2067e8ef3a46dd711c231372b35bc2775b870012777c37544e62d6fc6ef8d115

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
Size

512KB
MD5

b2e1db013678c51310ed9b586acb8699
SHA1

b83b1c31034f829474b073bec1818a5d4afb18cd
SHA256

2067e8ef3a46dd711c231372b35bc2775b870012777c37544e62d6fc6ef8d115
SHA512

f79c3c2c2994638011e71cd55a80f85ef4570d5dccb1b6321779cb0e6f4ad662bae498c85ccdb8136b6aaf8a9ca445cfb9482df6f13f839bf1ee86b94d3968b3
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ksekaagibg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ksekaagibg.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ksekaagibg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ksekaagibg.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2256	ksekaagibg.exe
2676	wewajirzxdaraya.exe
2568	zcantemt.exe
2468	qhytpolixjywi.exe
2484	zcantemt.exe

Loads dropped DLL 5 IoCs

pid	Process
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2256	ksekaagibg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ksekaagibg.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reyamlms = "ksekaagibg.exe"	wewajirzxdaraya.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vducyczo = "wewajirzxdaraya.exe"	wewajirzxdaraya.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qhytpolixjywi.exe"	wewajirzxdaraya.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	zcantemt.exe
File opened (read-only)	\??\b:	ksekaagibg.exe
File opened (read-only)	\??\t:	ksekaagibg.exe
File opened (read-only)	\??\k:	zcantemt.exe
File opened (read-only)	\??\w:	ksekaagibg.exe
File opened (read-only)	\??\i:	zcantemt.exe
File opened (read-only)	\??\s:	zcantemt.exe
File opened (read-only)	\??\y:	zcantemt.exe
File opened (read-only)	\??\g:	zcantemt.exe
File opened (read-only)	\??\a:	ksekaagibg.exe
File opened (read-only)	\??\v:	ksekaagibg.exe
File opened (read-only)	\??\y:	zcantemt.exe
File opened (read-only)	\??\h:	ksekaagibg.exe
File opened (read-only)	\??\o:	ksekaagibg.exe
File opened (read-only)	\??\q:	zcantemt.exe
File opened (read-only)	\??\t:	zcantemt.exe
File opened (read-only)	\??\w:	zcantemt.exe
File opened (read-only)	\??\m:	ksekaagibg.exe
File opened (read-only)	\??\s:	ksekaagibg.exe
File opened (read-only)	\??\x:	ksekaagibg.exe
File opened (read-only)	\??\p:	zcantemt.exe
File opened (read-only)	\??\i:	zcantemt.exe
File opened (read-only)	\??\l:	zcantemt.exe
File opened (read-only)	\??\g:	ksekaagibg.exe
File opened (read-only)	\??\e:	zcantemt.exe
File opened (read-only)	\??\x:	zcantemt.exe
File opened (read-only)	\??\o:	zcantemt.exe
File opened (read-only)	\??\z:	zcantemt.exe
File opened (read-only)	\??\g:	zcantemt.exe
File opened (read-only)	\??\z:	ksekaagibg.exe
File opened (read-only)	\??\a:	zcantemt.exe
File opened (read-only)	\??\e:	zcantemt.exe
File opened (read-only)	\??\l:	ksekaagibg.exe
File opened (read-only)	\??\o:	zcantemt.exe
File opened (read-only)	\??\z:	zcantemt.exe
File opened (read-only)	\??\i:	ksekaagibg.exe
File opened (read-only)	\??\j:	ksekaagibg.exe
File opened (read-only)	\??\q:	ksekaagibg.exe
File opened (read-only)	\??\m:	zcantemt.exe
File opened (read-only)	\??\q:	zcantemt.exe
File opened (read-only)	\??\u:	zcantemt.exe
File opened (read-only)	\??\k:	ksekaagibg.exe
File opened (read-only)	\??\u:	ksekaagibg.exe
File opened (read-only)	\??\p:	ksekaagibg.exe
File opened (read-only)	\??\h:	zcantemt.exe
File opened (read-only)	\??\n:	zcantemt.exe
File opened (read-only)	\??\r:	zcantemt.exe
File opened (read-only)	\??\s:	zcantemt.exe
File opened (read-only)	\??\v:	zcantemt.exe
File opened (read-only)	\??\e:	ksekaagibg.exe
File opened (read-only)	\??\j:	zcantemt.exe
File opened (read-only)	\??\m:	zcantemt.exe
File opened (read-only)	\??\p:	zcantemt.exe
File opened (read-only)	\??\t:	zcantemt.exe
File opened (read-only)	\??\b:	zcantemt.exe
File opened (read-only)	\??\a:	zcantemt.exe
File opened (read-only)	\??\j:	zcantemt.exe
File opened (read-only)	\??\r:	ksekaagibg.exe
File opened (read-only)	\??\w:	zcantemt.exe
File opened (read-only)	\??\l:	zcantemt.exe
File opened (read-only)	\??\y:	ksekaagibg.exe
File opened (read-only)	\??\b:	zcantemt.exe
File opened (read-only)	\??\x:	zcantemt.exe
File opened (read-only)	\??\n:	ksekaagibg.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ksekaagibg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ksekaagibg.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0033000000013a3d-5.dat	autoit_exe
behavioral1/files/0x000d00000001231a-17.dat	autoit_exe
behavioral1/files/0x0033000000013a7c-29.dat	autoit_exe
behavioral1/files/0x000f000000013f21-33.dat	autoit_exe
behavioral1/files/0x00060000000155e3-74.dat	autoit_exe
behavioral1/files/0x00060000000153cf-66.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zcantemt.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zcantemt.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ksekaagibg.exe
File opened for modification	C:\Windows\SysWOW64\ksekaagibg.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wewajirzxdaraya.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\qhytpolixjywi.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qhytpolixjywi.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksekaagibg.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wewajirzxdaraya.exe	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	zcantemt.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zcantemt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zcantemt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zcantemt.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zcantemt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	zcantemt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zcantemt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	zcantemt.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ksekaagibg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF8F4F29826E9047D7287DE0BDE4E6435936664E6242D79D"	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B12947EF39EC52CABAD73298D4BB"	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	ksekaagibg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	ksekaagibg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2464	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2568	zcantemt.exe
2568	zcantemt.exe
2568	zcantemt.exe
2568	zcantemt.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2484	zcantemt.exe
2484	zcantemt.exe
2484	zcantemt.exe
2484	zcantemt.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe
Token: SeShutdownPrivilege	2424	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2568	zcantemt.exe
2568	zcantemt.exe
2568	zcantemt.exe
2484	zcantemt.exe
2484	zcantemt.exe
2484	zcantemt.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2256	ksekaagibg.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2676	wewajirzxdaraya.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2468	qhytpolixjywi.exe
2568	zcantemt.exe
2568	zcantemt.exe
2568	zcantemt.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2464	WINWORD.EXE
2464	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2256	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2256	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2256	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2256	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2676	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2676	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2676	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2676	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2568	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2568	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2568	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2568	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2468	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	31
PID 2412 wrote to memory of 2468	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	31
PID 2412 wrote to memory of 2468	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	31
PID 2412 wrote to memory of 2468	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	31
PID 2256 wrote to memory of 2484	2256	ksekaagibg.exe	32
PID 2256 wrote to memory of 2484	2256	ksekaagibg.exe	32
PID 2256 wrote to memory of 2484	2256	ksekaagibg.exe	32
PID 2256 wrote to memory of 2484	2256	ksekaagibg.exe	32
PID 2412 wrote to memory of 2464	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	33
PID 2412 wrote to memory of 2464	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	33
PID 2412 wrote to memory of 2464	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	33
PID 2412 wrote to memory of 2464	2412	b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2e1db013678c51310ed9b586acb8699_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\ksekaagibg.exe
  ksekaagibg.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\zcantemt.exe
    C:\Windows\system32\zcantemt.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2484
- C:\Windows\SysWOW64\wewajirzxdaraya.exe
  wewajirzxdaraya.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2676
- C:\Windows\SysWOW64\zcantemt.exe
  zcantemt.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2568
- C:\Windows\SysWOW64\qhytpolixjywi.exe
  qhytpolixjywi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2468
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
8a8d5c14d579599aab21f1df1fcd571b

SHA1
9678ff64aba7fb39d0968656ff369f8df6b17032

SHA256
f6b8f2b56828e2fa1318c65b069ffd5eed27be193dec43c6e61999604e2d5497

SHA512
75c1d919e4bda8560e4b24a683ad040e8791eef207a511fe987d891860aa1e463c6c5e60a89d4d4f88a83eb7cf86f6c01ff4bafefac1476bd1cf6dbc5bae2dfc

Download Submit
C:\Windows\SysWOW64\wewajirzxdaraya.exe

Filesize
512KB

MD5
4632d5ba9d6600a18984986835017c18

SHA1
8a4b453d9501fed6aab25186c18af0520f5000fd

SHA256
b277dec853f6e5ebbb0658eb8d4692b5995cc603d5533435e121a2f6345335d1

SHA512
74f67f0393466cb0a5b1e844badcdd0cb5c4e3a956f0aea30764bbbe95678556b6d077a27a77d1cb179966e0f4ac61294542f51bb3dcd33e47b4c57b746a1b28

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
9ac4d8d413b3c5d83093beb029570320

SHA1
7685c5e24b2822e997e163f45f89d8e2d8c4e424

SHA256
7e1adad319e13a87f8c148512ceb1755b5643a7a5ab56974695537d7dc5749f2

SHA512
231f55d68839177f0dc7270c4e65bf4b6b93d6f2f08eab01965a962535f6ace721d5181ac97f1667acc393373b7a744aa44b54c60e827976918085c85de613ba

Download Submit
\Windows\SysWOW64\ksekaagibg.exe

Filesize
512KB

MD5
88f9b24a1417034bc16bd279afb4dbc4

SHA1
7335aa7c420984054f6173d6493fad52832df3cb

SHA256
759f44251d8fe15124a00d3c324710c3ccadce6607a2f3078783334d9e06b701

SHA512
8509af5e86a45caabc0ac91cc0e9188295fdefb949c96a3afe82c7b8723fae581cbdc77f3b7edd9df2ccec64afe5f63bc3a2352a7f461477287d6db7ed08b34b

Download Submit
\Windows\SysWOW64\qhytpolixjywi.exe

Filesize
512KB

MD5
86b5693e61a2222fd7fb1f558fcd83e1

SHA1
e4a53706e49718b01e4bd74ff1771e9cea060242

SHA256
934737334895613a0518b6d13711cb1e60d852027c5e3036b262604bdf02376e

SHA512
6088aa21c364f731df647704b5a53629e172a7b9b369b9d0c9e239f241a587adbf8b3a9bed12bc945993778921b3240b3fc534929f7648024f10c26c5127a2ee

Download Submit
\Windows\SysWOW64\zcantemt.exe

Filesize
512KB

MD5
ffee545536932ba6159441a53fe5d72c

SHA1
d47d4bbb310143bccc8a1a5957a5acedae43870e

SHA256
fa39f80ed8c08776d57b88e0d00ffefbb987dfa638ca0f5296c82f2a9113d47c

SHA512
736c13abd7f67b984d4f81b08dcb7963227fb06ce8c2bf2eab30c242a28bd98085f303262e82ffad62834699e33c72672813c9a3d4b6736aa9757ea832231ef8

Download Submit
memory/2412-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2424-81-0x0000000003C70000-0x0000000003C80000-memory.dmp

Filesize
64KB

Download
memory/2464-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download