762ba6421a898f1929e1a2ebfdcb3bd6872e0e6ce1f2ecd698b176542e6677c9

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Size

512KB
MD5

ab62eae5f5ab1247553f9e43c703b05a
SHA1

bf3c54fe6ee69d0a854e27ab1a9fb195edebfdfe
SHA256

762ba6421a898f1929e1a2ebfdcb3bd6872e0e6ce1f2ecd698b176542e6677c9
SHA512

6a32b7057e2e2e82506680d249bae0a675006598671cfef8e613e18d621c24810b07d5e6bf64bc9d4d0af32f33632be9dec887d1f61effe3edbed456b4ab3664
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cpnaibpudi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cpnaibpudi.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	cpnaibpudi.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cpnaibpudi.exe

Executes dropped EXE 5 IoCs

pid	Process
3056	cpnaibpudi.exe
2132	rmlsqoxmjmptacf.exe
2680	piujclyl.exe
2636	mlzstnahcltyx.exe
2088	piujclyl.exe

Loads dropped DLL 5 IoCs

pid	Process
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
3056	cpnaibpudi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cpnaibpudi.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vblznlcn = "cpnaibpudi.exe"	rmlsqoxmjmptacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bwrekxmj = "rmlsqoxmjmptacf.exe"	rmlsqoxmjmptacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mlzstnahcltyx.exe"	rmlsqoxmjmptacf.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	piujclyl.exe
File opened (read-only)	\??\k:	piujclyl.exe
File opened (read-only)	\??\b:	piujclyl.exe
File opened (read-only)	\??\e:	piujclyl.exe
File opened (read-only)	\??\w:	piujclyl.exe
File opened (read-only)	\??\y:	piujclyl.exe
File opened (read-only)	\??\e:	cpnaibpudi.exe
File opened (read-only)	\??\g:	cpnaibpudi.exe
File opened (read-only)	\??\r:	piujclyl.exe
File opened (read-only)	\??\i:	piujclyl.exe
File opened (read-only)	\??\n:	piujclyl.exe
File opened (read-only)	\??\m:	cpnaibpudi.exe
File opened (read-only)	\??\y:	cpnaibpudi.exe
File opened (read-only)	\??\t:	piujclyl.exe
File opened (read-only)	\??\x:	piujclyl.exe
File opened (read-only)	\??\n:	piujclyl.exe
File opened (read-only)	\??\p:	piujclyl.exe
File opened (read-only)	\??\s:	piujclyl.exe
File opened (read-only)	\??\i:	cpnaibpudi.exe
File opened (read-only)	\??\s:	piujclyl.exe
File opened (read-only)	\??\z:	piujclyl.exe
File opened (read-only)	\??\v:	piujclyl.exe
File opened (read-only)	\??\j:	piujclyl.exe
File opened (read-only)	\??\o:	piujclyl.exe
File opened (read-only)	\??\p:	piujclyl.exe
File opened (read-only)	\??\b:	cpnaibpudi.exe
File opened (read-only)	\??\r:	cpnaibpudi.exe
File opened (read-only)	\??\x:	cpnaibpudi.exe
File opened (read-only)	\??\r:	piujclyl.exe
File opened (read-only)	\??\a:	cpnaibpudi.exe
File opened (read-only)	\??\h:	cpnaibpudi.exe
File opened (read-only)	\??\u:	cpnaibpudi.exe
File opened (read-only)	\??\i:	piujclyl.exe
File opened (read-only)	\??\h:	piujclyl.exe
File opened (read-only)	\??\j:	piujclyl.exe
File opened (read-only)	\??\k:	piujclyl.exe
File opened (read-only)	\??\o:	piujclyl.exe
File opened (read-only)	\??\m:	piujclyl.exe
File opened (read-only)	\??\u:	piujclyl.exe
File opened (read-only)	\??\w:	piujclyl.exe
File opened (read-only)	\??\z:	cpnaibpudi.exe
File opened (read-only)	\??\z:	piujclyl.exe
File opened (read-only)	\??\l:	cpnaibpudi.exe
File opened (read-only)	\??\o:	cpnaibpudi.exe
File opened (read-only)	\??\p:	cpnaibpudi.exe
File opened (read-only)	\??\b:	piujclyl.exe
File opened (read-only)	\??\e:	piujclyl.exe
File opened (read-only)	\??\g:	piujclyl.exe
File opened (read-only)	\??\m:	piujclyl.exe
File opened (read-only)	\??\y:	piujclyl.exe
File opened (read-only)	\??\k:	cpnaibpudi.exe
File opened (read-only)	\??\n:	cpnaibpudi.exe
File opened (read-only)	\??\q:	cpnaibpudi.exe
File opened (read-only)	\??\l:	piujclyl.exe
File opened (read-only)	\??\a:	piujclyl.exe
File opened (read-only)	\??\t:	cpnaibpudi.exe
File opened (read-only)	\??\v:	cpnaibpudi.exe
File opened (read-only)	\??\g:	piujclyl.exe
File opened (read-only)	\??\l:	piujclyl.exe
File opened (read-only)	\??\q:	piujclyl.exe
File opened (read-only)	\??\s:	cpnaibpudi.exe
File opened (read-only)	\??\u:	piujclyl.exe
File opened (read-only)	\??\a:	piujclyl.exe
File opened (read-only)	\??\h:	piujclyl.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	cpnaibpudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	cpnaibpudi.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0036000000015f05-5.dat	autoit_exe
behavioral1/files/0x000a0000000122ec-17.dat	autoit_exe
behavioral1/files/0x000c000000016103-32.dat	autoit_exe
behavioral1/files/0x0008000000016255-34.dat	autoit_exe
behavioral1/files/0x00050000000186f1-75.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cpnaibpudi.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\piujclyl.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mlzstnahcltyx.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	cpnaibpudi.exe
File opened for modification	C:\Windows\SysWOW64\cpnaibpudi.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\piujclyl.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mlzstnahcltyx.exe	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\PushMount.nal	piujclyl.exe
File created	\??\c:\Program Files\PushMount.doc.exe	piujclyl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	piujclyl.exe
File opened for modification	\??\c:\Program Files\PushMount.doc.exe	piujclyl.exe
File opened for modification	C:\Program Files\PushMount.nal	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	piujclyl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	piujclyl.exe
File opened for modification	C:\Program Files\PushMount.doc.exe	piujclyl.exe
File opened for modification	\??\c:\Program Files\PushMount.doc.exe	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	piujclyl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	piujclyl.exe
File opened for modification	C:\Program Files\PushMount.doc.exe	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	piujclyl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	piujclyl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	piujclyl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	piujclyl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	piujclyl.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D789C2783276A3576D277262DDB7DF364AB"	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFAB9F961F2E3840E3B3781EC39E3B0FC02F94268023DE1CF429C08D3"	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	cpnaibpudi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	cpnaibpudi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB158449239E853CDBAA5339CD7CA"	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB7FE6822A9D27ED0A28A7A9164"	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	cpnaibpudi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	cpnaibpudi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF8B4F2A8212903CD7297D94BDE5E131594B66436237D69C"	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2628	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2680	piujclyl.exe
2680	piujclyl.exe
2680	piujclyl.exe
2680	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2132	rmlsqoxmjmptacf.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2680	piujclyl.exe
2680	piujclyl.exe
2680	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
2132	rmlsqoxmjmptacf.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
3056	cpnaibpudi.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2636	mlzstnahcltyx.exe
2680	piujclyl.exe
2680	piujclyl.exe
2680	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe
2088	piujclyl.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	WINWORD.EXE
2628	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3056	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	28
PID 2188 wrote to memory of 3056	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	28
PID 2188 wrote to memory of 3056	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	28
PID 2188 wrote to memory of 3056	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2132	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2132	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2132	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2132	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2680	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2680	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2680	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2680	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2636	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2636	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2636	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2636	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2088	3056	cpnaibpudi.exe	32
PID 3056 wrote to memory of 2088	3056	cpnaibpudi.exe	32
PID 3056 wrote to memory of 2088	3056	cpnaibpudi.exe	32
PID 3056 wrote to memory of 2088	3056	cpnaibpudi.exe	32
PID 2188 wrote to memory of 2628	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	33
PID 2188 wrote to memory of 2628	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	33
PID 2188 wrote to memory of 2628	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	33
PID 2188 wrote to memory of 2628	2188	ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe	33
PID 2628 wrote to memory of 2812	2628	WINWORD.EXE	37
PID 2628 wrote to memory of 2812	2628	WINWORD.EXE	37
PID 2628 wrote to memory of 2812	2628	WINWORD.EXE	37
PID 2628 wrote to memory of 2812	2628	WINWORD.EXE	37

C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cpnaibpudi.exe
  cpnaibpudi.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\piujclyl.exe
    C:\Windows\system32\piujclyl.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2088
- C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe
  rmlsqoxmjmptacf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2132
- C:\Windows\SysWOW64\piujclyl.exe
  piujclyl.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2680
- C:\Windows\SysWOW64\mlzstnahcltyx.exe
  mlzstnahcltyx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2636
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
0bd0689f44a4e33c87f04633478c571d

SHA1
f6eb7a9826c3e6964a669a42b7a5c07d7bd91411

SHA256
68cc02dd45614a586707f71e0f1f030f65393dd889602fef405ad5837a818790

SHA512
a734e0b8e8ac2a947e7e4809d745e2bda45a3070b70b630374f7d539abf531acc670998af3bc80d07a350f7100ec8e6b484a03bd53473323596842064142e8e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a9f4d558572c3a841b84915be2b01897

SHA1
ea05563406ea5b2b08d985b1deb187c146020770

SHA256
10ed55ae2df6642e0685d5d1b4a3168dd5a045ac2c598eaf3536e4e51bba3eb4

SHA512
bd87b5e8fedbb1930cec83a73f7ed1adb3332d74d421a29f905941005381d3ad6b0d75f7f9bc7bcee8a687ab1ee92940af76c484edf268d172c9098ca3408fa3

Download Submit
C:\Windows\SysWOW64\piujclyl.exe

Filesize
512KB

MD5
27391b0c1bd8ae76fd67ab43c158aa97

SHA1
d0f38e3682b24aa09c0fe2a60749639000069232

SHA256
7619ca56920c233509b4dfb480a3fd62995292c0741955129343d51d77ca37cb

SHA512
133f721041b8f22f44adb94511a56bc4a1a44df563f34f5e62c88d68e357ad0d138681f82ad28cc1edfe8eb2e14fb6525a0451464ff2a87c62b8e81702ba397f

Download Submit
C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe

Filesize
512KB

MD5
34bde89a1317a2472b460b49e9940e79

SHA1
181e9e27191aac2a77af31db82101b42ea4fd5df

SHA256
ac7b5434370aff720bbba0b809b59d1848188f5409be4ba555961594d35e984d

SHA512
d47fd1058d7124f8c1ecfd02880a35e0b56444780931c6d9dcfa9554d11c30080807b18fd56272d318f48178fc23cf2e95412261410aca7afa64a37f37fb9055

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\cpnaibpudi.exe

Filesize
512KB

MD5
dcccc41e1b55806a27b529fb759d9ee6

SHA1
16d55a23409ccf1861d810426d4b68d1fe156bca

SHA256
e426e6ac4920090516d0d8be4ea71c47d622c4c3fd8620500ea2dfd958153df1

SHA512
94abc80911aee004e11fdb0703441d930147a8ce2180b2ca8b7501d9f49bb96f366eb176e783a5cebc42f3934857916831ab5a2223522247e1e03a3684094b3f

Download Submit
\Windows\SysWOW64\mlzstnahcltyx.exe

Filesize
512KB

MD5
9eebbbe3115e5ce0d43359dd6a9926c9

SHA1
702d3d255aa5847bde10ce8d6274c9778d971691

SHA256
9477eed36f6f39086a8b90db732e50ce4bd6ccf46f7ab3dcd8093e2fc22ca7de

SHA512
8a8b96ec207bd0187a71a28138a06822d2569c8da22caad2ec093640ac6af9110183f30856f5d1b568d853fd21fe72b64b189c9279a7c3648e67e6306560c77f

Download Submit
memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2628-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2628-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download