Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 04:08
Static task
static1
Behavioral task
behavioral1
Sample
69af959794532432a508040c0b496ccb_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
69af959794532432a508040c0b496ccb_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
69af959794532432a508040c0b496ccb_JaffaCakes118.exe
-
Size
512KB
-
MD5
69af959794532432a508040c0b496ccb
-
SHA1
032f20c3b0225859ab53f23b59087f858a6f066e
-
SHA256
b667fa0a0ee06d7237e16ef8ca43c6e4b6704ff2e32262be8c63a25ca61cfe67
-
SHA512
964454aabc120f66172a4f5be7d44c048233be9558e31fb606a049bf46ac1583c469e39a067623c94c33c77befc444f5429bcafaf1c6fa0e15fb0fca3428c4df
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
ophulhqcko.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ophulhqcko.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
ophulhqcko.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ophulhqcko.exe -
Processes:
ophulhqcko.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ophulhqcko.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
ophulhqcko.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ophulhqcko.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
ophulhqcko.exezhonfddyylqhkhp.exebsizjsmk.exevgriubffjpqbq.exebsizjsmk.exepid process 2884 ophulhqcko.exe 2580 zhonfddyylqhkhp.exe 2636 bsizjsmk.exe 2592 vgriubffjpqbq.exe 2556 bsizjsmk.exe -
Loads dropped DLL 5 IoCs
Processes:
69af959794532432a508040c0b496ccb_JaffaCakes118.exeophulhqcko.exepid process 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2884 ophulhqcko.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
ophulhqcko.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ophulhqcko.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
zhonfddyylqhkhp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cxajzasy = "ophulhqcko.exe" zhonfddyylqhkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taaoskby = "zhonfddyylqhkhp.exe" zhonfddyylqhkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vgriubffjpqbq.exe" zhonfddyylqhkhp.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
bsizjsmk.exeophulhqcko.exebsizjsmk.exedescription ioc process File opened (read-only) \??\n: bsizjsmk.exe File opened (read-only) \??\o: bsizjsmk.exe File opened (read-only) \??\s: bsizjsmk.exe File opened (read-only) \??\p: ophulhqcko.exe File opened (read-only) \??\l: bsizjsmk.exe File opened (read-only) \??\m: bsizjsmk.exe File opened (read-only) \??\x: bsizjsmk.exe File opened (read-only) \??\l: ophulhqcko.exe File opened (read-only) \??\s: ophulhqcko.exe File opened (read-only) \??\v: bsizjsmk.exe File opened (read-only) \??\v: ophulhqcko.exe File opened (read-only) \??\a: bsizjsmk.exe File opened (read-only) \??\r: bsizjsmk.exe File opened (read-only) \??\h: bsizjsmk.exe File opened (read-only) \??\z: bsizjsmk.exe File opened (read-only) \??\a: ophulhqcko.exe File opened (read-only) \??\k: ophulhqcko.exe File opened (read-only) \??\o: ophulhqcko.exe File opened (read-only) \??\k: bsizjsmk.exe File opened (read-only) \??\m: ophulhqcko.exe File opened (read-only) \??\u: ophulhqcko.exe File opened (read-only) \??\g: bsizjsmk.exe File opened (read-only) \??\h: bsizjsmk.exe File opened (read-only) \??\i: bsizjsmk.exe File opened (read-only) \??\y: bsizjsmk.exe File opened (read-only) \??\t: ophulhqcko.exe File opened (read-only) \??\p: bsizjsmk.exe File opened (read-only) \??\z: bsizjsmk.exe File opened (read-only) \??\g: bsizjsmk.exe File opened (read-only) \??\j: bsizjsmk.exe File opened (read-only) \??\q: bsizjsmk.exe File opened (read-only) \??\e: ophulhqcko.exe File opened (read-only) \??\q: ophulhqcko.exe File opened (read-only) \??\q: bsizjsmk.exe File opened (read-only) \??\t: bsizjsmk.exe File opened (read-only) \??\j: ophulhqcko.exe File opened (read-only) \??\k: bsizjsmk.exe File opened (read-only) \??\r: bsizjsmk.exe File opened (read-only) \??\u: bsizjsmk.exe File opened (read-only) \??\w: bsizjsmk.exe File opened (read-only) \??\i: bsizjsmk.exe File opened (read-only) \??\m: bsizjsmk.exe File opened (read-only) \??\o: bsizjsmk.exe File opened (read-only) \??\e: bsizjsmk.exe File opened (read-only) \??\p: bsizjsmk.exe File opened (read-only) \??\w: bsizjsmk.exe File opened (read-only) \??\b: bsizjsmk.exe File opened (read-only) \??\t: bsizjsmk.exe File opened (read-only) \??\u: bsizjsmk.exe File opened (read-only) \??\l: bsizjsmk.exe File opened (read-only) \??\a: bsizjsmk.exe File opened (read-only) \??\b: ophulhqcko.exe File opened (read-only) \??\w: ophulhqcko.exe File opened (read-only) \??\z: ophulhqcko.exe File opened (read-only) \??\s: bsizjsmk.exe File opened (read-only) \??\v: bsizjsmk.exe File opened (read-only) \??\x: bsizjsmk.exe File opened (read-only) \??\x: ophulhqcko.exe File opened (read-only) \??\j: bsizjsmk.exe File opened (read-only) \??\n: bsizjsmk.exe File opened (read-only) \??\y: bsizjsmk.exe File opened (read-only) \??\h: ophulhqcko.exe File opened (read-only) \??\n: ophulhqcko.exe File opened (read-only) \??\r: ophulhqcko.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
ophulhqcko.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ophulhqcko.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ophulhqcko.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2220-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\zhonfddyylqhkhp.exe autoit_exe \Windows\SysWOW64\ophulhqcko.exe autoit_exe \Windows\SysWOW64\bsizjsmk.exe autoit_exe C:\Windows\SysWOW64\vgriubffjpqbq.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
69af959794532432a508040c0b496ccb_JaffaCakes118.exeophulhqcko.exedescription ioc process File created C:\Windows\SysWOW64\ophulhqcko.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ophulhqcko.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bsizjsmk.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File created C:\Windows\SysWOW64\vgriubffjpqbq.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File created C:\Windows\SysWOW64\zhonfddyylqhkhp.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\zhonfddyylqhkhp.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File created C:\Windows\SysWOW64\bsizjsmk.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vgriubffjpqbq.exe 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ophulhqcko.exe -
Drops file in Program Files directory 15 IoCs
Processes:
bsizjsmk.exebsizjsmk.exedescription ioc process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bsizjsmk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bsizjsmk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bsizjsmk.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bsizjsmk.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bsizjsmk.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bsizjsmk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bsizjsmk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bsizjsmk.exe -
Drops file in Windows directory 4 IoCs
Processes:
WINWORD.EXE69af959794532432a508040c0b496ccb_JaffaCakes118.exedescription ioc process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 69af959794532432a508040c0b496ccb_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEophulhqcko.exe69af959794532432a508040c0b496ccb_JaffaCakes118.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ophulhqcko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFFFB4F5D8518903DD75A7D93BD92E141584766466345D6EC" 69af959794532432a508040c0b496ccb_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABCF962F197830F3B45869F3E98B3FD02F842690348E1C542E809D1" 69af959794532432a508040c0b496ccb_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ophulhqcko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ophulhqcko.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ophulhqcko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2612 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
69af959794532432a508040c0b496ccb_JaffaCakes118.exeophulhqcko.exezhonfddyylqhkhp.exebsizjsmk.exevgriubffjpqbq.exebsizjsmk.exepid process 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2580 zhonfddyylqhkhp.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe Token: SeShutdownPrivilege 1956 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
69af959794532432a508040c0b496ccb_JaffaCakes118.exeophulhqcko.exezhonfddyylqhkhp.exebsizjsmk.exevgriubffjpqbq.exebsizjsmk.exeexplorer.exepid process 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe -
Suspicious use of SendNotifyMessage 37 IoCs
Processes:
69af959794532432a508040c0b496ccb_JaffaCakes118.exeophulhqcko.exezhonfddyylqhkhp.exebsizjsmk.exevgriubffjpqbq.exebsizjsmk.exeexplorer.exepid process 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2884 ophulhqcko.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2580 zhonfddyylqhkhp.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2636 bsizjsmk.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2592 vgriubffjpqbq.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 2556 bsizjsmk.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe 1956 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2612 WINWORD.EXE 2612 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
69af959794532432a508040c0b496ccb_JaffaCakes118.exeophulhqcko.exedescription pid process target process PID 2220 wrote to memory of 2884 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe ophulhqcko.exe PID 2220 wrote to memory of 2884 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe ophulhqcko.exe PID 2220 wrote to memory of 2884 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe ophulhqcko.exe PID 2220 wrote to memory of 2884 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe ophulhqcko.exe PID 2220 wrote to memory of 2580 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe zhonfddyylqhkhp.exe PID 2220 wrote to memory of 2580 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe zhonfddyylqhkhp.exe PID 2220 wrote to memory of 2580 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe zhonfddyylqhkhp.exe PID 2220 wrote to memory of 2580 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe zhonfddyylqhkhp.exe PID 2220 wrote to memory of 2636 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe bsizjsmk.exe PID 2220 wrote to memory of 2636 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe bsizjsmk.exe PID 2220 wrote to memory of 2636 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe bsizjsmk.exe PID 2220 wrote to memory of 2636 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe bsizjsmk.exe PID 2220 wrote to memory of 2592 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe vgriubffjpqbq.exe PID 2220 wrote to memory of 2592 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe vgriubffjpqbq.exe PID 2220 wrote to memory of 2592 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe vgriubffjpqbq.exe PID 2220 wrote to memory of 2592 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe vgriubffjpqbq.exe PID 2884 wrote to memory of 2556 2884 ophulhqcko.exe bsizjsmk.exe PID 2884 wrote to memory of 2556 2884 ophulhqcko.exe bsizjsmk.exe PID 2884 wrote to memory of 2556 2884 ophulhqcko.exe bsizjsmk.exe PID 2884 wrote to memory of 2556 2884 ophulhqcko.exe bsizjsmk.exe PID 2220 wrote to memory of 2612 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe WINWORD.EXE PID 2220 wrote to memory of 2612 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe WINWORD.EXE PID 2220 wrote to memory of 2612 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe WINWORD.EXE PID 2220 wrote to memory of 2612 2220 69af959794532432a508040c0b496ccb_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\69af959794532432a508040c0b496ccb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\69af959794532432a508040c0b496ccb_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ophulhqcko.exeophulhqcko.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bsizjsmk.exeC:\Windows\system32\bsizjsmk.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\zhonfddyylqhkhp.exezhonfddyylqhkhp.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\bsizjsmk.exebsizjsmk.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vgriubffjpqbq.exevgriubffjpqbq.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exeFilesize
512KB
MD57d270f55e05b67c3ea83fdb6f801b279
SHA1d26ed773782fe035951f07451cc17fca9134c581
SHA256441177777b2ad0e9c86db75907080100adf014b4c86f096e54135ccb9811a118
SHA512360d7eb9b45d26766c97957b982cea124f688bbb9b550e7eabdf5d68da8699c4225d7a2bea888b4125e7ed2c68c20bddc3136db702af132748e732f7218a710b
-
C:\Windows\SysWOW64\vgriubffjpqbq.exeFilesize
512KB
MD5aba4f5d8a5661ee0e50b64f9231b012b
SHA1d8e0dda5d2ab014c5d8e7a1564d52fb2fda8d209
SHA256eadd41da1072cbb1cb3c8fd7a8eafb4b5287b521cc41c3c3b9abeb6f262839ed
SHA5129446224cb19795e7dfc1584d4673e819ffe5424f062a46d190f0ba18cdf9ae29cb4a5799cd47103f93ef67836822c7cfe2773247d46b6670c58728327c4cdd5b
-
C:\Windows\SysWOW64\zhonfddyylqhkhp.exeFilesize
512KB
MD5800ebe68353ec8035bf2f7103998f097
SHA15a8efea59200f20b56ae4fe1988c36625ec08e75
SHA25668707313c4d126da9c189eb7489d0eecbae0a4e71eeaccbc8fd3fa9232d1e27b
SHA512baea7844600838a09d2f8646251eada04fc51623a48f1e94acb7c6d91c8a8847e3adca146c9db932e4bdbfe851bc5e6a3cd9e99a981d5f8011e0b79ebd46f119
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\bsizjsmk.exeFilesize
512KB
MD5c8516fc1d4e4e4f9e29206c5d56a9645
SHA1e04f1732b844b4c66640d9dc56108b2bb41b8451
SHA25664182a52591f4e4a62bf21016c5db46a2a289d616d6d6344ec715443904f4872
SHA512a1bc4d4e7611092a11712d5192ef9169351b5121f8203b96fb88705622d3360f18d701033dc71e4bf5b53e9ea4194a324f64c4c84681a8cdfc77aa2cb582894a
-
\Windows\SysWOW64\ophulhqcko.exeFilesize
512KB
MD5b7257b9810be8b6fe69b1c6122e2a9df
SHA1dd0f4bf1edc2dea52c8119c133bd8766e00e3416
SHA2565fb91883d6c7fa5380ea52ec8e1d037261e25b09f7472a722b83bd28521418c3
SHA5121ce8d07db4c78240ffc9797b30dcaba1bf534742ab1079a7f0f4f473e65928fb8bddf9e4ed25bcc7e3728b7598995c993cfb965a1640abb9b88467823d329e60
-
memory/1956-76-0x0000000002A00000-0x0000000002A10000-memory.dmpFilesize
64KB
-
memory/2220-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/2612-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB