Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-04-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
Size: 512KB
MD5: 03c0939221cc821ef6e2c3aba337b6b3
SHA1: 8aa2dcf1b9fa074a4768b1e8f4cf8549cd23d574
SHA256: 9c633bf015525e859c9eda2f617c57e186621a1aaf8425bc8b3957699fe3dcff
SHA512: 199ef1ce49d1e1a7d2763d767d8463c0625bf402e70c53f9210259605c887edc943813c408d260c0d71dfeaaabc0c98ed253dfab7e8ac31788e85880073dbc5b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: ovodflglrl.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ovodflglrl.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: ovodflglrl.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ovodflglrl.exe

Windows security bypass
Processes: ovodflglrl.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ovodflglrl.exe

Disables RegEdit via registry modification 1 IoCs
Processes: ovodflglrl.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ovodflglrl.exe

Executes dropped EXE 5 IoCs
Processes: ovodflglrl.exe, albxugrxsnbghqo.exe, ebaqzlou.exe, hifpbxqflhrcc.exe, ebaqzlou.exe
pid | process
2516 | ovodflglrl.exe
2624 | albxugrxsnbghqo.exe
2652 | ebaqzlou.exe
1932 | hifpbxqflhrcc.exe
2196 | ebaqzlou.exe

Loads dropped DLL 5 IoCs
Processes: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe, ovodflglrl.exe
pid | process
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2516 | ovodflglrl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: ovodflglrl.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ovodflglrl.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: albxugrxsnbghqo.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pcaxndhc = "ovodflglrl.exe" | albxugrxsnbghqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxxbmlgm = "albxugrxsnbghqo.exe" | albxugrxsnbghqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hifpbxqflhrcc.exe" | albxugrxsnbghqo.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ovodflglrl.exe, ebaqzlou.exe, ebaqzlou.exe
description | ioc | process
File opened (read-only) | \??\s: | ovodflglrl.exe
File opened (read-only) | \??\e: | ebaqzlou.exe
File opened (read-only) | \??\b: | ebaqzlou.exe
File opened (read-only) | \??\t: | ebaqzlou.exe
File opened (read-only) | \??\j: | ebaqzlou.exe
File opened (read-only) | \??\p: | ebaqzlou.exe
File opened (read-only) | \??\l: | ovodflglrl.exe
File opened (read-only) | \??\h: | ebaqzlou.exe
File opened (read-only) | \??\e: | ebaqzlou.exe
File opened (read-only) | \??\b: | ovodflglrl.exe
File opened (read-only) | \??\m: | ovodflglrl.exe
File opened (read-only) | \??\z: | ovodflglrl.exe
File opened (read-only) | \??\n: | ebaqzlou.exe
File opened (read-only) | \??\p: | ovodflglrl.exe
File opened (read-only) | \??\j: | ebaqzlou.exe
File opened (read-only) | \??\y: | ebaqzlou.exe
File opened (read-only) | \??\x: | ovodflglrl.exe
File opened (read-only) | \??\a: | ebaqzlou.exe
File opened (read-only) | \??\s: | ebaqzlou.exe
File opened (read-only) | \??\p: | ebaqzlou.exe
File opened (read-only) | \??\q: | ebaqzlou.exe
File opened (read-only) | \??\v: | ebaqzlou.exe
File opened (read-only) | \??\h: | ovodflglrl.exe
File opened (read-only) | \??\n: | ovodflglrl.exe
File opened (read-only) | \??\o: | ovodflglrl.exe
File opened (read-only) | \??\g: | ebaqzlou.exe
File opened (read-only) | \??\i: | ebaqzlou.exe
File opened (read-only) | \??\u: | ebaqzlou.exe
File opened (read-only) | \??\y: | ebaqzlou.exe
File opened (read-only) | \??\n: | ebaqzlou.exe
File opened (read-only) | \??\t: | ebaqzlou.exe
File opened (read-only) | \??\w: | ebaqzlou.exe
File opened (read-only) | \??\x: | ebaqzlou.exe
File opened (read-only) | \??\i: | ovodflglrl.exe
File opened (read-only) | \??\j: | ovodflglrl.exe
File opened (read-only) | \??\t: | ovodflglrl.exe
File opened (read-only) | \??\k: | ebaqzlou.exe
File opened (read-only) | \??\h: | ebaqzlou.exe
File opened (read-only) | \??\e: | ovodflglrl.exe
File opened (read-only) | \??\m: | ebaqzlou.exe
File opened (read-only) | \??\m: | ebaqzlou.exe
File opened (read-only) | \??\q: | ebaqzlou.exe
File opened (read-only) | \??\v: | ebaqzlou.exe
File opened (read-only) | \??\v: | ovodflglrl.exe
File opened (read-only) | \??\w: | ebaqzlou.exe
File opened (read-only) | \??\x: | ebaqzlou.exe
File opened (read-only) | \??\l: | ebaqzlou.exe
File opened (read-only) | \??\r: | ebaqzlou.exe
File opened (read-only) | \??\r: | ovodflglrl.exe
File opened (read-only) | \??\w: | ovodflglrl.exe
File opened (read-only) | \??\u: | ebaqzlou.exe
File opened (read-only) | \??\o: | ebaqzlou.exe
File opened (read-only) | \??\r: | ebaqzlou.exe
File opened (read-only) | \??\s: | ebaqzlou.exe
File opened (read-only) | \??\i: | ebaqzlou.exe
File opened (read-only) | \??\g: | ovodflglrl.exe
File opened (read-only) | \??\u: | ovodflglrl.exe
File opened (read-only) | \??\y: | ovodflglrl.exe
File opened (read-only) | \??\a: | ebaqzlou.exe
File opened (read-only) | \??\o: | ebaqzlou.exe
File opened (read-only) | \??\k: | ebaqzlou.exe
File opened (read-only) | \??\a: | ovodflglrl.exe
File opened (read-only) | \??\k: | ovodflglrl.exe
File opened (read-only) | \??\b: | ebaqzlou.exe

Modifies WinLogon 2 TTPs 2 IoCs
Processes: ovodflglrl.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ovodflglrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ovodflglrl.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\ebaqzlou.exe | autoit_exe
\Windows\SysWOW64\ovodflglrl.exe | autoit_exe
C:\Windows\SysWOW64\albxugrxsnbghqo.exe | autoit_exe
C:\Windows\SysWOW64\hifpbxqflhrcc.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Users\Admin\Documents\ConfirmCheckpoint.doc.exe | autoit_exe
\??\c:\Users\Admin\Downloads\SetCompare.doc.exe | autoit_exe

Drops file in System32 directory 9 IoCs
Processes: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe, ovodflglrl.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\hifpbxqflhrcc.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ovodflglrl.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ovodflglrl.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\albxugrxsnbghqo.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hifpbxqflhrcc.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ovodflglrl.exe
File created | C:\Windows\SysWOW64\albxugrxsnbghqo.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ebaqzlou.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ebaqzlou.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs
Processes: ebaqzlou.exe, ebaqzlou.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ebaqzlou.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ebaqzlou.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ebaqzlou.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ebaqzlou.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ebaqzlou.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ebaqzlou.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ebaqzlou.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ebaqzlou.exe

Drops file in Windows directory 5 IoCs
Processes: WINWORD.EXE, 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Processes: WINWORD.EXE
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE

Modifies registry class 64 IoCs
Processes: ovodflglrl.exe, WINWORD.EXE, 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ovodflglrl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12847EF38E352C4BAA5329AD4B8" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ovodflglrl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ovodflglrl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ovodflglrl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ovodflglrl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C7791493DAC0B8C97CE8EDE034BD" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2852 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe, albxugrxsnbghqo.exe, ovodflglrl.exe, hifpbxqflhrcc.exe, ebaqzlou.exe, ebaqzlou.exe
pid | process
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2516 | ovodflglrl.exe
2516 | ovodflglrl.exe
2516 | ovodflglrl.exe
2516 | ovodflglrl.exe
2516 | ovodflglrl.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2652 | ebaqzlou.exe
2652 | ebaqzlou.exe
2652 | ebaqzlou.exe
2652 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2624 | albxugrxsnbghqo.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe

Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe, ovodflglrl.exe, albxugrxsnbghqo.exe, hifpbxqflhrcc.exe, ebaqzlou.exe, ebaqzlou.exe
pid | process
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2516 | ovodflglrl.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2516 | ovodflglrl.exe
2516 | ovodflglrl.exe
1932 | hifpbxqflhrcc.exe
2652 | ebaqzlou.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2652 | ebaqzlou.exe
2652 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe

Suspicious use of SendNotifyMessage 18 IoCs
Processes: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe, ovodflglrl.exe, albxugrxsnbghqo.exe, hifpbxqflhrcc.exe, ebaqzlou.exe, ebaqzlou.exe
pid | process
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
2516 | ovodflglrl.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2624 | albxugrxsnbghqo.exe
2516 | ovodflglrl.exe
2516 | ovodflglrl.exe
1932 | hifpbxqflhrcc.exe
2652 | ebaqzlou.exe
1932 | hifpbxqflhrcc.exe
1932 | hifpbxqflhrcc.exe
2652 | ebaqzlou.exe
2652 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe
2196 | ebaqzlou.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2852 | WINWORD.EXE
2852 | WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs
Processes: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe, albxugrxsnbghqo.exe, ovodflglrl.exe, WINWORD.EXE
description | pid | process | target process
PID 2380 wrote to memory of 2516 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ovodflglrl.exe
PID 2380 wrote to memory of 2516 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ovodflglrl.exe
PID 2380 wrote to memory of 2516 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ovodflglrl.exe
PID 2380 wrote to memory of 2516 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ovodflglrl.exe
PID 2380 wrote to memory of 2624 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | albxugrxsnbghqo.exe
PID 2380 wrote to memory of 2624 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | albxugrxsnbghqo.exe
PID 2380 wrote to memory of 2624 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | albxugrxsnbghqo.exe
PID 2380 wrote to memory of 2624 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | albxugrxsnbghqo.exe
PID 2624 wrote to memory of 2644 | 2624 | albxugrxsnbghqo.exe | cmd.exe
PID 2624 wrote to memory of 2644 | 2624 | albxugrxsnbghqo.exe | cmd.exe
PID 2624 wrote to memory of 2644 | 2624 | albxugrxsnbghqo.exe | cmd.exe
PID 2624 wrote to memory of 2644 | 2624 | albxugrxsnbghqo.exe | cmd.exe
PID 2380 wrote to memory of 2652 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ebaqzlou.exe
PID 2380 wrote to memory of 2652 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ebaqzlou.exe
PID 2380 wrote to memory of 2652 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ebaqzlou.exe
PID 2380 wrote to memory of 2652 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | ebaqzlou.exe
PID 2380 wrote to memory of 1932 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | hifpbxqflhrcc.exe
PID 2380 wrote to memory of 1932 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | hifpbxqflhrcc.exe
PID 2380 wrote to memory of 1932 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | hifpbxqflhrcc.exe
PID 2380 wrote to memory of 1932 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | hifpbxqflhrcc.exe
PID 2516 wrote to memory of 2196 | 2516 | ovodflglrl.exe | ebaqzlou.exe
PID 2516 wrote to memory of 2196 | 2516 | ovodflglrl.exe | ebaqzlou.exe
PID 2516 wrote to memory of 2196 | 2516 | ovodflglrl.exe | ebaqzlou.exe
PID 2516 wrote to memory of 2196 | 2516 | ovodflglrl.exe | ebaqzlou.exe
PID 2380 wrote to memory of 2852 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | WINWORD.EXE
PID 2380 wrote to memory of 2852 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | WINWORD.EXE
PID 2380 wrote to memory of 2852 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | WINWORD.EXE
PID 2380 wrote to memory of 2852 | 2380 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | WINWORD.EXE
PID 2852 wrote to memory of 2384 | 2852 | WINWORD.EXE | splwow64.exe
PID 2852 wrote to memory of 2384 | 2852 | WINWORD.EXE | splwow64.exe
PID 2852 wrote to memory of 2384 | 2852 | WINWORD.EXE | splwow64.exe
PID 2852 wrote to memory of 2384 | 2852 | WINWORD.EXE | splwow64.exe

Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe"
Tree depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\ovodflglrl.exe
Command line: ovodflglrl.exe
Tree depth: 2
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\ebaqzlou.exe
Command line: C:\Windows\system32\ebaqzlou.exe
Tree depth: 3
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Path: C:\Windows\SysWOW64\albxugrxsnbghqo.exe
Command line: albxugrxsnbghqo.exe
Tree depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c hifpbxqflhrcc.exe
Tree depth: 3
-
Path: C:\Windows\SysWOW64\ebaqzlou.exe
Command line: ebaqzlou.exe
Tree depth: 2
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Path: C:\Windows\SysWOW64\hifpbxqflhrcc.exe
Command line: hifpbxqflhrcc.exe
Tree depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
Tree depth: 2
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Tree depth: 3
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (7)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize 512KB
MD5 3e9a917cb2b67307181264ffc21e3469
SHA1 cc4048138f4d5d5a20cd07fa131e18c0b3287573
SHA256 3b10deefb0e9e863f4f03e241bcd17f9870233821716c863b953aac7451989c7
SHA512 d5cf2df10ae18a854a661445ecb5dec57802c8f129aeb0035c8bebc5e1dea9697481f3fb185b968ad0eff08e098563a059c12679745d533c80d9be8af6fc4206
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize 512KB
MD5 fec38c4dafa238586ab8aa16994d892a
SHA1 41577d3446a9ac823fa44c08912eda416f9edf2c
SHA256 071586b9857dce0eda62c5130acb5e5933b9b58d790143f1c272f78198884e56
SHA512 72f58805877a356358343a48a780a66d55e6813e075c91f1d37765d348254d702622262f888e44c78534ae6e598cd2eeb49dfa1324952bd49faf2a484eceffa3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize 20KB
MD5 d6670a55e5ce9b4b42806df4fd429c09
SHA1 e6eec4fd241cd604d122066423fa2482c663bbe5
SHA256 cb4cddab1012326dc0c1dc2076f3e5b7e1f29d85f49c8bcc99a17aab1fbe056d
SHA512 5bb90d19cddf04a02a783f8024a99450018758610701fdebf8f6fca3b3c1e6dc90f5cf44a9047c962b14406f7cbddb216b0c5374803d582de3a9d566b943d246
-
C:\Users\Admin\Documents\ConfirmCheckpoint.doc.exe
Filesize 512KB
MD5 3ee8a9d26375902a78e247a4e6a66d2e
SHA1 f807850f79faac6eb07fb20d93b68d73a6fb628a
SHA256 c2e5fa9b4b1f234d8701bda33da4d716bb9eeacd552f64360dc40034557910ca
SHA512 a257265b7f0b3bc4d5e856163f178280b469053dbcfcee4fa45aad68914bd91137eaea0e0b44f2b01c80798e6eb4a825916f1d1f1e98a802260a504d34670dd8
-
C:\Windows\SysWOW64\albxugrxsnbghqo.exe
Filesize 512KB
MD5 5acaea5acb7ea3a6b27593a3dbc3ed45
SHA1 79422215d0aae6e6806e491344242976a7d4c00e
SHA256 2c19cedf691b80a2c52abbe33ac11f7dba508f1a4cb088a5ea6f68fa10e5a587
SHA512 7d1ba21de21869831070624d584371da7eb1087a4600cede3dbb30df6e771abfb4627dcec4fdc132b4480e24da81d5083284fc369ad0b907d930a2a9f0cce9f1
-
C:\Windows\SysWOW64\ebaqzlou.exe
Filesize 512KB
MD5 55f0b1dddc90aaaa20c55ef81308b555
SHA1 7ce0eab345b6688a3d80559ab9b8d8f88f1102bb
SHA256 f548ff11a6e0b1dd9d6bdc16c1217ed4fe28744f40bbd3700751370c0bd58cb6
SHA512 86c68207179b346839ba7a9fd130aa67247a6cbcb5016feb0e1a538fafcfdf0f1e722ee2c5a39de9fe0a5be37907973ff7445ee71447d43c623b8f61efd9bb16
-
C:\Windows\SysWOW64\hifpbxqflhrcc.exe
Filesize 512KB
MD5 6ef8e66b6f3d00db5dc2ed394c5723e9
SHA1 905b27a4292ca48e2f900f7f7a0b03c7b9ab2a8a
SHA256 702890c3825f7bb760ec19c8900d5c512b1ed91b0fdadb5d0d78e56c84e0d072
SHA512 b27ef3713fe8d374b0e37d4c2917a08cf47d59d0f4cc07ac930e097d85251210f3e79d09f2136b751618a4faf69055e4dfc2939fdb0fc373a0097c00240fdafe
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Users\Admin\Downloads\SetCompare.doc.exe
Filesize 512KB
MD5 ec9480cc145468daece0be12d7d6a613
SHA1 c1d181ea7064a16644fe5399146b38cab6d83b12
SHA256 0d8a8e1ced38e9a35d44a865befa1e934549084b9cf0bd0780e53de3e7d77671
SHA512 bb0388e56351921a1a044cbec0812950e07d444d8c646052373b6ad584394a2fbf7d1a9c5c9b1542f167820dd43422dc7fbf98e6513fe9ca04640d82e7cb1479
-
\Windows\SysWOW64\ovodflglrl.exe
Filesize 512KB
MD5 6c77a5c0f11bd763091ab66cd7b00139
SHA1 8b0aa9a9726e1921d6a520cac991a69389a5b5e3
SHA256 cde88d101ba5105948ec844275d59f0b286f38922e5a1038eba1e343e3a0a146
SHA512 414ca68c8d4cc4a73722b9ca11e11bc242c555956981a958818ab659105ecf424f1ecff65f724c9a2863fa3e4f6b32f7b322cdc2da04f5a4b9dc9ce56832a724
-
memory/2380-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB
-
memory/2852-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/2852-108-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB