42dc
SHA1: 1b79c71078ee4104d0bd33f2d5aa13e5b52abdf9
SHA256: dfd3487df1a80619dd930fcdc4b8053956d690714b223794f71b006803c644ba
SHA512: b07179325887d51420aa28dbf466f79029eba81d633a100e3fdc4079ae9c0b90421c55f6757afd882f25707237d81dcc95a2fa8a662f21bff995fb137b0d5e0d
-
\Windows\SysWOW64\ftreqhpfep.exe
Filesize: 512KB
MD5: 95a50fb50319ba0cb4040a8d447d2970
SHA1: f622015dcdfe78d678070d005da54cfa90f8c867
SHA256: d3905f673c5a1f5a04b89533d9951159fb69e2e3188cf3722ab23f7d8ad0dc00
SHA512: 03b0015927b8b736dc98d88b037fb096e1760655c9c9e0fb2377f68a118d88cbbd8ff5c31312d718cf6f7671991efcdae35e1c11b1d3451fd388d7d7ba514d65
-
\Windows\SysWOW64\qlizuhzz.exe
Filesize: 512KB
MD5: 69ef16e4c7af522a03d6cdbcbb3e07a9
SHA1: 1c0d1f6b60cbe371cc3c95f3ea23ecb53b462793
SHA256: 73d2dc81f8f8f148707890dd6ab443a705e4ead66d50bf82b49ea931dfde20d5
SHA512: bdcf2a6f024a9c569e48992608977c400b371a85e243dae15f0cbb73feeb67dc632fef4b65d2b552dc09e540ffd05a65fa1cc701caf35855cb7c7615e37b3d2f
-
memory/2756-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2756-107-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2988-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB
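Two things in the dropped-file list matter for a host sweep. Every dropped executable is the same 512KB as the sample but carries a different hash, so the hashes will find this exact run and little else; and CompleteFind.doc.exe in the user's Documents folder is a document name with an executable tacked on, a pattern that survives re-packing. The script below is an added example, not part of the sandbox report or its tooling: it carries the SHA256 values from the list above as an IOC set (Normal.dotm is deliberately left out, since Word rewrites its global template on every run and its hash is not an indicator), hashes every file under a directory, and flags both known-bad hashes and document-plus-executable double extensions. The demo_scan function builds a throwaway directory of constructed files, including a planted file whose hash is added to the IOC set for the example, so the run is self-contained; the extension sets and file names in it are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values taken from the dropped-file list above, keyed to the file name the
# sandbox reported. Normal.dotm is omitted on purpose (see the lead-in).
DROPPED_FILE_SHA256 = {
    "90e8afae202265c73f094be06e19f5c0fe2aeab35e212782d4c7dfdb74ab3a73": "CompleteFind.doc.exe",
    "254499db5f7ec0b70562088b9bc9631e2b9552151faffa51ddd447dbec15172e": "oqdxadvjiapbnqr.exe",
    "dfd3487df1a80619dd930fcdc4b8053956d690714b223794f71b006803c644ba": "dexrapzpbvoij.exe",
    "d3905f673c5a1f5a04b89533d9951159fb69e2e3188cf3722ab23f7d8ad0dc00": "ftreqhpfep.exe",
    "73d2dc81f8f8f148707890dd6ab443a705e4ead66d50bf82b49ea931dfde20d5": "qlizuhzz.exe",
    "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2": "mydoc.rtf",
}

# Assumed extension sets for the double-extension check.
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def sha256_file(path) -> str:
    """Stream the file through SHA256 in 1MiB chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_double_extension(name: str) -> bool:
    """True for names such as CompleteFind.doc.exe: a document suffix in front of an executable one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS


def scan_tree(root, iocs=DROPPED_FILE_SHA256):
    """Walk root; return (hash matches, double-extension names), each sorted by file name."""
    hash_matches, double_exts = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if is_double_extension(name):
                double_exts.append(name)
            if sha256_file(os.path.join(dirpath, name)) in iocs:
                hash_matches.append(name)
    return sorted(hash_matches), sorted(double_exts)


def demo_scan():
    """Scan a temporary directory of constructed files and return the findings as a dict."""
    planted = b"constructed stand-in for a dropped binary\n"  # not the real sample's bytes
    iocs = dict(DROPPED_FILE_SHA256)
    iocs[hashlib.sha256(planted).hexdigest()] = "planted.bin"  # simulate a hash we know to be bad
    with tempfile.TemporaryDirectory() as root:
        Path(root, "planted.bin").write_bytes(planted)
        Path(root, "CompleteFind.doc.exe").write_bytes(b"MZ constructed placeholder\n")
        Path(root, "report.docx").write_bytes(b"benign placeholder\n")
        hash_matches, double_exts = scan_tree(root, iocs)
    return {"hash_matches": hash_matches, "double_extensions": double_exts}


if __name__ == "__main__":
    print(demo_scan())
```

In the demo only planted.bin matches by hash (the constructed CompleteFind.doc.exe has different bytes from the dropped one, which is exactly the point about per-copy hashes), while the name check still catches it. On a real host, pair the hash sweep with a walk of the Windows, SysWOW64 and Documents directories and look for 512KB executables with random-looking names next to the known-bad hashes.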