ed54234f73fa20b99ec8da643be99d3350fed29e11532fb5cfcedfddec471804

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
Size

512KB
MD5

702a27e40a259877b90c92cb15742892
SHA1

474de8b01e95cdbb55e9aec9b2c0a8d6d3b228ff
SHA256

ed54234f73fa20b99ec8da643be99d3350fed29e11532fb5cfcedfddec471804
SHA512

c69b4cb8b9c135e930bd73678a09221ec162c2a00ae4e26f05cfbc4b89e5c733b333a4e5a7fa220cc3483ee04666d47ccb0d3fab3faa8210734fa8f2133f704f
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lxdvwpvflv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lxdvwpvflv.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lxdvwpvflv.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lxdvwpvflv.exe

Executes dropped EXE 5 IoCs

pid	Process
2540	lxdvwpvflv.exe
2608	fozmdyzmurzyrjd.exe
2556	rpguysnr.exe
2404	jemqinizjwdan.exe
2928	rpguysnr.exe

Loads dropped DLL 5 IoCs

pid	Process
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2540	lxdvwpvflv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lxdvwpvflv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tavhtxzo = "lxdvwpvflv.exe"	fozmdyzmurzyrjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwhkyizv = "fozmdyzmurzyrjd.exe"	fozmdyzmurzyrjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jemqinizjwdan.exe"	fozmdyzmurzyrjd.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	rpguysnr.exe
File opened (read-only)	\??\y:	rpguysnr.exe
File opened (read-only)	\??\x:	lxdvwpvflv.exe
File opened (read-only)	\??\e:	rpguysnr.exe
File opened (read-only)	\??\t:	rpguysnr.exe
File opened (read-only)	\??\n:	lxdvwpvflv.exe
File opened (read-only)	\??\g:	rpguysnr.exe
File opened (read-only)	\??\a:	rpguysnr.exe
File opened (read-only)	\??\z:	rpguysnr.exe
File opened (read-only)	\??\q:	rpguysnr.exe
File opened (read-only)	\??\y:	rpguysnr.exe
File opened (read-only)	\??\i:	rpguysnr.exe
File opened (read-only)	\??\u:	rpguysnr.exe
File opened (read-only)	\??\r:	lxdvwpvflv.exe
File opened (read-only)	\??\u:	lxdvwpvflv.exe
File opened (read-only)	\??\j:	rpguysnr.exe
File opened (read-only)	\??\a:	lxdvwpvflv.exe
File opened (read-only)	\??\v:	lxdvwpvflv.exe
File opened (read-only)	\??\y:	lxdvwpvflv.exe
File opened (read-only)	\??\i:	rpguysnr.exe
File opened (read-only)	\??\u:	rpguysnr.exe
File opened (read-only)	\??\v:	rpguysnr.exe
File opened (read-only)	\??\x:	rpguysnr.exe
File opened (read-only)	\??\n:	rpguysnr.exe
File opened (read-only)	\??\h:	lxdvwpvflv.exe
File opened (read-only)	\??\k:	lxdvwpvflv.exe
File opened (read-only)	\??\p:	rpguysnr.exe
File opened (read-only)	\??\t:	lxdvwpvflv.exe
File opened (read-only)	\??\j:	rpguysnr.exe
File opened (read-only)	\??\o:	rpguysnr.exe
File opened (read-only)	\??\b:	rpguysnr.exe
File opened (read-only)	\??\m:	rpguysnr.exe
File opened (read-only)	\??\o:	rpguysnr.exe
File opened (read-only)	\??\i:	lxdvwpvflv.exe
File opened (read-only)	\??\o:	lxdvwpvflv.exe
File opened (read-only)	\??\z:	rpguysnr.exe
File opened (read-only)	\??\k:	rpguysnr.exe
File opened (read-only)	\??\q:	lxdvwpvflv.exe
File opened (read-only)	\??\q:	rpguysnr.exe
File opened (read-only)	\??\w:	rpguysnr.exe
File opened (read-only)	\??\b:	rpguysnr.exe
File opened (read-only)	\??\r:	rpguysnr.exe
File opened (read-only)	\??\e:	lxdvwpvflv.exe
File opened (read-only)	\??\g:	lxdvwpvflv.exe
File opened (read-only)	\??\s:	lxdvwpvflv.exe
File opened (read-only)	\??\n:	rpguysnr.exe
File opened (read-only)	\??\t:	rpguysnr.exe
File opened (read-only)	\??\e:	rpguysnr.exe
File opened (read-only)	\??\p:	rpguysnr.exe
File opened (read-only)	\??\r:	rpguysnr.exe
File opened (read-only)	\??\w:	lxdvwpvflv.exe
File opened (read-only)	\??\a:	rpguysnr.exe
File opened (read-only)	\??\z:	lxdvwpvflv.exe
File opened (read-only)	\??\h:	rpguysnr.exe
File opened (read-only)	\??\g:	rpguysnr.exe
File opened (read-only)	\??\v:	rpguysnr.exe
File opened (read-only)	\??\x:	rpguysnr.exe
File opened (read-only)	\??\l:	lxdvwpvflv.exe
File opened (read-only)	\??\m:	lxdvwpvflv.exe
File opened (read-only)	\??\s:	rpguysnr.exe
File opened (read-only)	\??\l:	rpguysnr.exe
File opened (read-only)	\??\p:	lxdvwpvflv.exe
File opened (read-only)	\??\s:	rpguysnr.exe
File opened (read-only)	\??\w:	rpguysnr.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	lxdvwpvflv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	lxdvwpvflv.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x002f000000014c2d-5.dat	autoit_exe
behavioral1/files/0x000c000000012707-17.dat	autoit_exe
behavioral1/files/0x00080000000153ee-27.dat	autoit_exe
behavioral1/files/0x0007000000015662-34.dat	autoit_exe
behavioral1/files/0x0006000000016c38-71.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lxdvwpvflv.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fozmdyzmurzyrjd.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jemqinizjwdan.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jemqinizjwdan.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lxdvwpvflv.exe
