Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-ee8qvsef69
Target 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118
SHA256 06507fdc6deba0ca9301fbe30ce8d9c450215a1cac9e4f0817e1fdc47000be06
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06507fdc6deba0ca9301fbe30ce8d9c450215a1cac9e4f0817e1fdc47000be06

Threat Level: Known bad

The file 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:52

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:52

Reported

2024-05-26 03:54

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fvpigpjr = "yykvwtqmpm.exe" C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tjmnnmvz = "ldugrbbpleokuvb.exe" C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bmpcqrdsbrrff.exe" C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jqgqpltb.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jqgqpltb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bmpcqrdsbrrff.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bmpcqrdsbrrff.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File created C:\Windows\SysWOW64\ldugrbbpleokuvb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ldugrbbpleokuvb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jqgqpltb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\CompareHide.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\CompareHide.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\ExitRequest.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\ExitRequest.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67B1594DAB5B8CA7CE9ECE337BC" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
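
The `command` values WINWORD.EXE writes under the `.mht` and `.htm` OpenWithList keys above are shown as raw hex. They are UTF-16LE strings, and once decoded they are Windows Installer Darwin descriptors: a 20-character compressed product code, a feature name, `>`, a 20-character compressed component code and optional arguments. The decoder below is an added example, not code from the report or from the sandbox; its two constants are the hex data copied from the `WinWord.exe\shell\edit\command\command` and `.htm\OpenWithList\Microsoft Excel\shell\edit\command\command` rows. Decoding the product code gives the Office 2010 Professional Plus product GUID, so these rows record Office's own first-run self-registration, triggered when the sample launched Word on C:\Windows\mydoc.rtf, rather than activity of the dropped binaries.

```python
"""Decode hex-dumped registry string data from a sandbox report and parse the
Windows Installer "Darwin descriptors" Office writes for advertised shortcuts.
Added example; not part of the report."""
from dataclasses import dataclass

# Base-85 alphabet Windows Installer uses for compressed (20-character) GUIDs.
_MSI_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "[]^_`abcdefghijklmnopqrstuvwxyz{}~")


def decode_reg_hex_utf16(hex_value: str) -> str:
    """Turn the hex dump of a REG_SZ-style value into text.

    The report prints string data as little-endian UTF-16 bytes; the trailing
    0000 words are the NUL terminator(s)."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def decompress_msi_guid(packed: str) -> str:
    """Expand a 20-character compressed Windows Installer GUID.

    Each 5-character group is a base-85 number, least significant digit
    first: Data1; Data2 | Data3 << 16; Data4[0:4]; Data4[4:8] (the last
    two as little-endian 32-bit words)."""
    if len(packed) != 20:
        raise ValueError("compressed GUID must be 20 characters")
    words = []
    for pos in range(0, 20, 5):
        group = packed[pos:pos + 5]
        word = sum(_MSI_ALPHABET.index(c) * 85 ** i for i, c in enumerate(group))
        if word > 0xFFFFFFFF:
            raise ValueError("group %r overflows 32 bits" % group)
        words.append(word)
    data1, data23, data4_lo, data4_hi = words
    data4 = data4_lo.to_bytes(4, "little") + data4_hi.to_bytes(4, "little")
    return "{%08X-%04X-%04X-%s-%s}" % (
        data1, data23 & 0xFFFF, data23 >> 16,
        data4[:2].hex().upper(), data4[2:].hex().upper())


@dataclass(frozen=True)
class DarwinDescriptor:
    product_code: str    # expanded product GUID (identifies the Office SKU)
    feature: str         # feature name, e.g. WORDFiles
    component_code: str  # expanded component GUID
    args: str            # trailing command-line arguments, if any


def parse_darwin_descriptor(text: str) -> DarwinDescriptor:
    """Split '<product><feature>><component> <args>' into its parts."""
    head, sep, tail = text.partition(">")
    if not sep or len(head) <= 20 or len(tail) < 20:
        raise ValueError("not a Darwin descriptor: %r" % text)
    return DarwinDescriptor(
        product_code=decompress_msi_guid(head[:20]),
        feature=head[20:],
        component_code=decompress_msi_guid(tail[:20]),
        args=tail[20:].strip(),
    )


# Hex data copied from two WINWORD.EXE rows in the table above.
WINWORD_MHT_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f00"
    "52004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b003000"
    "76006d007e0041005a00750020002f006e002000220025003100220000000000")
EXCEL_HTM_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800"
    "430045004c00460069006c00650073003e00560069006a00710042006f0066002800590038002700770021"
    "00460049006400310067004c00510020002f0064006400650000000000")

# Product code of Office 2010 Professional Plus (32-bit).
OFFICE_2010_PRO_PLUS = "{90140000-0011-0000-0000-0000000FF1CE}"


def is_office_self_registration(hex_value: str) -> bool:
    """True when the value decodes to an Office 2010 Pro Plus descriptor."""
    try:
        text = decode_reg_hex_utf16(hex_value)
        return parse_darwin_descriptor(text).product_code == OFFICE_2010_PRO_PLUS
    except ValueError:
        return False


if __name__ == "__main__":
    for label, hex_value in (("Word", WINWORD_MHT_EDIT_COMMAND),
                             ("Excel", EXCEL_HTM_EDIT_COMMAND)):
        d = parse_darwin_descriptor(decode_reg_hex_utf16(hex_value))
        print(label, d.product_code, d.feature, d.component_code, d.args)
```

The same decoder applies to any `Set value (data)` row whose bytes alternate with 00. A genuine REG_BINARY blob will decode to unprintable characters instead, which is itself the cue to treat the data as binary rather than text.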

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 2916 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 2916 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 2916 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 2916 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 2916 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 2916 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 2916 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 2916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 2696 wrote to memory of 2840 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2696 wrote to memory of 2840 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2696 wrote to memory of 2840 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2696 wrote to memory of 2840 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 2916 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2916 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2916 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2916 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2684 wrote to memory of 2304 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2684 wrote to memory of 2304 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2684 wrote to memory of 2304 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2684 wrote to memory of 2304 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
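
The rows above list one entry per WriteProcessMemory call, so each parent/child pair repeats, and the flat Processes list further down does not show who started whom. The helper below is an added example, not part of the report; it folds the rows into a tree. The sample (PID 2916) writes into the four dropped SysWOW64 binaries and into WINWORD.EXE, yykvwtqmpm.exe (2696) starts a second jqgqpltb.exe (2840), and Word hands off to splwow64.exe. That second jqgqpltb.exe instance is the one whose command line reads C:\Windows\system32\jqgqpltb.exe: a 32-bit process asking for system32 is sent to SysWOW64 by the WOW64 file-system redirector, which is why the image path and the command line differ. Parent-to-child writes immediately after process creation are also what ordinary loaders do, so the tree is context for the dropped-file and Run-key evidence rather than proof of injection on its own. The sample rows are copied from the table; one duplicate is kept deliberately.

```python
"""Rebuild the parent/child process tree from 'Suspicious use of
WriteProcessMemory' rows. Added example; not part of the sandbox report."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
# Both images end in .exe; the first is matched lazily so that paths with
# spaces ("Program Files (x86)") still split at the right place.
_WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>.+?\.exe) (?P<dst_image>.+?\.exe)$", re.IGNORECASE)

Edge = Tuple[int, int]


def parse_wpm_rows(rows: List[str]) -> Tuple[Dict[int, str], Set[Edge]]:
    """Map PID -> image path and collect unique (writer, target) pairs.

    The report emits one row per write, so the same pair appears several
    times; a set keeps one edge per pair."""
    images: Dict[int, str] = {}
    edges: Set[Edge] = set()
    for row in rows:
        m = _WPM_ROW.match(row.strip())
        if m is None:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["src_image"]
        images[dst] = m["dst_image"]
        edges.add((src, dst))
    return images, edges


def children_of(edges: Set[Edge]) -> Dict[int, Set[int]]:
    tree: Dict[int, Set[int]] = defaultdict(set)
    for src, dst in edges:
        tree[src].add(dst)
    return tree


def roots(edges: Set[Edge]) -> List[int]:
    """PIDs that write into others but are never written to: the origin(s)."""
    writers = {src for src, _ in edges}
    targets = {dst for _, dst in edges}
    return sorted(writers - targets)


def render_tree(images: Dict[int, str], tree: Dict[int, Set[int]],
                pid: int, depth: int = 0) -> List[str]:
    """Indented 'PID  image' lines, depth-first, children in PID order."""
    lines = ["%s%d  %s" % ("    " * depth, pid, images.get(pid, "?"))]
    for child in sorted(tree.get(pid, ())):
        lines.extend(render_tree(images, tree, child, depth + 1))
    return lines


# One row per unique pair, copied from the table above; the second row is a
# deliberate duplicate of the first to exercise de-duplication.
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"
_WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
SAMPLE_ROWS = [
    "PID 2916 wrote to memory of 2696 N/A %s %s" % (_SAMPLE, r"C:\Windows\SysWOW64\yykvwtqmpm.exe"),
    "PID 2916 wrote to memory of 2696 N/A %s %s" % (_SAMPLE, r"C:\Windows\SysWOW64\yykvwtqmpm.exe"),
    "PID 2916 wrote to memory of 2368 N/A %s %s" % (_SAMPLE, r"C:\Windows\SysWOW64\ldugrbbpleokuvb.exe"),
    "PID 2916 wrote to memory of 2708 N/A %s %s" % (_SAMPLE, r"C:\Windows\SysWOW64\jqgqpltb.exe"),
    "PID 2916 wrote to memory of 2744 N/A %s %s" % (_SAMPLE, r"C:\Windows\SysWOW64\bmpcqrdsbrrff.exe"),
    r"PID 2696 wrote to memory of 2840 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe",
    "PID 2916 wrote to memory of 2684 N/A %s %s" % (_SAMPLE, _WORD),
    "PID 2684 wrote to memory of 2304 N/A %s %s" % (_WORD, r"C:\Windows\splwow64.exe"),
]

if __name__ == "__main__":
    images, edges = parse_wpm_rows(SAMPLE_ROWS)
    tree = children_of(edges)
    for root in roots(edges):
        print("\n".join(render_tree(images, tree, root)))
```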

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"

C:\Windows\SysWOW64\yykvwtqmpm.exe

yykvwtqmpm.exe

C:\Windows\SysWOW64\ldugrbbpleokuvb.exe

ldugrbbpleokuvb.exe

C:\Windows\SysWOW64\jqgqpltb.exe

jqgqpltb.exe

C:\Windows\SysWOW64\bmpcqrdsbrrff.exe

bmpcqrdsbrrff.exe

C:\Windows\SysWOW64\jqgqpltb.exe

C:\Windows\system32\jqgqpltb.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2916-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ldugrbbpleokuvb.exe

MD5 933724af37659b994e491c64fcb85008
SHA1 9122cc856f535a74cfb17758f50214746c4c5e78
SHA256 bc76f39c538afaf76b2bd60c62bdab26ceaca25a2ce923a23e893e199e2bc73e
SHA512 058ffcb3de3cbe087cc6ef5197e46cb7e2c326742effd22f0ef4f7fa04975623257c2f0a4b027d788a20b70ddcf8aa4369687a6f8b19c1fff649ace4019afc42

\Windows\SysWOW64\yykvwtqmpm.exe

MD5 aab838709981285a4f60afc3efc5e027
SHA1 2e372f0d83ff6f344a891350bfb76f2c3b4c470a
SHA256 14b4b50e762007a45746477f6ee7f5e071981540fc42f411d7dfe3c8452b4aab
SHA512 dfe320a4c04c0f52159b2d2f3119a596dd549e65cb0d7020075672050a010ad54a688fefc1bea9e02f02d37c54cf7108e34ad913adc66083d2d89a09f36d8e49

\Windows\SysWOW64\jqgqpltb.exe

MD5 c60b6ca198c9d1ca5bc9be50dfbcb26f
SHA1 347277b9fbaefd6607ac05d51c3fb14fa7754ab2
SHA256 4313895a0ca72bb0f8e6eed5ee4e41adf749d130224b1b587af3ee7ffe1fb09b
SHA512 40d2c93b590fad40a434015ca22453be628201cc505c1d10e7c41e2ae661a1668115beac4c019e0a3d22095488b6059e62a579d8e6b5303d8380062d6d8a63b8

\Windows\SysWOW64\bmpcqrdsbrrff.exe

MD5 76e9b082ec3b54765811c4bd8e041fe4
SHA1 13e05990a1e67dc41115aa54390288ffe9146fd5
SHA256 a8f60c4494039569cb9e1b9dd9ca4158a72d8208223a8310472e80ce6f901dea
SHA512 4898172b2a61a68a350a520f507528530445f528746e5ad5e7737cf9912c4580f0c7723015d30befa50b90fd83555caa176da1fe2a3323309354bbe0a940cf24

C:\Program Files\CompareHide.doc.exe

MD5 37c30d46194ff7c0f5deb026b4c3350f
SHA1 f6f22bc3409ad12941b9614afac7ec8fd9509b28
SHA256 9fff469c201bb4565a8fa72bc15ab71133ff06d83f673bee6c9af87ca9d8e128
SHA512 77aea98d543717cd52851d87cf2646fdb15c0cc05e5b5e01e6ed70667f748da8a555169e66af411901d2062182daffeb399ca4cbef1cc616d5f9c8fee39b8f4e

C:\Program Files\ExitRequest.doc.exe

MD5 43935bf0c1876f53c29f52191dc52c50
SHA1 2d626979dfba245093fb6032f4e72ca0be53eb06
SHA256 ad262a9e6cd9b7f17ea90dd26c812603bf8b99cd803a6f23c8b7c502958c3570
SHA512 d757081a845af82695466a08b6504aaf36fe5604defdc2e97230db51cc49d33ef700fd541f9b74c8531f110d40bbd57457a9bc27d495c033db1122299ce8bae5

memory/2684-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b831a0d16c9c0b1700967e6727756a24
SHA1 7b698f7ffb91210ee3c52dd809f54355fa9d4bf3
SHA256 92067afeef70ee667d711e41fabe6c0e8ff5a10d042768e4dd9893cd623f13d1
SHA512 7ec6993e6cb2ca1afe203eb51149de8fa0e623dab7896931e1949bc1c0aea64894bdb319af8d731e4f355552f280d870d6513b23cb69ccc55ccfaa13d0a23b5d

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 f77cdeebd708c029af0eb847a87497fd
SHA1 2629306063b7f9cb290cace36687d863d024da96
SHA256 f022a70bfc17d0a69a60cd8cc6a040fe1e916ea23d9b094f02da42cbf1ba138f
SHA512 37242958bc76ecf46ee8491bc65cd8e6b58073ddb6e3b95fea687e4ce886fbc99c877b9be821520e0d8e8a4781c22d8538c3aa640f2129c25e4682cc2c070487

memory/1684-92-0x0000000003D50000-0x0000000003D60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:52

Reported

2024-05-26 03:54

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fvpigpjr = "yykvwtqmpm.exe" C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tjmnnmvz = "ldugrbbpleokuvb.exe" C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bmpcqrdsbrrff.exe" C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jqgqpltb.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
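
Read together, the registry writes above from yykvwtqmpm.exe and ldugrbbpleokuvb.exe describe the sample's defence evasion and persistence: Explorer is told to hide extensions and protected files (which makes the .doc.exe files dropped into Program Files look like documents), regedit is blocked by user policy, the legacy Security Center override and notification switches are set, three Run-key autostarts are registered, and Winlogon\SFCDisable is set to 4294967197, which is 0xFFFFFF9D, or -99 as the signed DWORD the Windows 2000/XP Windows File Protection code expected. Two details matter when turning these rows into detections. HideFileExt=1 and ShowSuperHidden=0 are the out-of-box values, so the signature fires on the write and not on a state change; a rule must key on the writing process. The WOW6432Node paths show a 32-bit writer: the native key is HKLM\SOFTWARE\Microsoft\Security Center, and a hunt that only reads the 64-bit view will miss these. The parser below is an added example, not part of the report; it normalises the rows into findings that carry both facts. Its sample input is rows copied from the tables above, and its defaults table covers only the two Explorer values this report touches.

```python
"""Normalise 'Set value' rows from a sandbox registry signature table into
findings a detection engineer can act on. Added example; not part of the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Set value (<type>) \REGISTRY\<hive>\...\<value name> = "<data>" <writer image> N/A
_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S.*?) = "(?P<data>.*?)" '
    r'(?P<writer>\S.*?) N/A$')

# Out-of-box values on a clean install: the signature fires on the write itself,
# so a detection has to key on the writing process, not on this data.
_DEFAULTS = {"HideFileExt": 1, "ShowSuperHidden": 0}
_SECURITY_CENTER = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                    "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled"}
_NOTES = {
    "HideFileExt": "Explorer hides known extensions (supports .doc.exe lures)",
    "ShowSuperHidden": "Explorer hides protected operating-system files",
    "DisableRegistryTools": "user policy: regedit.exe refuses to start",
    "SFCDisable": "Winlogon: Windows 2000/XP-era Windows File Protection switch",
    "SFCScan": "Winlogon: Windows 2000/XP-era WFP boot-scan switch",
}


def signed_dword(value: int) -> int:
    """Interpret a REG_DWORD as the signed 32-bit number its author wrote."""
    return value - (1 << 32) if value & 0x80000000 else value


@dataclass(frozen=True)
class RegistryFinding:
    key: str                         # HKLM\... or HKU\<SID>\..., WOW6432Node folded away
    value_name: str                  # "(Default)" when the row ends in a backslash
    reg_type: str                    # int / str / data, as the report prints it
    data: object                     # int for (int) rows, str otherwise
    writer: str                      # image path that performed the write
    redirected: bool                 # row showed a WOW6432Node path: 32-bit writer
    matches_default: Optional[bool]  # None when no baseline is known for the value
    note: str


def _native_key(path: str):
    # \REGISTRY\MACHINE -> HKLM, \REGISTRY\USER -> HKU, then fold the 32-bit view
    # into the native path so HKLM and WOW6432Node writes compare equal.
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"),
                         ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.startswith(prefix):
            path = hive + path[len(prefix):]
            break
    redirected = "\\WOW6432Node\\" in path
    return path.replace("\\WOW6432Node", ""), redirected


def parse_set_value_row(row: str) -> Optional[RegistryFinding]:
    m = _ROW.match(row.strip())
    if m is None:
        return None
    key_path, _, value_name = m["path"].rpartition("\\")
    value_name = value_name or "(Default)"
    key, redirected = _native_key(key_path)
    data = int(m["data"]) if m["type"] == "int" else m["data"]
    if value_name in _SECURITY_CENTER:
        note, default = "legacy Security Center override/notification switch", False
    elif key.endswith("\\CurrentVersion\\Run"):
        note, default = "Run-key autostart of %s" % data, False
    elif value_name in _DEFAULTS:
        note, default = _NOTES[value_name], data == _DEFAULTS[value_name]
    elif value_name in _NOTES:
        note, default = _NOTES[value_name], False
    else:
        note, default = "", None
    return RegistryFinding(key, value_name, m["type"], data, m["writer"],
                           redirected, default, note)


def triage(rows: List[str]) -> List[RegistryFinding]:
    return [f for f in map(parse_set_value_row, rows) if f is not None]


# Rows copied from the behavioral2 signature tables above.
_SID = r"S-1-5-21-3558294865-3673844354-2255444939-1000"
_EVADER = r"C:\Windows\SysWOW64\yykvwtqmpm.exe"
_PERSISTER = r"C:\Windows\SysWOW64\ldugrbbpleokuvb.exe"
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" %s N/A' % (_SID, _EVADER),
    r'Set value (int) \REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" %s N/A' % (_SID, _EVADER),
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" %s N/A' % _EVADER,
    r'Set value (int) \REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" %s N/A' % (_SID, _EVADER),
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fvpigpjr = "yykvwtqmpm.exe" %s N/A' % _PERSISTER,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bmpcqrdsbrrff.exe" %s N/A' % _PERSISTER,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" %s N/A' % _EVADER,
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        shown = "0x%08X (%d)" % (f.data, signed_dword(f.data)) if isinstance(f.data, int) else repr(f.data)
        tag = " [equals Windows default]" if f.matches_default else ""
        print("%s\\%s = %s by %s%s" % (f.key, f.value_name, shown, f.writer.rsplit("\\", 1)[-1], tag))
```

Extend `_DEFAULTS` from a clean-build baseline before relying on `matches_default` for values other than the two Explorer settings; a `None` there means the parser holds no baseline, not that the write is benign.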

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jqgqpltb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bmpcqrdsbrrff.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
File opened for modification C:\Windows\SysWOW64\bmpcqrdsbrrff.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ldugrbbpleokuvb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ldugrbbpleokuvb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jqgqpltb.exe C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\jqgqpltb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B02B479038E352CEBAA533EAD7C4" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D089C2282596D4477D477272CAC7C8E64AF" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B3FF1F21D1D20ED1D58A089013" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67B1594DAB5B8CA7CE9ECE337BC" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB0FE13F1E7840B3B4386993E91B0FA02F143670332E2CB45E608A8" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF8A4F5B85129040D65A7D91BCEEE130584566456341D7E9" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
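
The file-drop tables above and the "Modifies registry class" table record two behaviours worth a mechanical check: yykvwtqmpm.exe re-points the default ProgID of .bat, .vbs, .reg, .wsc, .wsf and .wsh at "txtfile", and jqgqpltb.exe writes .exe files whose names keep a document extension (PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe) under Program Files and Windows. The script below is an added example, not part of the sandbox report or its tooling. It parses rows in this report's "Description Indicator Process Target" layout (an assumption about the format), compares ProgIDs against a table of stock Windows 10 defaults (also an assumption), and runs over rows copied from the tables on this page plus one constructed benign row.

```python
"""Scan rows in this report's 'Description Indicator Process Target' layout
for two behaviours the tables above record: script/config file types whose
default ProgID was re-pointed (here at txtfile), and executables written under
Program Files or Windows with a document extension in front of .exe.
Added example, not part of the sandbox report or its tooling."""
import ntpath
import re

# Row layout: "<action> <indicator> <process> N/A".  Indicator and process paths may
# contain spaces; the process path is the last field that starts with a drive letter.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \([^)]*\)|Key created|File created|'
    r'File opened for modification) (?P<rest>.+) N/A$')
PROC_SPLIT_RE = re.compile(r' (?=[A-Za-z]:\\)')
# A write to the default value of ...\Classes\<.ext>, i.e. the file type's ProgID.
DEFAULT_VALUE_RE = re.compile(
    r'^\\REGISTRY\\.*\\Classes\\(?P<ext>\.[A-Za-z0-9]+)\\ = "(?P<value>[^"]*)"$', re.I)

# Stock ProgIDs for the script/config types the sample rewrote.  Assumption: defaults of
# a clean Windows 10 install.  On a live host, HKCU\Software\Classes and Explorer's
# FileExts\...\UserChoice can override HKLM legitimately, so check those before alerting.
EXPECTED_PROGID = {
    ".bat": "batfile", ".cmd": "cmdfile", ".reg": "regfile",
    ".vbs": "VBSFile", ".vbe": "VBEFile", ".js": "JSFile", ".jse": "JSEFile",
    ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile",
}
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
PROTECTED_ROOTS = ("c:\\program files", "c:\\windows")


def parse_event(row):
    """Split a row into (action, indicator, process); None for rows in another layout."""
    m = EVENT_RE.match(row.strip())
    if not m:
        return None
    fields = PROC_SPLIT_RE.split(m.group("rest"))
    if len(fields) < 2:
        return None
    return m.group("action"), " ".join(fields[:-1]), fields[-1]


def check_handler(action, indicator, process):
    """Flag a script extension whose ProgID was set to something other than the stock one."""
    if not action.startswith("Set value"):
        return None
    m = DEFAULT_VALUE_RE.match(indicator)
    if not m:
        return None
    ext, value = m.group("ext").lower(), m.group("value")
    expected = EXPECTED_PROGID.get(ext)
    if expected is None or value == expected:
        return None
    return ("handler", ext, value, process)


def check_dropped_exe(action, indicator, process):
    """Flag an .exe under Program Files or Windows whose stem still carries a document extension."""
    if not action.startswith("File"):
        return None
    path = indicator[4:] if indicator.startswith("\\??\\") else indicator  # strip NT prefix
    stem, ext = ntpath.splitext(path.lower())
    if not path.lower().startswith(PROTECTED_ROOTS) or ext != ".exe":
        return None
    if ntpath.splitext(stem)[1] not in DOC_EXTS:
        return None
    return ("file", ntpath.basename(path), process)


def scan(rows):
    """Return every finding from both checks, in row order."""
    findings = []
    for row in rows:
        event = parse_event(row)
        if event is None:
            continue
        for check in (check_handler, check_dropped_exe):
            hit = check(*event)
            if hit:
                findings.append(hit)
    return findings


# Rows copied from the tables above, plus one constructed benign row (last) showing
# what a stock ProgID write looks like; that row is not from the report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\yykvwtqmpm.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\yykvwtqmpm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B02B479038E352CEBAA533EAD7C4" C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A',
    r'File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jqgqpltb.exe N/A',
    r'File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" C:\Windows\System32\svchost.exe N/A',  # constructed
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ROWS):
        print(finding)
```

Two things to keep in mind when reading the findings. The ProgID rewrite is an anti-remediation step as much as an evasion one: with .reg mapped to txtfile, double-clicking a registry restore file opens it in Notepad instead of merging it, and .bat/.vbs cleanup scripts launched from Explorer open as text (running them explicitly through cmd.exe or cscript.exe still works). And MsoIrmProtector.doc.exe is a legitimate Windows binary name, shipped under System32\MSDRM and in WinSxS, so a double-extension check by itself would flag it on a clean listing; the signal in this report is the writer, a randomly named SysWOW64 executable, which is why the check records the process alongside the file.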

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\yykvwtqmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\bmpcqrdsbrrff.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\ldugrbbpleokuvb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A
N/A N/A C:\Windows\SysWOW64\jqgqpltb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 4364 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 4364 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\yykvwtqmpm.exe
PID 4364 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 4364 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 4364 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
PID 4364 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 4364 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 4364 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 4364 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 4364 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 4364 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
PID 4364 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4364 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3112 wrote to memory of 512 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 3112 wrote to memory of 512 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe
PID 3112 wrote to memory of 512 N/A C:\Windows\SysWOW64\yykvwtqmpm.exe C:\Windows\SysWOW64\jqgqpltb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"

C:\Windows\SysWOW64\yykvwtqmpm.exe

yykvwtqmpm.exe

C:\Windows\SysWOW64\ldugrbbpleokuvb.exe

ldugrbbpleokuvb.exe

C:\Windows\SysWOW64\jqgqpltb.exe

jqgqpltb.exe

C:\Windows\SysWOW64\bmpcqrdsbrrff.exe

bmpcqrdsbrrff.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\jqgqpltb.exe

C:\Windows\system32\jqgqpltb.exe
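
The "Suspicious use of WriteProcessMemory" rows above double as the only parent/child record in this part of the report, and the Processes list above shows why that matters: jqgqpltb.exe appears twice, once started by the sample and once by yykvwtqmpm.exe with a C:\Windows\system32\ command line. The script below is an added example, not the sandbox's own code; it assumes the row layout "PID <src> wrote to memory of <dst> N/A <source image> <target image>" and rebuilds the 17 rows of that table from the values shown, then renders the tree and groups PIDs by image path.

```python
"""Rebuild the parent/child process tree from the 'wrote to memory of' rows above.
Added example; not the sandbox's own code."""
import re
from collections import Counter, defaultdict, namedtuple

# Row layout: "PID <src> wrote to memory of <dst> N/A <source image> <target image>".
WRITE_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<rest>.+)$')
# Image paths may contain spaces; the target image is the last field starting with a drive letter.
PROC_SPLIT_RE = re.compile(r' (?=[A-Za-z]:\\)')

ProcessTree = namedtuple("ProcessTree", "paths children writes roots")


def parse_write(row):
    """Return (src_pid, dst_pid, src_image, dst_image), or None for rows in another layout."""
    m = WRITE_RE.match(row.strip())
    if not m:
        return None
    fields = PROC_SPLIT_RE.split(m.group("rest"))
    if len(fields) < 2:
        return None
    return int(m.group("src")), int(m.group("dst")), " ".join(fields[:-1]), fields[-1]


def build_tree(rows):
    """Collect image paths, parent->children edges and write counts per edge."""
    paths, children, writes = {}, defaultdict(set), Counter()
    for row in rows:
        parsed = parse_write(row)
        if parsed is None:
            continue
        src, dst, src_path, dst_path = parsed
        paths.setdefault(src, src_path)
        paths.setdefault(dst, dst_path)
        children[src].add(dst)
        writes[(src, dst)] += 1
    written_to = {dst for _, dst in writes}
    roots = sorted(pid for pid in paths if pid not in written_to)
    return ProcessTree(paths, children, writes, roots)


def render(tree, pid, parent=None, depth=0):
    """Indented one-line-per-process view, with the number of writes on each edge."""
    line = f"{'    ' * depth}{pid}  {tree.paths[pid]}"
    if parent is not None:
        line += f"  [{tree.writes[(parent, pid)]} write(s) from {parent}]"
    out = [line]
    for child in sorted(tree.children[pid]):
        out.extend(render(tree, child, pid, depth + 1))
    return out


def pids_by_image(tree):
    """Image paths that ran more than once, mapped to their PIDs."""
    groups = defaultdict(list)
    for pid, path in tree.paths.items():
        groups[path.lower()].append(pid)
    return {path: sorted(pids) for path, pids in groups.items() if len(pids) > 1}


SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe'
SYSWOW = r'C:\Windows\SysWOW64'
WINWORD = r'C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE'
# The rows of the WriteProcessMemory table above, rebuilt with the same repeat counts.
ROWS = (
    [rf'PID 4364 wrote to memory of 3112 N/A {SAMPLE} {SYSWOW}\yykvwtqmpm.exe'] * 3
    + [rf'PID 4364 wrote to memory of 3508 N/A {SAMPLE} {SYSWOW}\ldugrbbpleokuvb.exe'] * 3
    + [rf'PID 4364 wrote to memory of 3948 N/A {SAMPLE} {SYSWOW}\jqgqpltb.exe'] * 3
    + [rf'PID 4364 wrote to memory of 2124 N/A {SAMPLE} {SYSWOW}\bmpcqrdsbrrff.exe'] * 3
    + [rf'PID 4364 wrote to memory of 4128 N/A {SAMPLE} {WINWORD}'] * 2
    + [rf'PID 3112 wrote to memory of 512 N/A {SYSWOW}\yykvwtqmpm.exe {SYSWOW}\jqgqpltb.exe'] * 3
)

if __name__ == "__main__":
    tree = build_tree(ROWS)
    for root in tree.roots:
        print("\n".join(render(tree, root)))
    print(pids_by_image(tree))
```

Read the write counts as lineage evidence rather than as injection on their own: a parent writing into a child it has just created is also what ordinary process start-up looks like, and the rows carry no information about what was written. The tree is the useful part: one root (the sample, PID 4364) starting four randomly named SysWOW64 executables plus WINWORD.EXE on C:\Windows\mydoc.rtf, and yykvwtqmpm.exe (3112) starting a second jqgqpltb.exe (512). That second instance's "C:\Windows\system32\jqgqpltb.exe" command line resolving to the SysWOW64 image is WOW64 file-system redirection for a 32-bit caller, not a second binary; the hash in the Files section below is the one to match.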

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/4364-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\jqgqpltb.exe

MD5 d37144681e2a19438df8c652cbbe947c
SHA1 2ad4a734128ba3e1169ec49fd4a284a99f6e8749
SHA256 27ed26cf5c90b6af7a70ec354d5e8f1f7803539de840f0eed4ed55c1815a10d5
SHA512 a9b1b082bdabf8776681555bce871dadca92bb6189f886839bf947ef5c4fd0573dc8e2935dd7d8954dca0d444f5e1ba5cf3574aa4b735cdb0b5dbd97c3c9fffb

C:\Windows\SysWOW64\yykvwtqmpm.exe

MD5 d22fc3ca4dc30072f6a71964de50eb52
SHA1 f02a0b32a06d538b666bada68f06ade52be0e113
SHA256 ccd7b7d1ecc8e10359c117afb0c2a05946b63f7f259ebdd71bbebb337d59bb5f
SHA512 458b444ba73dd989e5ac5f37c82bd75a540651c6479cabb436b94824315930e5ca6ff850081e94f3bda5518c2d511ce447d9fb71e3c45d56e115cb646578bc21

C:\Windows\SysWOW64\ldugrbbpleokuvb.exe

MD5 08ce64b84e7a14ec64538022c69a15e9
SHA1 8527e38dfe50e47b07126102d335f0ab1df79d32
SHA256 69cd6895b508c89724e478d7e9d00dcba718904bed2eda98d729af5087207d53
SHA512 de5f77dd9887fdd4fef5b2cbab6de5c03ac0e555b0ff9306167cfe18a9cebba48f37a63aa62a01cf3f180110572d0a7a66aed4938718dfb543599de2d2dfe4ce

C:\Windows\SysWOW64\bmpcqrdsbrrff.exe

MD5 c66a8668b2878bab87d6a486278bf152
SHA1 5570faf50186a7165d55c68f3518f3c511b6c52c
SHA256 db74cfcf5a03e92d5cae98818de250f458b512944e6cf8388d627b3de0bd7d27
SHA512 3783a4932dd627c17a15e0ea68de5f8b0049760619178d7f3c7a8c6dc87a9de654fb9e34d426f9e87f1a1e680af4078fb52fe838fda5af0a034905600fe40d6b

memory/4128-35-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-37-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-36-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-38-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-39-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-40-0x00007FFCE46E0000-0x00007FFCE46F0000-memory.dmp

memory/4128-43-0x00007FFCE46E0000-0x00007FFCE46F0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 408ff72ac77dfbd94124373f0a45a68e
SHA1 3d2ca24fe5531456ace256f7fbedd6dc6f553646
SHA256 035fe50fb10220afc92b62741669d0936114689bda12e37d0deee3cf7fc44fba
SHA512 df506c72f762d2a0a024ac9a98f1eaa074d286041a4b743717d3c489f47f7d0ddc7a8e08bdd7f45f515a9283a3bd7fb629beb11f00a05f78a4f17d34a428cd7b

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 10969d7354fce7263db313bcf54b4ad0
SHA1 d47587ab6a32d8a31ab8c25609ce33cf750daaa3
SHA256 a747bb5f5badf7b6292f59cb902d9ca36ef2ae63cf939d041ca986048ac70450
SHA512 e9885643022370354a906a19aa1678d57054ac57f6eee30219616215121b57852fd397619c00b989d2ba13c07f936a1ca896ad02ce9a87010def5cc7e76745c7

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 b3a6d019a3bb19709076075f7105097e
SHA1 e384ccadf0b6ed4bfc462d3089e5633ebd5c2d92
SHA256 67a8a023af9a997c99b3a82e1c65909763cf4ab9922ff1395030d8643b2b1312
SHA512 e08c9c1be25a5ab81c2982aa6dcfa7c8feb1d5dc28eaf289b674fb240ced604d0dfc4f8ad7293feaec88d4b221071be32312eccad9aa9cc69a5c5500e9fce346

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 de2251bb13e571b8b952dc6bee2e51a4
SHA1 1d20e0442c80318ea00055d08071d6133900b08d
SHA256 8a23d6945b6f270e7b7813528f47703dbff08ce827c0b18b9b40a69fae24685a
SHA512 86167023aef83f7c2b5ff63613b99f062f2018da5e6fe1652994afd7f9255d90f52a9acc48c15a2ca7f0fdda402b62c0668669a2ca405361982dbf402b3e44ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 5d5329b95c2b5efef31d9c63575fb01d
SHA1 9263c08c225d28198fe5bb44c97708ed4ce86ddf
SHA256 7c94fd7faf3533886ae6f19ef90e18b0f1d10933fb97b051cf658425d48a5043
SHA512 84392818a1aee077e796a748e6f2e8c275332424c966ff39af4e0f120e6f71e60e1ae8ddaa65aa423d0db7806cb9ac9030a5102706f5d38ece0a22eb777ee746

C:\Users\Admin\AppData\Local\Temp\TCD89B8.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 7c5e261a9f83b66732b4675c4b34dd9e
SHA1 6a50598c9fbcb2135453552e96526ac636acdfa5
SHA256 700943b30172f8b677efa8464e87ab2948b74b8b02790e235914607b4a4f72f2
SHA512 c4e89bf0ac4c3949c4ba6a54d1c41b4a8248d26a99b8ad5082116d6bc21c4b8282426118084e19fbd3b4e4743a29ba4ac324615fb0007c802728b3304d5962ae

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 f9712f60773d430a9b7d155206e77bae
SHA1 dd24bd6619a77d44a6a69c373f58c38e0a8973e3
SHA256 b54835647d0e60d96dfc95c11588c75d922652b6201eb7e396c5f2c14c51a76f
SHA512 d4c33bc861093bc510562e9bac8120b9e6cd4039ac5441c6052154c0d0f69e839e01f14d00b4e612a1c33ee0fa3f4aa4668a43f95bbcebf1bdae26be603d22a6

memory/4128-593-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-596-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-595-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

memory/4128-594-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp