Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2024, 20:41

Static task: static1
Behavioral task: behavioral1
  Sample: 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
Size: 512KB
MD5: 516521117f2e1bd371e9f15181be2e7d
SHA1: 6b0d5e01cca9ae6339b2bd24dee3569457380017
SHA256: ec364d63bb67392f1a32c2fba9d76e4ca0672b12f0d256ba58b430434c8c7f41
SHA512: ec4653a385415596c01ed7db573cc562d2441d9fde4a654938d0434470832ffd10765a29574fb22e39a269501e5242a7103a608a7ce4037b95bd8675fc1e0255
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | thwsxgxwgg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | thwsxgxwgg.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | thwsxgxwgg.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | thwsxgxwgg.exe
Executes dropped EXE 5 IoCs
pid | Process
2588 | thwsxgxwgg.exe
2736 | gpfcnphoxoyyjin.exe
2936 | phvsadja.exe
2732 | kipniaocusgny.exe
2768 | phvsadja.exe
Loads dropped DLL 5 IoCs
pid | Process | hits
1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 4
2588 | thwsxgxwgg.exe | 1
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | thwsxgxwgg.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uxaogpoc = "gpfcnphoxoyyjin.exe" | gpfcnphoxoyyjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kipniaocusgny.exe" | gpfcnphoxoyyjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xcaacezu = "thwsxgxwgg.exe" | gpfcnphoxoyyjin.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | phvsadja.exe (43 opens across the two phvsadja.exe instances; every letter opened twice except g:, n: and s:)
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\j: \??\k: \??\l: \??\m: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | thwsxgxwgg.exe (21 opens)
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | thwsxgxwgg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | thwsxgxwgg.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1996-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0008000000014f71-9.dat | autoit_exe
behavioral1/files/0x000d000000014708-17.dat | autoit_exe
behavioral1/files/0x002f000000014b63-25.dat | autoit_exe
behavioral1/files/0x0007000000015653-40.dat | autoit_exe
behavioral1/files/0x0006000000016572-67.dat | autoit_exe
behavioral1/files/0x000600000001661c-73.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\kipniaocusgny.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\gpfcnphoxoyyjin.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gpfcnphoxoyyjin.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\phvsadja.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\phvsadja.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kipniaocusgny.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | thwsxgxwgg.exe
File created | C:\Windows\SysWOW64\thwsxgxwgg.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\thwsxgxwgg.exe | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | phvsadja.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | phvsadja.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | phvsadja.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | phvsadja.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | phvsadja.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | phvsadja.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | phvsadja.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings 31 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Modifies registry class 64 IoCs
description | ioc | Process

516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe (3 IoCs):
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF8E4F5B851F9131D75F7DE1BDEEE637584467406330D69D" | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C77915E3DAB4B8BA7FE4ED9134CA" | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe

thwsxgxwgg.exe (4 IoCs):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | thwsxgxwgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | thwsxgxwgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | thwsxgxwgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | thwsxgxwgg.exe

WINWORD.EXE (57 IoCs):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
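Added triage example (my own code, not part of the sandbox report or of the sample): a Python script that parses the flattened "Set value" IoC lines from the signature blocks above, rewrites the NT-native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths into the HKLM / HKU spelling an analyst would query on a host, flags the Explorer, Security Center, DisableRegistryTools, Run-key and Winlogon values the signatures describe, and decodes the REG_BINARY "(data)" values WINWORD.EXE wrote under the Internet Explorer editor and .htm/.mht OpenWithList keys. The SAMPLE_IOCS lines are copied from this report; the RULES thresholds, tactic labels, notes and every function name are my own.

```python
import re
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Constructed sample: "Set value" lines copied from the signature blocks above, one per line.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" thwsxgxwgg.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" thwsxgxwgg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" thwsxgxwgg.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" thwsxgxwgg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kipniaocusgny.exe" gpfcnphoxoyyjin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xcaacezu = "thwsxgxwgg.exe" gpfcnphoxoyyjin.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" thwsxgxwgg.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
'''

# One flattened line: Set value (kind) \REGISTRY\...\Name = "value" process   (REG_BINARY: = <hex> process)
IOC_RE = re.compile(
    r'^Set value \((?P<kind>int|str|data)\) '
    r'(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]*?) = '
    r'(?:"(?P<quoted>.*)"|(?P<raw>[0-9A-Fa-f]+)) (?P<proc>\S+)$')


@dataclass(frozen=True)
class RegWrite:
    kind: str       # int | str | data
    key: str        # HKLM\... or HKU\<SID>\...
    name: str       # '' is the key's (Default) value
    value: str      # as printed; REG_BINARY stays hex
    process: str
    wow64: bool     # the write landed in the 32-bit Wow6432Node view


Finding = NamedTuple('Finding', [('write', RegWrite), ('tactic', str), ('note', str)])


def nt_to_win32(nt_path: str) -> str:
    """\\REGISTRY\\MACHINE\\x -> HKLM\\x and \\REGISTRY\\USER\\<SID>\\x -> HKU\\<SID>\\x."""
    for prefix, hive in (('\\REGISTRY\\MACHINE', 'HKLM'), ('\\REGISTRY\\USER', 'HKU')):
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def parse_ioc_line(line: str) -> Optional[RegWrite]:
    m = IOC_RE.match(line.strip())
    if not m:
        return None                       # Key created / File opened / ... lines
    key = nt_to_win32(m['key'])
    value = m['quoted'] if m['quoted'] is not None else m['raw']
    return RegWrite(m['kind'], key, m['name'], value, m['proc'],
                    '\\WOW6432NODE\\' in key.upper())


# (key suffix, value name or None for any, predicate on the printed value, tactic, note); my own reading
RULES = [
    ('\\explorer\\advanced', 'hidefileext', lambda v: v == '1',
     'Defense Evasion: Hide Artifacts', 'Explorer hides file extensions'),
    ('\\explorer\\advanced', 'showsuperhidden', lambda v: v == '0',
     'Defense Evasion: Hide Artifacts', 'Explorer hides protected OS files'),
    ('\\policies\\system', 'disableregistrytools', lambda v: v == '1',
     'Defense Evasion: Impair Defenses', 'regedit disabled for this user'),
    ('\\security center', None, lambda v: v == '1',
     'Defense Evasion: Impair Defenses', 'Security Center override/notification flag set'),
    ('\\currentversion\\run', None, lambda v: True,
     'Persistence: Registry Run Keys', 'autostart entry'),
    ('\\currentversion\\winlogon', 'sfcdisable', lambda v: v != '0',
     'Defense Evasion: Impair Defenses', 'Windows File Protection disable value (XP-era setting)'),
]


def triage(report_text: str) -> list[Finding]:
    """Return every 'Set value' line that matches a tamper rule."""
    out = []
    for w in filter(None, map(parse_ioc_line, report_text.splitlines())):
        for suffix, name, hit, tactic, note in RULES:
            if (w.key.lower().endswith(suffix)
                    and (name is None or w.name.lower() == name) and hit(w.value)):
                if w.wow64:   # a 32-bit writer was redirected; 64-bit services read the native key
                    note += ' [Wow6432Node view: check the native key as well]'
                out.append(Finding(w, tactic, note))
    return out


def dword_as_signed(printed: str) -> int:
    """REG_DWORD is printed unsigned: 4294967197 is 0xFFFFFF9D, i.e. -99."""
    n = int(printed) & 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def decode_reg_data(hex_value: str) -> str:
    """The (data) values written by WINWORD.EXE are UTF-16LE text with a double NUL terminator."""
    return bytes.fromhex(hex_value).decode('utf-16-le').rstrip('\x00')


def split_darwin_descriptor(text: str) -> dict:
    """Windows Installer descriptor: 20-char compressed product GUID, feature, '>',
    20-char compressed component GUID, then the verb's arguments."""
    feature, _, rest = text[20:].partition('>')
    return {'product': text[:20], 'feature': feature,
            'component': rest[:20], 'args': rest[20:].strip()}


if __name__ == '__main__':
    for f in triage(SAMPLE_IOCS):
        print(f'{f.tactic:<34} {f.write.process:<20} {f.write.key}\\{f.write.name} = {f.write.value}  ({f.note})')
    for w in filter(None, map(parse_ioc_line, SAMPLE_IOCS.splitlines())):
        if w.kind == 'data':
            print(w.key, split_darwin_descriptor(decode_reg_data(w.value)))
```

Two things the decoded output makes concrete. First, the (data) values are not a payload: they decode to UTF-16LE Windows Installer descriptors of the form <compressed product GUID><feature>><compressed component GUID> /n "%1" (the WORDFiles feature for WINWORD.EXE here, PubPrimary for MSPUB.EXE in the registry-class block), which Office registers for its advertised shell verbs, so the WINWORD.EXE registry noise is Office 2010 (Office14) first-run activity triggered by the sample opening C:\Windows\mydoc.rtf, not persistence. Second, because the sample runs from SysWOW64, its HKLM\SOFTWARE writes were redirected into Wow6432Node: the Run entries there are still processed at logon, but the 64-bit Security Center service and Winlogon read the native key, and SFCDisable (0xFFFFFF9D here) is a Windows 2000/XP Windows File Protection value that Windows 7's Windows Resource Protection does not use, so read those values as the intent of an XP-era sample rather than as a working bypass on this image.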
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2444 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits (the original list repeats each pid once per hit)
1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 8
2936 | phvsadja.exe | 4
2732 | kipniaocusgny.exe | 27
2588 | thwsxgxwgg.exe | 5
2736 | gpfcnphoxoyyjin.exe | 16
2768 | phvsadja.exe | 4
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | hits
1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 3
2936 | phvsadja.exe | 3
2732 | kipniaocusgny.exe | 3
2588 | thwsxgxwgg.exe | 3
2736 | gpfcnphoxoyyjin.exe | 3
2768 | phvsadja.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | hits
1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 3
2936 | phvsadja.exe | 3
2732 | kipniaocusgny.exe | 3
2588 | thwsxgxwgg.exe | 3
2736 | gpfcnphoxoyyjin.exe | 3
2768 | phvsadja.exe | 3
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process | hits
2444 | WINWORD.EXE | 2
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target | hits
PID 1996 wrote to memory of 2588 | 1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 28 | 4
PID 1996 wrote to memory of 2736 | 1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 29 | 4
PID 1996 wrote to memory of 2936 | 1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 30 | 4
PID 1996 wrote to memory of 2732 | 1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 31 | 4
PID 2588 wrote to memory of 2768 | 2588 | thwsxgxwgg.exe | 32 | 4
PID 1996 wrote to memory of 2444 | 1996 | 516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe | 33 | 4
PID 2444 wrote to memory of 1612 | 2444 | WINWORD.EXE | 36 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\516521117f2e1bd371e9f15181be2e7d_JaffaCakes118.exe"
  PID: 1996 (depth 1)
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\thwsxgxwgg.exe
    command line: thwsxgxwgg.exe
    PID: 2588 (depth 2, child of 1996)
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\phvsadja.exe
      command line: C:\Windows\system32\phvsadja.exe
      PID: 2768 (depth 3, child of 2588)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gpfcnphoxoyyjin.exe
    command line: gpfcnphoxoyyjin.exe
    PID: 2736 (depth 2, child of 1996)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\phvsadja.exe
    command line: phvsadja.exe
    PID: 2936 (depth 2, child of 1996)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\kipniaocusgny.exe
    command line: kipniaocusgny.exe
    PID: 2732 (depth 2, child of 1996)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2444 (depth 2, child of 1996)
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288
      PID: 1612 (depth 3, child of 2444)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
Downloads

Filesize: 512KB
MD5: d3716f87c49d565616a80883b1784f7b
SHA1: 658c3375db5330e580570160f76a5f2124d4fbed
SHA256: c0a5134e23d6e141cd081938a071b0816e8665dbe4a6afb55f3481949d49af45
SHA512: 9e00ce860dbb541cf54db02b84d35db9d7d1755f2560a48ad54791fa4272989b6b231ace77fe8bade3d14d1018eaece6c88830e6fdc2a006ff8687625361180d

Filesize: 512KB
MD5: 740a5ce4c40456c3fc7ae8ddad2136d0
SHA1: 35f693bbbca4c4023741d6ffb7e05d3dc0de1111
SHA256: d42abde362e7b9f652f3c692a71a9b8e598a2bf58cf9cc88e30c2def91777bd1
SHA512: 15ce9b094f9f054ffee132a5775edfef4676e2b5f3d5a73911da696b3d30dda6bd332ae818f5f67612120d8877ddfe02b2b8ddfe321d219d3989d9d2e0db8030

Filesize: 20KB
MD5: 819d6eee899099e95cb534c59396e701
SHA1: 4dace26b3faf91ec41407f65e1c9cce342f1ebb9
SHA256: 676fec6626f41805967c0a01a49e95c16c47e69f17e85c217a071aa0835a7d8e
SHA512: a281dc6606a7dc778748d444133d654e937085a7223425c79fa6f82573a236ee642da42dae9ab98177d9315e1726728d195ce6b98821759bca07e2e03b6cc958

Filesize: 512KB
MD5: 0a9ba441ed53cb8e55bbf06e888d386a
SHA1: ad03c00a55aefa2f17a35e1b08ccc40acd5c4a8b
SHA256: 737a66e8dead0929fd9262f67ce568c43f22e1ac0f17c9f9e9aecf1a439e4027
SHA512: 1f529206fd345eace743ed494fb5f37e9234588b159a561b21c644b17dee5de73ab7c138b1585736f4d2193c888021013ce8ed46006391e3d94e229076d2ec91

Filesize: 512KB
MD5: 9aacb3277a2a0b7643b1bb20adca9179
SHA1: d6f1240a0686d183cdd795f975dffabbf81eeb46
SHA256: 2c0c013d6d53ca3d3f3e294e54c6bfeba8a10aaaff0ca22b7b7d4892fa413496
SHA512: 7a6bfe9565d0963dcac298912950b6d554fa39e88d3f20b210c42c621f8feed944831e0319aad92cb28544c2b47a8aceb536cc03d5f916a24931f2f5a2392787

Filesize: 512KB
MD5: 101edaaa1d218cb5161c9bcffead0773
SHA1: 5dbe6b2678095b50024a23e759d7bdc6ee812c88
SHA256: 64a2a91f355babcf9324a37a6c9405c62befff43cdf6079278e10865e36bdd63
SHA512: 90dd148bb96973f70270b47eb27c4a0236cf2d4c753c2fcc3be0bceea874ba532d3dccb45a475228ff54ade11006a2d7b2ca87b1b92cbae4550356d4f4ac1c04

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 5ac047e8b70e3cc0622209becfc91a2a
SHA1: e3b0c7a91aac5203c4b05570fece8fdad1d49326
SHA256: e6992840f91d852cf4794c6f7929c58cc05b92c2c807823cbfc1e743b299e8b4
SHA512: 2ba66ca593bc23cfbe4882852b450f21b10036be28eaeb72aefb8044e0b4d64232bcca8a6a32f39b098237b774ac81b4ded5de82c73a429945c0f846be6d5930