Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-2cyjfade42
Target e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118
SHA256 a70a6d9f76777ac324da5c4859ca1bf0d807840f8b8e239a0c3c8d1769c2a336
Tags
persistence spyware stealer evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a70a6d9f76777ac324da5c4859ca1bf0d807840f8b8e239a0c3c8d1769c2a336

Threat Level: Known bad

The file e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer evasion trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:26

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:26

Reported

2024-04-06 22:29

Platform

win7-20231129-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\urkurbnvqd.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\hfupcinu.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\itvticge = "urkurbnvqd.exe" C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cmtfgwyk = "sgcubesukauqedl.exe" C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tbeuserfyepnb.exe" C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hfupcinu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hfupcinu.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hfupcinu.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tbeuserfyepnb.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tbeuserfyepnb.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\urkurbnvqd.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\urkurbnvqd.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sgcubesukauqedl.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sgcubesukauqedl.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hfupcinu.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hfupcinu.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
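The Run-key rows above and the three file-drop tables that follow them carry the report's most actionable findings: the three Run values under Wow6432Node are written by sgcubesukauqedl.exe (itself one of the dropped copies, so persistence is installed by the second stage rather than by the original sample), every value holds a bare filename rather than a full path, and the files those names point at are the copies dropped into C:\Windows\SysWOW64. The PROTTPLV.DOC.exe / PROTTPLN.DOC.exe drops in the Office template directory pair with the "Modifies visibility of file extensions in Explorer" signature in the summary: with known extensions hidden those names display as PROTTPLV.DOC and PROTTPLN.DOC. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own "description indicator process target" layout (the sample rows are copied from the tables above), splits the columns on the assumption that the process path starts with a drive letter, and flags the points just listed. The flag names and the `triage` function are mine.

```python
import re
from typing import Dict, List

# Constructed sample: rows copied from the "Adds Run key", "Drops file in
# System32 directory", "Drops file in Program Files directory" and "Drops
# file in Windows directory" tables of the report, in its own
# "<description> <indicator> <process> <target>" layout.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\itvticge = "urkurbnvqd.exe" C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cmtfgwyk = "sgcubesukauqedl.exe" C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tbeuserfyepnb.exe" C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
File created C:\Windows\SysWOW64\hfupcinu.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\urkurbnvqd.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfupcinu.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# Row shapes as the report prints them. The process column is recognised by
# its leading drive letter (an assumption of this example, not of the report).
RUN_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*?) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$')
FILE_ROW = re.compile(
    r'^File created (?P<path>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')
EXEC_EXTS = {"exe", "dll", "scr", "com", "pif"}


def norm_path(p: str) -> str:
    """Strip the NT \\??\\ prefix the sandbox sometimes records and lower-case."""
    return re.sub(r'^\\\?\?\\', '', p).lower()


def parse_rows(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.strip().splitlines():
        m = RUN_ROW.match(line)
        if m:
            key, data, proc = m.group("key", "data", "proc")
            name = key.rsplit("\\", 1)[1] or "(Default)"
            rows.append({"kind": "run", "name": name, "data": data,
                         "key": key, "proc": proc})
            continue
        m = FILE_ROW.match(line)
        if m:
            rows.append({"kind": "drop", "path": norm_path(m.group("path")),
                         "proc": norm_path(m.group("proc"))})
    return rows


def flags_for_run(data: str) -> List[str]:
    f = []
    # A Run value that is not an absolute (drive or UNC) path is resolved
    # through the launching process's search order, not a fixed file.
    if not re.match(r'^"?(?:[A-Za-z]:\\|\\\\)', data):
        f.append("not-absolute-path")
    return f


def flags_for_drop(path: str) -> List[str]:
    f = []
    name = path.rsplit("\\", 1)[-1]
    parts = name.split(".")
    if parts[-1] in EXEC_EXTS:
        f.append("executable")
        # foo.DOC.exe displays as "foo.DOC" once known extensions are hidden,
        # which is one of the Explorer settings the summary says this sample changes.
        if len(parts) >= 3:
            f.append("double-extension")
    if "\\windows\\syswow64\\" in path or "\\windows\\system32\\" in path:
        f.append("system-dir")
    elif "\\program files" in path:
        f.append("program-files")
    return f


def triage(text: str) -> Dict[str, list]:
    rows = parse_rows(text)
    dropped = {r["path"] for r in rows if r["kind"] == "drop"}
    out = {"persistence": [], "drops": []}
    for r in rows:
        if r["kind"] == "run":
            out["persistence"].append(
                {"name": r["name"], "data": r["data"], "writer": r["proc"],
                 "flags": flags_for_run(r["data"])})
        else:
            flags = flags_for_drop(r["path"])
            # The writer is itself one of the dropped files: a second-stage drop.
            if r["proc"] in dropped:
                flags.append("written-by-dropped-file")
            out["drops"].append({"path": r["path"], "writer": r["proc"],
                                 "flags": flags})
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for item in result["persistence"]:
        print("RUN ", item["name"], "->", item["data"], item["flags"])
    for item in result["drops"]:
        print("DROP", item["path"], item["flags"])
```

On a live host the same checks translate directly: enumerate both the native and the Wow6432Node Run keys, treat any value that is not an absolute path as suspect, and list executables whose name carries a document extension before `.exe`.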

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B1FF1D22DCD279D0D48A7E9116" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FFFC485C826D9042D75B7E97BD92E640594266476330D7ED" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67C14E6DAC4B8BA7FE3EC9734BB" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
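Most rows in the "Modifies Internet Explorer settings" and "Modifies registry class" tables are written by WINWORD.EXE, which the sample starts (last row of the WriteProcessMemory table) on C:\Windows\mydoc.rtf; the sample's own writes in those tables are the CLV.Classes values. The long hex `command` values Word writes are REG_BINARY UTF-16LE strings in the Windows Installer "Darwin descriptor" form (a 20-character compressed product code, a feature name, `>`, a 20-character compressed component id, then the verb's arguments), which is how Office registers its edit and open verbs so that Windows Installer can resolve or repair the feature when the verb is invoked. Decoding one of them, as an added example that is not part of the report, separates that Office self-registration noise from the sample's activity. The hex below is copied from the `Default HTML Editor\shell\edit\command\command` row above; the parser and its field names are mine.

```python
from typing import Dict

# Constructed input: the REG_BINARY data WINWORD.EXE wrote to
# ...\Default HTML Editor\shell\edit\command\command, copied from the
# "Modifies Internet Explorer settings" table (split into pieces only
# to keep the literal readable).
WORD_COMMAND_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a007500"
    "20002f006e002000220025003100220000000000"
)

# Darwin descriptor layout (Windows Installer advertised command):
#   <20-char compressed ProductCode><FeatureName>'>'<20-char compressed ComponentId><args>
# The 20-character fields are base-85-style compressions of a GUID.
CODE_LEN = 20


def decode_reg_binary_utf16(hex_data: str) -> str:
    """Decode a hex dump of a REG_BINARY that holds a UTF-16LE string."""
    raw = bytes.fromhex(hex_data)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(s: str) -> Dict[str, str]:
    """Split a Darwin descriptor into its fields; raise if the shape is wrong."""
    if len(s) < 2 * CODE_LEN + 1 or ">" not in s[CODE_LEN:]:
        raise ValueError("not a Darwin descriptor: %r" % s)
    product = s[:CODE_LEN]
    feature, rest = s[CODE_LEN:].split(">", 1)
    component, args = rest[:CODE_LEN], rest[CODE_LEN:]
    if len(component) != CODE_LEN:
        raise ValueError("truncated component id in %r" % s)
    return {"product": product, "feature": feature,
            "component": component, "args": args.strip()}


def classify_command_value(hex_data: str) -> Dict[str, str]:
    """Decode one 'command' REG_BINARY and report what it holds."""
    text = decode_reg_binary_utf16(hex_data)
    try:
        fields = parse_darwin_descriptor(text)
    except ValueError:
        # Anything that is not descriptor-shaped deserves a closer look.
        return {"kind": "plain-or-unknown", "text": text}
    fields["kind"] = "darwin-descriptor"
    fields["text"] = text
    return fields


if __name__ == "__main__":
    info = classify_command_value(WORD_COMMAND_HEX)
    for k in ("kind", "product", "feature", "component", "args"):
        print("%-10s %s" % (k, info[k]))
```

The decoded descriptor names the `WORDFiles` feature with the arguments `/n "%1"`, the same arguments as the plain string `command\` value written beside it; the Excel and Publisher rows decode the same way with `EXCELFiles /dde` and `PubPrimary %1`. A `command` value under these keys that decodes to something other than a descriptor pointing at an Office component is the kind of row worth pulling out of the noise.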

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\hfupcinu.exe N/A
N/A N/A C:\Windows\SysWOW64\hfupcinu.exe N/A
N/A N/A C:\Windows\SysWOW64\hfupcinu.exe N/A
N/A N/A C:\Windows\SysWOW64\hfupcinu.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\sgcubesukauqedl.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\tbeuserfyepnb.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\urkurbnvqd.exe
PID 1712 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\urkurbnvqd.exe
PID 1712 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\urkurbnvqd.exe
PID 1712 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\urkurbnvqd.exe
PID 1712 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\sgcubesukauqedl.exe
PID 1712 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\sgcubesukauqedl.exe
PID 1712 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\sgcubesukauqedl.exe
PID 1712 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\sgcubesukauqedl.exe
PID 1712 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\hfupcinu.exe
PID 1712 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\hfupcinu.exe
PID 1712 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\hfupcinu.exe
PID 1712 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\hfupcinu.exe
PID 1712 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\tbeuserfyepnb.exe
PID 1712 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\tbeuserfyepnb.exe
PID 1712 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\tbeuserfyepnb.exe
PID 1712 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\tbeuserfyepnb.exe
PID 1712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2632 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe"

C:\Windows\SysWOW64\urkurbnvqd.exe

urkurbnvqd.exe

C:\Windows\SysWOW64\sgcubesukauqedl.exe

sgcubesukauqedl.exe

C:\Windows\SysWOW64\hfupcinu.exe

hfupcinu.exe

C:\Windows\SysWOW64\tbeuserfyepnb.exe

tbeuserfyepnb.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1712-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\sgcubesukauqedl.exe

MD5 2037aa4faee0e26448e0f9ec4f2e73fc
SHA1 4791048964e0f89e30cbda925c68251127a73232
SHA256 cfec499aecc97a6ddd674ce90b6f693fa846e122e8d1e33e0856c06fb5d014be
SHA512 32dc5cec2dfb1946c11cd7934916e43c4228f0967e20d8eaf911ccd0acdffbf8ac660f589af7027d83352f337e770802f2b6a2be6ea22cc9705f37f335205b6e

\Windows\SysWOW64\urkurbnvqd.exe

MD5 abb75b71c6f6feb0962f804c0476d5cb
SHA1 0c687178fb9b64e5311156e453586eb7e1312e30
SHA256 1d30942cbd753fdeb8d31e5b03eb6f0f3c1fca74e4a939b2c415c365596c12d7
SHA512 8c43251d01926d793ae2a8e5aedbe21eb474dd1ca9b5ba41929b05949c0a1e3c017a44389716660105e15b43f067bb09a9c5d249fa325a2711a96f94e5dfd576

C:\Windows\SysWOW64\tbeuserfyepnb.exe

MD5 a75bb6618ff2e8cb444c898334e224f4
SHA1 945737b45e1a3d118e58e9fd8a63f6e46cc96f71
SHA256 e19a042c6b29f0177d8d804a094fec6328fa28c715c45ccb8addf9db3d86d904
SHA512 382fc8d506ce15805ac50d6b59c66082e0342c8bf3f91d303c7449fd6f3ee2f28904146cbfb7a236612a7d5d5b476cce5048298be57075faf791d4863d713931

\Windows\SysWOW64\hfupcinu.exe

MD5 d28893aaec9ce8e931e9bc52cd9323a8
SHA1 a8e21ce58863e5b59fb2667342b8bbe696f3b23b
SHA256 f926d8327154d685625b9a634e74f7730762f272a82c301218fe6ab42800c8dd
SHA512 b3f379a6937d37acaad29787085077355acc1ab4c7eceafa0124edab388547dee83a6af24488d607be531b2939c4e10c11357cd46250a189f43e5c5f4ca26f4d

memory/2632-41-0x000000002FCD1000-0x000000002FCD2000-memory.dmp

memory/2632-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2632-43-0x000000007155D000-0x0000000071568000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/2632-76-0x000000007155D000-0x0000000071568000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 adbd12b89fb48364f8f24212ef466191
SHA1 16a8369d3549b0f71cb929a0631b56deca8a1a89
SHA256 629a8b003cf7eceefe431c5721d8eaf42a63dce5c30ed433e7b6510d85cd6c72
SHA512 f6a973da1c4cea8ec2596c6b590a81d3ac39e8c31fa71ed6a50eeea94fe75ae8b8da14485d7e2af7763e80611de9ab46c93bc6e1b6a29d59772215bd71fd321f

memory/2632-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:26

Reported

2024-04-06 22:29

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pirdiyqumy.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\offqdfph = "pirdiyqumy.exe" C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfbgofga = "uhjzqgomhqcknho.exe" C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qmefcwbzlcurg.exe" C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\utdrtoxo.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\pirdiyqumy.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pirdiyqumy.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\uhjzqgomhqcknho.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qmefcwbzlcurg.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\pirdiyqumy.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Windows\SysWOW64\uhjzqgomhqcknho.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\utdrtoxo.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\utdrtoxo.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qmefcwbzlcurg.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created C:\Windows\SysWOW64\pirdiyqumy.exe C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\utdrtoxo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\utdrtoxo.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B02E4795389952CABADD339DD7C9" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C60C15E0DAC7B8CB7CE2EDE034C8" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C089D5283206A3577A077272DDB7D8365AB" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFABCF967F293840E3B4686ED39E3B0FE038A43120332E1BF42E808A5" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF8A485C85689142D6207D97BCE7E147594466426245D7EA" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BB3FE1D22D9D20FD0A88B799162" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\pirdiyqumy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\pirdiyqumy.exe N/A
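The registry rows from "Modifies visibility of file extensions in Explorer" down to "Modifies registry class" are the list a responder has to revert, and they carry three details that are easy to miss in the flat tables: the SysWOW64 droppers are 32-bit, so their HKLM writes land under WOW6432Node (a 64-bit check of HKLM\SOFTWARE\Microsoft\Security Center would not see them); SFCDisable = 4294967197 is 0xFFFFFF9D, the value historically used to switch off Windows File Protection, which no longer exists on Vista and later where Windows Resource Protection replaced it; and setting the default value of .bat, .vbs, .reg, .wsf, .wsh and .wsc to "txtfile" makes those scripts open in Notepad instead of executing, which blocks cleanup scripts. The Python below is an example added to this report, not sandbox output: it parses the "Set value" rows into reg.exe-style paths, marks WOW64-redirected writes, and buckets each write by what it achieves. The sample rows are copied verbatim from the tables above; the category names, the script-extension list and the "int" hex rendering are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input: one registry "Set value" row from each signature
# family in the behavioral2 tables above, copied verbatim from the report.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pirdiyqumy.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pirdiyqumy.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\offqdfph = "pirdiyqumy.exe" C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pirdiyqumy.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\pirdiyqumy.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C089D5283206A3577A077272DDB7D8365AB" C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A',
]

# 'Set value (<type>) <key>\<name> = "<data>" <process> N/A'
LINE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+?) N/A$')

HIVES = (("\\REGISTRY\\MACHINE", "HKLM"), ("\\REGISTRY\\USER", "HKU"))
# Script extensions whose default handler the sample redirects (assumed list).
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".reg", ".wsf", ".wsh", ".wsc"}


def to_hive_path(nt_path):
    """Rewrite the NT object-manager form the sandbox logs into reg.exe style."""
    for prefix, alias in HIVES:
        if nt_path.upper().startswith(prefix):
            return alias + nt_path[len(prefix):]
    return nt_path


def classify(key, name, data):
    """Bucket one write by the effect it has; labels are this example's own."""
    k, n = key.lower(), name.lower()
    if k.endswith("\\explorer\\advanced") and n in {"hidefileext", "showsuperhidden", "hidden"}:
        return "explorer-view-tampering"
    if "\\security center" in k:
        return "security-center-suppression"
    if k.endswith("\\policies\\system") and n in {"disableregistrytools", "disabletaskmgr"}:
        return "admin-tool-lockout"
    if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return "run-key-persistence"
    if k.endswith("\\winlogon") and n in {"sfcdisable", "sfcscan"}:
        return "wfp-disable"
    if "\\classes\\" in k and k.rsplit("\\", 1)[-1] in SCRIPT_EXTS and name == "" and data.lower() == "txtfile":
        return "script-handler-hijack"
    return "unclassified"


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    vtype, full, data, process = m.groups()
    key, _, name = full.rpartition("\\")      # trailing "\" means the (Default) value
    hive_key = to_hive_path(key)
    rec = {
        "type": vtype,
        "key": hive_key,
        "name": name or "(Default)",
        "data": data,
        "process": process,
        "wow64_view": "\\wow6432node\\" in key.lower(),   # written through the 32-bit view
        "category": classify(hive_key, name, data),
    }
    if vtype == "int" and data.isdigit():
        rec["data_hex"] = f"0x{int(data) & 0xFFFFFFFF:08X}"  # 4294967197 -> 0xFFFFFF9D
    return rec


def analyze(lines):
    return [r for r in map(parse_line, lines) if r]


def summarize(records):
    return Counter(r["category"] for r in records)


if __name__ == "__main__":
    recs = analyze(SAMPLE_LINES)
    for r in recs:
        proc = r["process"].rsplit("\\", 1)[-1]
        print(f'{r["category"]:28} {r["key"]}\\{r["name"]} = {r["data"]}  [{proc}]')
    print(summarize(recs))
```

The "wow64_view" flag is the one to act on when checking a live host: the same keys must be read through the 32-bit view (reg.exe /reg:32, or the WOW6432Node path directly) or the Security Center and Run entries will appear untouched. The CLV.Classes values stay "unclassified" on purpose; the report shows them as hex strings written by the dropper but says nothing about what they encode.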

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\pirdiyqumy.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\uhjzqgomhqcknho.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\qmefcwbzlcurg.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A
N/A N/A C:\Windows\SysWOW64\utdrtoxo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\pirdiyqumy.exe
PID 5084 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\pirdiyqumy.exe
PID 5084 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\pirdiyqumy.exe
PID 5084 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\uhjzqgomhqcknho.exe
PID 5084 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\uhjzqgomhqcknho.exe
PID 5084 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\uhjzqgomhqcknho.exe
PID 5084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\utdrtoxo.exe
PID 5084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\utdrtoxo.exe
PID 5084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\utdrtoxo.exe
PID 5084 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\qmefcwbzlcurg.exe
PID 5084 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\qmefcwbzlcurg.exe
PID 5084 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Windows\SysWOW64\qmefcwbzlcurg.exe
PID 5084 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5084 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2280 wrote to memory of 3104 N/A C:\Windows\SysWOW64\pirdiyqumy.exe C:\Windows\SysWOW64\utdrtoxo.exe
PID 2280 wrote to memory of 3104 N/A C:\Windows\SysWOW64\pirdiyqumy.exe C:\Windows\SysWOW64\utdrtoxo.exe
PID 2280 wrote to memory of 3104 N/A C:\Windows\SysWOW64\pirdiyqumy.exe C:\Windows\SysWOW64\utdrtoxo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e36d42338aba76bf3c4eed4a648568d3_JaffaCakes118.exe"

C:\Windows\SysWOW64\pirdiyqumy.exe

pirdiyqumy.exe

C:\Windows\SysWOW64\uhjzqgomhqcknho.exe

uhjzqgomhqcknho.exe

C:\Windows\SysWOW64\utdrtoxo.exe

utdrtoxo.exe

C:\Windows\SysWOW64\qmefcwbzlcurg.exe

qmefcwbzlcurg.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\utdrtoxo.exe

C:\Windows\system32\utdrtoxo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/5084-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\uhjzqgomhqcknho.exe

MD5 5d98a71ff8334c8ccb3da310010a83d5
SHA1 d6dbdca15c2ce77a1d3f84b047afc550c71faaba
SHA256 6b2d33ec5b8dc8752f51d74c4092bf52491825b71137f94a2b07fb3da54fb997
SHA512 050090cb3daad4dfbf8aea3e76a5fd7e939872e5eca4de6f8f142f9d95ceb7dae774d44f762dde4417fff1a1123a1372ba3dc4bf01b82f319f515787439c4485

C:\Windows\SysWOW64\pirdiyqumy.exe

MD5 152b9732f6e23fd9ba55ec51af2da5a0
SHA1 f788b3a89d705fa76b2433c36fa728bbf34fb290
SHA256 74218480309cf1373b123c9ee9ee3e25011b9ba01860139d6644d6885ca6003e
SHA512 f5d3d0fc256ee9da37ed92b5f6e2659603cef7e18870d4a7ab01d8d9950ad801d62e05535a2b3862e44660819ff7070f401494bd5f243b6490201e177ca58b79

C:\Windows\SysWOW64\utdrtoxo.exe

MD5 f665276644c388e35cebf5e157a38ccd
SHA1 d9050c6fe1962aeb20f35a1bba1114d802a609dc
SHA256 81bafa47b2c279be1a1a435e324d600716d0afbd17e880851d3fc7fc1a764b52
SHA512 7b24d654c969f9f3137b1895f7bdb5ce39f3804ac27a9ef7ca1fac54ca0241b373274fd23e09c0c13cc930ad667d7f2a6586808c584f315ed843b8af337a0598

C:\Windows\SysWOW64\qmefcwbzlcurg.exe

MD5 3949296ab1af75da0d0b5e3bc9f4ff35
SHA1 e853320fd108ddeee2180504df3228f7ed8260d0
SHA256 0c34147e64b364089a13678616908e925fd52c9148fd53429c3ff1a88de254fe
SHA512 07d1366c8bd9bca4629099db0e733db68eb5599126600b202040d08f26fa04939aef2f16bdb4bf63798c3095d5d62acc0ea584d56562c15635c0aa1e30e67239

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 361ba5cdfe246f4303b0a1638e0daf43
SHA1 eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256 507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA512 81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 e27ac1a60cf2a4b28eaa3d36bf11f009
SHA1 335c0403b1828a9d777506e7d8bbd8c4980f6d7c
SHA256 ba4e8a2595bf0f9ea4d1048cdb25b3311c0bb4160a173a1b777cc12215c6c835
SHA512 ca42ea774ecd6c8833f955e302ccedcab38510d50eb2c9a6895caab7e640ab497255ef3c698a85d60726fe58958e05b2004cc2950b923c50787d02a795387b08

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1bd7c6b2f9da1c39502633ff1bc9ed63
SHA1 50a1023584afbefbb92b038a708c52523d9819ec
SHA256 c7fcc04333c94e26887912b0f8b2ec56ee63599e9d1527312d1f1ac8189821fe
SHA512 a62e09258e3cf28dfc7e11339ec2a25d8983b4ca0cc04afaca5a787d198107c153b2181cb161cfb9326900ef8e8f404a90fad9787eebd5b3e88fc5f230d3be8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 15726bc124affa5f70e05acda17383b4
SHA1 62bcabbfdd4979d0e97881121dbf71c59a12de01
SHA256 8525418370642ef687d2d4fb1119af90ee84fcdacc35643e282d6e87b0877bee
SHA512 9d21baf85ed4a90974c8074143457e269dd848e6dffc25fb20261130670fd08ce5ae49bd75c90c68493ae933d8149d61ba572362e8a793944fe8dd0e4e8fca9e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 121d546c509c07cd35590e6e100afdcb
SHA1 98f2c3fce9bae888934fd5afb49cfdd2d3ab6572
SHA256 3f838933c38da4d1a59479b08a02f95687b49d68054a16c8e65089e351db0cd9
SHA512 81558bca87c658ca3467f4e1d0fb4bd5add64751e1742c9c16d432531950e5937752cefb64fda7600873e3ab48157c8ee404f70e694978386be37a33d38743a6

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e5050e8aac987835529d96cf467ecec1
SHA1 d19e95cff43fb7772c8e8770f15780ff7051686c
SHA256 20f905f19df0eb729856a9e55d790d8adfda21c0d0ca2bc3e7ddc8ccac9ed667
SHA512 694496c0bbba91402742d0a92527c0676738b1243e9407a019597f1327817c7c79730704f09193d78ba72f5feae2f65449e5b6067883eaefd34c0d1a2c846c0a