File created	C:\Windows\SysWOW64\lxdvwpvflv.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fozmdyzmurzyrjd.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rpguysnr.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rpguysnr.exe	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpguysnr.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	rpguysnr.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpguysnr.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpguysnr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	rpguysnr.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpguysnr.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpguysnr.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpguysnr.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2D0B9C2D82596D4477D077202CD87D8265DF"	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	lxdvwpvflv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF82482D82699131D7297D9CBCE7E14158406743633FD79A"	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	lxdvwpvflv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	lxdvwpvflv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2408	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2928	rpguysnr.exe
2928	rpguysnr.exe
2928	rpguysnr.exe
2928	rpguysnr.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2608	fozmdyzmurzyrjd.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2928	rpguysnr.exe
2928	rpguysnr.exe
2928	rpguysnr.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2540	lxdvwpvflv.exe
2608	fozmdyzmurzyrjd.exe
2608	fozmdyzmurzyrjd.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2556	rpguysnr.exe
2608	fozmdyzmurzyrjd.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2404	jemqinizjwdan.exe
2928	rpguysnr.exe
2928	rpguysnr.exe
2928	rpguysnr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2408	WINWORD.EXE
2408	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2540	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2540	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2540	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2540	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2608	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2608	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2608	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2608	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2556	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2556	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2556	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2556	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2404	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	31
PID 2872 wrote to memory of 2404	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	31
PID 2872 wrote to memory of 2404	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	31
PID 2872 wrote to memory of 2404	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2928	2540	lxdvwpvflv.exe	32
PID 2540 wrote to memory of 2928	2540	lxdvwpvflv.exe	32
PID 2540 wrote to memory of 2928	2540	lxdvwpvflv.exe	32
PID 2540 wrote to memory of 2928	2540	lxdvwpvflv.exe	32
PID 2872 wrote to memory of 2408	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	33
PID 2872 wrote to memory of 2408	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	33
PID 2872 wrote to memory of 2408	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	33
PID 2872 wrote to memory of 2408	2872	702a27e40a259877b90c92cb15742892_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2288	2408	WINWORD.EXE	36
PID 2408 wrote to memory of 2288	2408	WINWORD.EXE	36
PID 2408 wrote to memory of 2288	2408	WINWORD.EXE	36
PID 2408 wrote to memory of 2288	2408	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\702a27e40a259877b90c92cb15742892_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\702a27e40a259877b90c92cb15742892_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\lxdvwpvflv.exe
  lxdvwpvflv.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\rpguysnr.exe
    C:\Windows\system32\rpguysnr.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2928
- C:\Windows\SysWOW64\fozmdyzmurzyrjd.exe
  fozmdyzmurzyrjd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2608
- C:\Windows\SysWOW64\rpguysnr.exe
  rpguysnr.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2556
- C:\Windows\SysWOW64\jemqinizjwdan.exe
  jemqinizjwdan.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2404
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
c39b5a502f8cb04f775f81e37f31f1f9

SHA1
df7d4a5eccf3fe8e20f3e0d0909afbec74641de7

SHA256
baa33a8dbbc368a5e930d0872791eabdd2bed854864a73ac69c418f3555a8a49

SHA512
25af9de9d5eeb90776fbdbe03254c42ff48ad846bdc35c4f343d0ceaf129638174aaa700c621bbb0890a0d11c8d5d2a42bbb71996a2abd9a79ab3a0efec0c5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f93ffb46d22e53e87d0d72f75909459a

SHA1
101e2aed742d47a2040f6bc6931f2e30c0607dc4

SHA256
394968ba5d45b442c8146d4949e0f1662bfbbabfadea6b23d86f32bbf5124fdf

SHA512
632377343014669d5987f3085987570e32264c30a2769944d8b7415bf51083217c477a9f626ff9729430fdc02f4c1a04396b0ecdafe1b69e33b24566eb8fc79e

Download Submit
C:\Windows\SysWOW64\fozmdyzmurzyrjd.exe

Filesize
512KB

MD5
fa78820637270d90ece0e2d5c19fe08e

SHA1
a6ba8561924d70f185815522f7e1d8f3e2e9eef0

SHA256
4ecc09ede67edc5495bc65205ca1035722f5b2ffd73dc1c2e890ebb1f231bca8

SHA512
9a49e6b24e452bd76c90216cc16797bb1a70d66531eef9eefbeb8d1064306c6562c3cf2b355fb9ed8af603c54dc3ff1c8f97c89d097d02875eff50f0c485c070

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\jemqinizjwdan.exe

Filesize
512KB

MD5
8706133132fdf8cdc8f798b25223bd78

SHA1
0d0a3c3e2142a4c9bd549743e3b688fa309f26d0

SHA256
dd0bf12b86d740a5aed9c374ed4ef2eee514c0c3241ff36b784aaa93340df186

SHA512
5c28cf46a251802d09237a56ff63f9c9af85763de1a9c7353eef329f74309cce6c11fc2559554e4e1f763aec86f144b9931d1ecb1767fc2c00e01c5ae9963f36

Download Submit
\Windows\SysWOW64\lxdvwpvflv.exe

Filesize
512KB

MD5
6fcaccf4c28f9254ac84029c7431efa9

SHA1
70d8ddce44bb6dee38f442783bf1f40549384187

SHA256
68f2988cfaf0fe91679336cba90374693a6ecfae3976f3f92949843a4eb11d80

SHA512
ad80bc2f235a22cfaeb541b5df7dd549b46d42c8535d983d0d58a1b2e0fa6385bdbd0f1af5ff78712ee3f1a6ac2e15dcc2da70edf868551d7162f33bd2bbc76c

Download Submit
\Windows\SysWOW64\rpguysnr.exe

Filesize
512KB

MD5
27f4d76f2f42c97974a2ca2afa3aa9dc

SHA1
91b01f1b68f407dd42a8bea53e624fd22f33a7ad

SHA256
e729fef6f779a9f08d0798e26d3dbab01a78174ec18d20ee78ae1e81581d9372

SHA512
d81103f28a705f7580d0560eafa6ef0d4082f36ec7e4cac7236db3c0cbe0325a6aefc126a6ecd6d3d939e40f7a54915ebe66c73b92283f03e4e22649cae1071d

Download Submit
memory/2408-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2408-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2872-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download