Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
Size: 512KB
MD5: 6f73e343387eeedc27f087584c17d4af
SHA1: 46d842363f7000691c5764fcc538f843d373262e
SHA256: 4bd934558dd6db79cbfa70506f1ed70184dddc9ff7d7fe6a176ec7d466285307
SHA512: bc5f4d2c2c7980202eecdc0eab3e7ac39191bacc117968c9461395f308298193dca224ec40a41bc7b9452231ece65d69c9fa9cb62ec30d10a822cf9fc5988542
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: jabcyybezz.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jabcyybezz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: jabcyybezz.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jabcyybezz.exe
Windows security bypass
Processes: jabcyybezz.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jabcyybezz.exe
Disables RegEdit via registry modification 1 IoCs
Processes: jabcyybezz.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jabcyybezz.exe
Executes dropped EXE 5 IoCs
Processes: jabcyybezz.exe, zghslicptnznvag.exe, jdbzsmgg.exe, byszhrxlqvwmz.exe, jdbzsmgg.exe
pid | process
- 2736 | jabcyybezz.exe
- 2796 | zghslicptnznvag.exe
- 2600 | jdbzsmgg.exe
- 1252 | byszhrxlqvwmz.exe
- 2208 | jdbzsmgg.exe
Loads dropped DLL 5 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, jabcyybezz.exe
pid | process
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 2736 | jabcyybezz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: jabcyybezz.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jabcyybezz.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: zghslicptnznvag.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rwaudkzv = "jabcyybezz.exe" | zghslicptnznvag.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zckvnufy = "zghslicptnznvag.exe" | zghslicptnznvag.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "byszhrxlqvwmz.exe" | zghslicptnznvag.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: jdbzsmgg.exe, jabcyybezz.exe, jdbzsmgg.exe
description | ioc | process
- File opened (read-only) | \??\p: | jdbzsmgg.exe
- File opened (read-only) | \??\t: | jdbzsmgg.exe
- File opened (read-only) | \??\h: | jabcyybezz.exe
- File opened (read-only) | \??\j: | jabcyybezz.exe
- File opened (read-only) | \??\h: | jdbzsmgg.exe
- File opened (read-only) | \??\v: | jdbzsmgg.exe
- File opened (read-only) | \??\a: | jdbzsmgg.exe
- File opened (read-only) | \??\e: | jdbzsmgg.exe
- File opened (read-only) | \??\g: | jabcyybezz.exe
- File opened (read-only) | \??\o: | jabcyybezz.exe
- File opened (read-only) | \??\i: | jdbzsmgg.exe
- File opened (read-only) | \??\k: | jdbzsmgg.exe
- File opened (read-only) | \??\s: | jdbzsmgg.exe
- File opened (read-only) | \??\l: | jdbzsmgg.exe
- File opened (read-only) | \??\q: | jdbzsmgg.exe
- File opened (read-only) | \??\z: | jdbzsmgg.exe
- File opened (read-only) | \??\x: | jabcyybezz.exe
- File opened (read-only) | \??\y: | jabcyybezz.exe
- File opened (read-only) | \??\a: | jdbzsmgg.exe
- File opened (read-only) | \??\w: | jdbzsmgg.exe
- File opened (read-only) | \??\j: | jdbzsmgg.exe
- File opened (read-only) | \??\r: | jabcyybezz.exe
- File opened (read-only) | \??\s: | jabcyybezz.exe
- File opened (read-only) | \??\j: | jdbzsmgg.exe
- File opened (read-only) | \??\p: | jdbzsmgg.exe
- File opened (read-only) | \??\b: | jdbzsmgg.exe
- File opened (read-only) | \??\h: | jdbzsmgg.exe
- File opened (read-only) | \??\u: | jdbzsmgg.exe
- File opened (read-only) | \??\p: | jabcyybezz.exe
- File opened (read-only) | \??\u: | jabcyybezz.exe
- File opened (read-only) | \??\b: | jdbzsmgg.exe
- File opened (read-only) | \??\e: | jdbzsmgg.exe
- File opened (read-only) | \??\g: | jdbzsmgg.exe
- File opened (read-only) | \??\k: | jabcyybezz.exe
- File opened (read-only) | \??\l: | jabcyybezz.exe
- File opened (read-only) | \??\z: | jabcyybezz.exe
- File opened (read-only) | \??\n: | jdbzsmgg.exe
- File opened (read-only) | \??\q: | jdbzsmgg.exe
- File opened (read-only) | \??\r: | jdbzsmgg.exe
- File opened (read-only) | \??\t: | jdbzsmgg.exe
- File opened (read-only) | \??\z: | jdbzsmgg.exe
- File opened (read-only) | \??\r: | jdbzsmgg.exe
- File opened (read-only) | \??\y: | jdbzsmgg.exe
- File opened (read-only) | \??\n: | jabcyybezz.exe
- File opened (read-only) | \??\x: | jdbzsmgg.exe
- File opened (read-only) | \??\u: | jdbzsmgg.exe
- File opened (read-only) | \??\k: | jdbzsmgg.exe
- File opened (read-only) | \??\m: | jdbzsmgg.exe
- File opened (read-only) | \??\s: | jdbzsmgg.exe
- File opened (read-only) | \??\b: | jabcyybezz.exe
- File opened (read-only) | \??\t: | jabcyybezz.exe
- File opened (read-only) | \??\q: | jabcyybezz.exe
- File opened (read-only) | \??\i: | jdbzsmgg.exe
- File opened (read-only) | \??\n: | jdbzsmgg.exe
- File opened (read-only) | \??\y: | jdbzsmgg.exe
- File opened (read-only) | \??\o: | jdbzsmgg.exe
- File opened (read-only) | \??\w: | jdbzsmgg.exe
- File opened (read-only) | \??\i: | jabcyybezz.exe
- File opened (read-only) | \??\g: | jdbzsmgg.exe
- File opened (read-only) | \??\a: | jabcyybezz.exe
- File opened (read-only) | \??\e: | jabcyybezz.exe
- File opened (read-only) | \??\l: | jdbzsmgg.exe
- File opened (read-only) | \??\w: | jabcyybezz.exe
- File opened (read-only) | \??\o: | jdbzsmgg.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: jabcyybezz.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jabcyybezz.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jabcyybezz.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
- behavioral1/memory/1924-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- C:\Windows\SysWOW64\jdbzsmgg.exe | autoit_exe
- \Windows\SysWOW64\jabcyybezz.exe | autoit_exe
- \Windows\SysWOW64\zghslicptnznvag.exe | autoit_exe
- C:\Windows\SysWOW64\byszhrxlqvwmz.exe | autoit_exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | autoit_exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
- C:\Users\Admin\Downloads\SendShow.doc.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, jabcyybezz.exe
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\jabcyybezz.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\zghslicptnznvag.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\byszhrxlqvwmz.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jabcyybezz.exe
- File created | C:\Windows\SysWOW64\jabcyybezz.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\zghslicptnznvag.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\jdbzsmgg.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\jdbzsmgg.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\byszhrxlqvwmz.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes: jdbzsmgg.exe, jdbzsmgg.exe
description | ioc | process
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jdbzsmgg.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | jdbzsmgg.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jdbzsmgg.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jdbzsmgg.exe
- File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jdbzsmgg.exe
- File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jdbzsmgg.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | jdbzsmgg.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jdbzsmgg.exe
Drops file in Windows directory 5 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
- File opened for modification | C:\Windows\mydoc.rtf | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Processes: WINWORD.EXE
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Modifies registry class 64 IoCs
Processes: jabcyybezz.exe, WINWORD.EXE, 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | jabcyybezz.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | jabcyybezz.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | jabcyybezz.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | jabcyybezz.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C799C5283256D3577A070242CDB7C8465AA" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | jabcyybezz.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | jabcyybezz.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
- 2540 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, zghslicptnznvag.exe, jabcyybezz.exe, byszhrxlqvwmz.exe, jdbzsmgg.exe, jdbzsmgg.exe
pid | process
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2796 | zghslicptnznvag.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, zghslicptnznvag.exe, jabcyybezz.exe, byszhrxlqvwmz.exe, jdbzsmgg.exe, jdbzsmgg.exe
pid | process
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, zghslicptnznvag.exe, jabcyybezz.exe, byszhrxlqvwmz.exe, jdbzsmgg.exe, jdbzsmgg.exe
pid | process
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2796 | zghslicptnznvag.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 2736 | jabcyybezz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 1252 | byszhrxlqvwmz.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2600 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
- 2208 | jdbzsmgg.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
- 2540 | WINWORD.EXE
- 2540 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, jabcyybezz.exe, WINWORD.EXE
description | pid | process | target process
- PID 1924 wrote to memory of 2736 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jabcyybezz.exe
- PID 1924 wrote to memory of 2736 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jabcyybezz.exe
- PID 1924 wrote to memory of 2736 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jabcyybezz.exe
- PID 1924 wrote to memory of 2736 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jabcyybezz.exe
- PID 1924 wrote to memory of 2796 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | zghslicptnznvag.exe
- PID 1924 wrote to memory of 2796 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | zghslicptnznvag.exe
- PID 1924 wrote to memory of 2796 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | zghslicptnznvag.exe
- PID 1924 wrote to memory of 2796 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | zghslicptnznvag.exe
- PID 1924 wrote to memory of 2600 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jdbzsmgg.exe
- PID 1924 wrote to memory of 2600 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jdbzsmgg.exe
- PID 1924 wrote to memory of 2600 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jdbzsmgg.exe
- PID 1924 wrote to memory of 2600 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | jdbzsmgg.exe
- PID 1924 wrote to memory of 1252 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | byszhrxlqvwmz.exe
- PID 1924 wrote to memory of 1252 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | byszhrxlqvwmz.exe
- PID 1924 wrote to memory of 1252 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | byszhrxlqvwmz.exe
- PID 1924 wrote to memory of 1252 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | byszhrxlqvwmz.exe
- PID 2736 wrote to memory of 2208 | 2736 | jabcyybezz.exe | jdbzsmgg.exe
- PID 2736 wrote to memory of 2208 | 2736 | jabcyybezz.exe | jdbzsmgg.exe
- PID 2736 wrote to memory of 2208 | 2736 | jabcyybezz.exe | jdbzsmgg.exe
- PID 2736 wrote to memory of 2208 | 2736 | jabcyybezz.exe | jdbzsmgg.exe
- PID 1924 wrote to memory of 2540 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | WINWORD.EXE
- PID 1924 wrote to memory of 2540 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | WINWORD.EXE
- PID 1924 wrote to memory of 2540 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | WINWORD.EXE
- PID 1924 wrote to memory of 2540 | 1924 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | WINWORD.EXE
- PID 2540 wrote to memory of 2020 | 2540 | WINWORD.EXE | splwow64.exe
- PID 2540 wrote to memory of 2020 | 2540 | WINWORD.EXE | splwow64.exe
- PID 2540 wrote to memory of 2020 | 2540 | WINWORD.EXE | splwow64.exe
- PID 2540 wrote to memory of 2020 | 2540 | WINWORD.EXE | splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\jabcyybezz.exejabcyybezz.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2736
C:\Windows\SysWOW64\jdbzsmgg.exe (level 3)
Command line: C:\Windows\system32\jdbzsmgg.exe (the system32 path is redirected to SysWOW64 for this 32-bit process)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2208
C:\Windows\SysWOW64\zghslicptnznvag.exe (level 2)
Command line: zghslicptnznvag.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2796
C:\Windows\SysWOW64\jdbzsmgg.exe (level 2)
Command line: jdbzsmgg.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2600
C:\Windows\SysWOW64\byszhrxlqvwmz.exe (level 2)
Command line: byszhrxlqvwmz.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1252
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2540
C:\Windows\splwow64.exe (level 3)
Command line: C:\Windows\splwow64.exe 12288
PID: 2020
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures after each entry)
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
- Modify Registry (T1112): 7
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: 066d64b79348c509a651935154cade5b
SHA1: 6ff0086a2df50e648e7dda4030eba678eb2e9045
SHA256: 7525072b43ab3ca545551cb517bfa1db0df72f03d9a1236778fe31a391de1c7c
SHA512: 76908ec171e93dbe4fb3a277f7fc3974e8263eedf8d5d0652005c9d1057f3698f5ffea166eb766eb1c43d8a4f2ce485161790ff44ed81708a17b17f6289bdc2c
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: dc167958ed5281f6c06f4138a4eb9fbe
SHA1: 3c5a3d7021225539292054404b1a9a770010be73
SHA256: 5d388530df0beaf69a464b72818f232918d4a10697101666e788e851d4007e5e
SHA512: 678d2eaa4193ed54ff22a676c0f1176edf745e46d6a0321609ccbe73dd69a209d47da30afb020d97b52898844b721f525542649eb807425441cf6d0667f33cc0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 20KB
MD5: 3bfbf2cb2fbbf0b01a1a58b2dc8e2cc1
SHA1: 0610e03a472353036b4a5999c6e186ef3225cabd
SHA256: b9664dd15be4faba48bf2f544773bd64fa5d6f8685690de7bc26724ecd2589b0
SHA512: 30b32b90ffd9a4c6436c90158a049cc41bd8f346bcfb322082c23407e30a8b0ce9ea9cbb91c565f2479c793b6a744974163afc6c9d740a0612ca8e57768da7e3
-
C:\Users\Admin\Downloads\SendShow.doc.exe
Filesize: 512KB
MD5: 84bac35f0b62ac7c50c7563c4a5154b8
SHA1: 1d7acee9bf344f8b1d5fdf1fce9dd4890d79d55f
SHA256: 4c127629dc3edf15d23db316fcd898a9479fe3cace33e0c5ac96e6e582236444
SHA512: 5c5c186bb7a15f518872066a05c287e2195147f7ed4ebb510e380a36ca835848026ca1ad9c8f05f4d070577641e86e5066387b3900da0bcc42c3af69c7c572e9
-
C:\Windows\SysWOW64\byszhrxlqvwmz.exe
Filesize: 512KB
MD5: 69c2c51f8cfeac1b55ebf6e896a72ea7
SHA1: 899ff8ce08a4a3389f19ab70fe1ee28bb87e3b8f
SHA256: bcde0f70eee835f68a94079c14d80c15cbd004d72c05aa0a975fb56412576abc
SHA512: 0df5c24c8f44e9c27789e43f30499c591cfca106ce8b9cb7e60175af5b97a2f168d7d1c782c56a1dedad35b248a9b983d9ffb4ab27605e9b8d7bd4734ec59144
-
C:\Windows\SysWOW64\jdbzsmgg.exe
Filesize: 512KB
MD5: a82425ddf5aebe757d17f5be9bc8c673
SHA1: 489e8eddf72f974bc09be2a1e05ccda6f8471144
SHA256: 2057e222190ce4f1a9ef7963dfa9ebab8c2e019b9a15e63097e5b6f52c729baa
SHA512: c8af8bd19c7744aafd3c674a5e22b693e806b5cb54cfe0facc45015b8d913792476894e58c7f70869cae143880ae19e69692b3e5fc6be0073351b81282f4c9b4
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\jabcyybezz.exe
Filesize: 512KB
MD5: 37d774fc9d6627616e462c8064b70117
SHA1: 5ef3a9c34fa19c12d35aa1b6c5877bc463585bbf
SHA256: 3838c90fc06f6cbaaa52ea6e77f6720393cb5d6a53fd536960d65c9d2d218709
SHA512: 8ae825181c38f6a9096b99519958127e01617c6800e4e31cf06ad28dcbe6dbd9b7ed59202b82e7fe6209f2653751d43ab9b5f83f293bceccdb35c6f3ff155db0
-
\Windows\SysWOW64\zghslicptnznvag.exe
Filesize: 512KB
MD5: c31e673c2988cedc91c588ef5b7f239b
SHA1: 9dbec2188949441e1e5db55c18bee70fd5aa263b
SHA256: e56678303c5aca3742f2a74bb93e2c3eebf3fa71d3527deaa2d554a4a9390ac8
SHA512: 1a4b7975c8df8740b6550b8856792cb1ee919e479ba02ec0fb14232429eed39fcb62ab8e31cc2c90a661e74163aa28a3eb80e66c67bb2e2e5d59740f8bea96da
-
memory/1924-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB
-
memory/2540-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2540-110-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB