Malware Analysis Report

2025-01-06 09:26

Sample ID 240601-fz8r2abg94
Target 897651f00b452110fcf814a3e3a3f89d_JaffaCakes118
SHA256 0cd8b9e2128e5c3e83015b46ae2db7824621ec5440d0fd98a9e0503a578b8bb5
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0cd8b9e2128e5c3e83015b46ae2db7824621ec5440d0fd98a9e0503a578b8bb5

Threat Level: Known bad

The file 897651f00b452110fcf814a3e3a3f89d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Windows security modification

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:19

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:19

Reported

2024-06-01 05:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\yafyqzioqy.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yafyqzioqy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nthmugfd = "kpmjuixihsqxamf.exe" C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "okefagtantksp.exe" C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttnwrsjw = "yafyqzioqy.exe" C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\grbdhhnw.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\yafyqzioqy.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\kpmjuixihsqxamf.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\okefagtantksp.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\yafyqzioqy.exe N/A
File created C:\Windows\SysWOW64\yafyqzioqy.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yafyqzioqy.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kpmjuixihsqxamf.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\grbdhhnw.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\grbdhhnw.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\okefagtantksp.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\grbdhhnw.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\grbdhhnw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B0284797399F53BDBAA1329BD4BE" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\yafyqzioqy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\yafyqzioqy.exe N/A
N/A N/A C:\Windows\SysWOW64\yafyqzioqy.exe N/A
N/A N/A C:\Windows\SysWOW64\yafyqzioqy.exe N/A
N/A N/A C:\Windows\SysWOW64\yafyqzioqy.exe N/A
N/A N/A C:\Windows\SysWOW64\yafyqzioqy.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\grbdhhnw.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\okefagtantksp.exe N/A
N/A N/A C:\Windows\SysWOW64\kpmjuixihsqxamf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\yafyqzioqy.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\yafyqzioqy.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\yafyqzioqy.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\yafyqzioqy.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\kpmjuixihsqxamf.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\kpmjuixihsqxamf.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\kpmjuixihsqxamf.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\kpmjuixihsqxamf.exe
PID 1612 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\okefagtantksp.exe
PID 1612 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\okefagtantksp.exe
PID 1612 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\okefagtantksp.exe
PID 1612 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\okefagtantksp.exe
PID 2940 wrote to memory of 2560 N/A C:\Windows\SysWOW64\yafyqzioqy.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 2940 wrote to memory of 2560 N/A C:\Windows\SysWOW64\yafyqzioqy.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 2940 wrote to memory of 2560 N/A C:\Windows\SysWOW64\yafyqzioqy.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 2940 wrote to memory of 2560 N/A C:\Windows\SysWOW64\yafyqzioqy.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2436 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2436 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2436 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2436 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
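The WriteProcessMemory table above is flat and repeats every parent/child pair once per call, which hides the lineage: the sample (PID 1612) writes into the four droppers it placed in SysWOW64, one of those (yafyqzioqy.exe, 2940) writes into a second copy of grbdhhnw.exe (2560), and 1612 also writes into the WINWORD.EXE instance it launched on C:\Windows\mydoc.rtf, which in turn writes into splwow64.exe. The script below is an added example, not part of the sandbox report or its tooling: it de-duplicates the rows, rebuilds the tree, and separates writes into the sample's own dropped files from writes into binaries the sample did not drop. Assumptions: the input rows are copied verbatim from the behavioral1 table (some repeats kept to show de-duplication), the DROPPED set is taken from the Files section of this run, and splwow64.exe (the 32-bit print-driver host that Office spawns on 64-bit Windows) is treated as a benign helper so the only edge left for manual review is 1612 -> WINWORD.EXE.

```python
import re
from collections import defaultdict

# Constructed input: WriteProcessMemory rows from the behavioral1 run, copied from the
# report. The sandbox logs one row per call, so the same parent/child pair repeats.
WPM_ROWS = r"""
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\yafyqzioqy.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\yafyqzioqy.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\kpmjuixihsqxamf.exe
PID 1612 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\okefagtantksp.exe
PID 2940 wrote to memory of 2560 N/A C:\Windows\SysWOW64\yafyqzioqy.exe C:\Windows\SysWOW64\grbdhhnw.exe
PID 1612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2436 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

# Files the report's Files section lists as dropped by the sample in this run.
DROPPED = {
    r"C:\Windows\SysWOW64\yafyqzioqy.exe",
    r"C:\Windows\SysWOW64\kpmjuixihsqxamf.exe",
    r"C:\Windows\SysWOW64\grbdhhnw.exe",
    r"C:\Windows\SysWOW64\okefagtantksp.exe",
}

# Assumption: splwow64.exe is the WOW64 print-driver host that 32-bit Office spawns on
# 64-bit Windows, so WINWORD writing into it is expected noise rather than injection.
BENIGN_HELPERS = {r"C:\Windows\splwow64.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>[A-Za-z]:\\.+?) (?P<dst_path>[A-Za-z]:\\.+)$"
)


def parse_rows(text):
    """Return de-duplicated (src_pid, dst_pid, src_path, dst_path) edges in first-seen order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip header or malformed rows
        edge = (int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def classify(dst_path):
    """Label a write target: the sample's own dropper, a known benign helper, or a legitimate binary."""
    if dst_path in DROPPED:
        return "dropped"
    if dst_path in BENIGN_HELPERS:
        return "benign-helper"
    return "legit-binary"


def build_tree(edges):
    """Map each PID to its image path and to the PIDs it wrote into."""
    paths, children = {}, defaultdict(list)
    for src, dst, src_path, dst_path in edges:
        paths.setdefault(src, src_path)
        paths.setdefault(dst, dst_path)
        children[src].append(dst)
    return paths, children


def roots(edges):
    """PIDs that write into others but are never written into themselves."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render(paths, children, pid, depth=0):
    """Indented text tree; every non-root node is tagged with its classification."""
    tag = "" if depth == 0 else f"  [{classify(paths[pid])}]"
    lines = [f"{'  ' * depth}{pid} {paths[pid]}{tag}"]
    for child in children.get(pid, []):
        lines.extend(render(paths, children, child, depth + 1))
    return lines


def suspicious_targets(edges):
    """Writes into binaries the sample did not drop and that are not known helpers."""
    return sorted({(s, d, dp) for s, d, _, dp in edges if classify(dp) == "legit-binary"})


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    paths, children = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(paths, children, root)))
    for src, dst, dst_path in suspicious_targets(edges):
        print(f"review: {src} wrote into {dst} ({dst_path})")
```

Writes from a parent into a child it has just created are not by themselves proof of injection, so the output is a triage aid: the tree confirms the two-level dropper chain, and the single "review" line points at the one target (WINWORD.EXE opened on the dropped mydoc.rtf) that is worth comparing against the process's command line and the memory dumps listed under Files.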

Processes

C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe"

C:\Windows\SysWOW64\yafyqzioqy.exe

yafyqzioqy.exe

C:\Windows\SysWOW64\kpmjuixihsqxamf.exe

kpmjuixihsqxamf.exe

C:\Windows\SysWOW64\grbdhhnw.exe

grbdhhnw.exe

C:\Windows\SysWOW64\okefagtantksp.exe

okefagtantksp.exe

C:\Windows\SysWOW64\grbdhhnw.exe

C:\Windows\system32\grbdhhnw.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/2436-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\SysWOW64\grbdhhnw.exe

MD5 efac614f5aaaf2e872194ec626174b49
SHA1 9f2666d0f8f2f49381c60bf48916fe038a889b50
SHA256 ebafff3b4f309c23decd9bdeac157d842451e385cb2b80b091fd70ff09214e1c
SHA512 9c6614042ff27d47417130b849998c35e64704c4522021c82546d07f8a908a50a2c067d6a5a2f43d3d13a1a374177da2a9602bb88f61c9c15faf9dd20467ff6f

C:\Windows\SysWOW64\okefagtantksp.exe

MD5 eeafeb3527168c69eb0443f9e159efb8
SHA1 46dcfc5506f9803a29f9add886ef8171ede57f67
SHA256 0d8336411a9284c987e792d73286e05a333ad3cf7300d8fdfd190960e669cf6c
SHA512 c35adde9473e81fe64e6a6825c2ae574a5187f133cbde14f2c63d194f0180a71e4cef55c9245e3850413eda1aa210aeaec91b275d7d573779ccb8c3b318e51ed

C:\Windows\SysWOW64\kpmjuixihsqxamf.exe

MD5 b63cab7de84900bcd532d8c1c43d5f12
SHA1 8616fbe34c5d561b9e1557d255a147a13c5d3dc7
SHA256 a2fb07e73b6872b38e234c2b16e821f6e091011569cecfac9aa847aa38544cb0
SHA512 d6c44bdb6001113465e477727217fef4bc94d09abdc3f905fd29e87d4abd46483423624282e03d0a8ff66bcf920c7d33632a68347be43db308ec6436abd58c67

C:\Windows\SysWOW64\yafyqzioqy.exe

MD5 a04947dc1a82bfcfc4858304f2e47cb3
SHA1 1b92c5e28b1cea8c1e294f59407dba5d9400a031
SHA256 471fb864040314b1098ef7920412a8da89af245020b2114d37ea640f6d02ffc2
SHA512 392a163ee594920847d9eaefb7c6bb639f7bad8dd3e9ce8acb01faf0fa55cd985213d9705c9767fcc0136845df67784b55b4bbf6ebe35c739f0a4294e66a13e3

memory/1612-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 4f37fb8648b934d683ffee432ff8fd06
SHA1 dbf5d3b705c6bf65ffe6d46c93c291bd91433164
SHA256 066e7dedc74873d299ad4302f7e8b697dfaf5d552c5f07b8608c0564772a9753
SHA512 8c3b00048fc543f8b52c151669ca88637521d1086886a7a7493a20990972dfab7b1cb3dfcf12c09d8ad202537859f9ce99b59ae1bcf5ee460d40496281ae0011

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 85ba5d084bd3938e534780d93256cba6
SHA1 da9152032da8fb43c244b22ce0dd51fb4eaaaf4a
SHA256 243279d0216d3bc6a9750dd51f523606e4bdeec7a632e0516a373d769ceb07b2
SHA512 5fa82603a9da7a922cf2422adaf185c806918532b6a12e63c0fa08bff188fef36a192c5facf801f3e2813b9ff0f3b7890b5b059d3023ea4c1b351b6a9e5196bf

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 d9fb3444a910b21aeb072ae2c7ac5fda
SHA1 6ea018e7f2b33d15753f589b07d61ca92c2f04dd
SHA256 f459f7f86d6f1f6c21b7ca9ed9a291bee2ee2a944daf0ae2dd7880f27375aa94
SHA512 a5cffe2dc607d15d52376aa181e346c1d74e89f0d63facb57e364b95a8334c3a32279ce0582eb1ad62ff8ed06adc0c43191a8ef288e9c0753a39cf4275870af7

memory/2436-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:19

Reported

2024-06-01 05:22

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vtytgayjah.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rwtxezyh = "vtytgayjah.exe" C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnzdogff = "wlsdrtjucjtsfrc.exe" C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "czpvdpfxwxoor.exe" C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qtccmmcn.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vtytgayjah.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qtccmmcn.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qtccmmcn.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\czpvdpfxwxoor.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\czpvdpfxwxoor.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vtytgayjah.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\vtytgayjah.exe N/A
File opened for modification C:\Windows\SysWOW64\vtytgayjah.exe C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qtccmmcn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368B2FF1B22D0D20CD1A48B099162" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67F1491DABFB8CB7CE3EDE334CF" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7C9D2082206A4476D1772F2CAD7D8F64A8" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB02E4794399A53BABAA632EFD7C8" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFC8D4F5B8268913CD65C7D93BCE5E635583067316331D6ED" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FAB8FE11F1E2840B3A4586EA3E94B08C02FE4213023AE1C8459B08A9" C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\vtytgayjah.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\vtytgayjah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
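The registry tables in this run (Security Center overrides, DisableRegistryTools, the Winlogon SFC values, Explorer hiding, bare-filename Run keys, and the .vbs/.bat/.reg/.wsf/.wsh/.wsc extensions remapped to "txtfile") describe a defense-evasion and anti-remediation pattern, while the behavioral1 rows written by WINWORD.EXE under Classes\.htm and Classes\.mht are ordinary Office registration. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own format and evaluates each against a small rule set, so the WINWORD rows fall through and only the malware's writes surface. Assumptions: the input rows are copied from the tables above (two Office rows included as negative cases); the rule names are this example's own; and the SFCDisable value 4294967197 is decoded as the signed DWORD -99 (0xFFFFFF9D), a Windows 2000/XP-era Windows File Protection value that current Windows does not honor but that legitimate software has no reason to write.

```python
import re

# Constructed input: registry rows copied from the behavioral2 tables, plus two
# WINWORD.EXE rows from behavioral1 that are ordinary Office registration noise.
REG_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rwtxezyh = "vtytgayjah.exe" C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "czpvdpfxwxoor.exe" C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\vtytgayjah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\vtytgayjah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# Row layout: <operation> <registry path>[ = "<value>"] <process path> <target>
ROW_RE = re.compile(
    r"^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key deleted|Key opened|Key value queried) "
    r"(?P<path>\\REGISTRY\\.+?)" r'(?: = "(?P<value>.*)")? '
    r"(?P<proc>[A-Za-z]:\\.+?) N/A$"
)

# Extensions whose default handler the sample points at "txtfile": double-clicking a
# .reg fix or a cleanup .bat/.vbs then opens Notepad instead of running.
SCRIPT_EXTS = {".vbs", ".bat", ".reg", ".wsf", ".wsh", ".wsc"}
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled",
}


def parse_row(line):
    """Split one report row into op, key, value name, data and writing process (None if malformed)."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")  # empty name means the key's (Default) value
    return {"op": m["op"], "key": key, "name": name, "value": m["value"], "proc": m["proc"]}


def signed_dword(value):
    """Interpret a decimal REG_DWORD string as a signed 32-bit integer (4294967197 -> -99)."""
    n = int(value) & 0xFFFFFFFF
    return n - 0x100000000 if n & 0x80000000 else n


def evaluate(row):
    """Return the rule names one registry event triggers (empty list for benign rows)."""
    hits = []
    key_l, name, value = row["key"].lower(), row["name"], row["value"]
    setting = row["op"].startswith("Set value")
    if not setting:
        return hits  # key creation/deletion/query alone is not enough for these rules
    if key_l.endswith(r"\microsoft\security center") and name in SECURITY_CENTER_VALUES and value == "1":
        hits.append("security-center-tamper")
    if key_l.endswith(r"\policies\system") and name == "DisableRegistryTools" and value == "1":
        hits.append("regedit-disabled")
    if key_l.endswith(r"\winlogon") and name in ("SFCDisable", "SFCScan"):
        hits.append("sfc-tamper")  # SFCDisable=-99 is the legacy WFP-off value; unused by legitimate software
    if key_l.endswith(r"\explorer\advanced") and (
        (name == "HideFileExt" and value == "1") or (name == "ShowSuperHidden" and value == "0")
    ):
        hits.append("explorer-hiding")
    if key_l.endswith(r"\currentversion\run") and value and "\\" not in value:
        hits.append("run-key-bare-filename")  # no path: resolves to the dropper in the system directory
    ext = key_l.rsplit("\\", 1)[-1]
    if name == "" and ext in SCRIPT_EXTS and value == "txtfile":
        hits.append("script-extension-neutered")
    return hits


def scan(text):
    """Evaluate every row; return {rule: [(key\\name, data, process), ...]} for rows that hit."""
    findings = {}
    for line in text.strip().splitlines():
        row = parse_row(line)
        if row is None:
            continue
        for rule in evaluate(row):
            findings.setdefault(rule, []).append((row["key"] + "\\" + row["name"], row["value"], row["proc"]))
    return findings


if __name__ == "__main__":
    for rule, rows in sorted(scan(REG_ROWS).items()):
        print(rule)
        for path, data, proc in rows:
            extra = f" (signed {signed_dword(data)})" if rule == "sfc-tamper" else ""
            print(f"  {path} = {data!r}{extra}  by {proc}")
```

The rule set is deliberately keyed on key suffixes so the same logic covers the WOW6432Node and native views and any user SID. The "script-extension-neutered" hits matter during cleanup: on an infected host a .reg or .bat remediation file must be run explicitly (for example via reg.exe import or cmd.exe) rather than double-clicked, because the sample has pointed those extensions at the text-file handler.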

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\vtytgayjah.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\qtccmmcn.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A
N/A N/A C:\Windows\SysWOW64\czpvdpfxwxoor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\vtytgayjah.exe
PID 4660 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\vtytgayjah.exe
PID 4660 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\vtytgayjah.exe
PID 4660 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe
PID 4660 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe
PID 4660 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe
PID 4660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\qtccmmcn.exe
PID 4660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\qtccmmcn.exe
PID 4660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\qtccmmcn.exe
PID 4660 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\czpvdpfxwxoor.exe
PID 4660 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\czpvdpfxwxoor.exe
PID 4660 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Windows\SysWOW64\czpvdpfxwxoor.exe
PID 4604 wrote to memory of 4504 N/A C:\Windows\SysWOW64\vtytgayjah.exe C:\Windows\SysWOW64\qtccmmcn.exe
PID 4604 wrote to memory of 4504 N/A C:\Windows\SysWOW64\vtytgayjah.exe C:\Windows\SysWOW64\qtccmmcn.exe
PID 4604 wrote to memory of 4504 N/A C:\Windows\SysWOW64\vtytgayjah.exe C:\Windows\SysWOW64\qtccmmcn.exe
PID 4660 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4660 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\897651f00b452110fcf814a3e3a3f89d_JaffaCakes118.exe"

C:\Windows\SysWOW64\vtytgayjah.exe

vtytgayjah.exe

C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe

wlsdrtjucjtsfrc.exe

C:\Windows\SysWOW64\qtccmmcn.exe

qtccmmcn.exe

C:\Windows\SysWOW64\czpvdpfxwxoor.exe

czpvdpfxwxoor.exe

C:\Windows\SysWOW64\qtccmmcn.exe

C:\Windows\system32\qtccmmcn.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4228 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/4660-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\wlsdrtjucjtsfrc.exe

MD5 693dca155f7bfffdfddfbc80073b2186
SHA1 e7173131dd4226e4d7b5ff647b0537d6620481cb
SHA256 f0e95c014e870d88cda1366bf3610bf2d36a8b235cfa3509edfc1358bb8c84e3
SHA512 25e495d5e89a9c2dd5ec67dcdd5bd28854abf85ba687da046c48f4a17af8703bed10646fe9edbb03fa49244cd456470d3fedf4d54bf98790756516daadf623ab

C:\Windows\SysWOW64\vtytgayjah.exe

MD5 444db92034dee630f1b0f100d1d4f103
SHA1 6da44e7df3478b22bbe77e5f2b60ecc5e9e8df8a
SHA256 f86483b2cfacd13c58bd7bd7a6175feabec2e17da7d4676b69f467746448cfe5
SHA512 e2486406918f784d360155c1d9ce44b41651e014b113135b8865359c86ba652a828d21996cee27a53975385b03fc91b7349e2d9ae2d843fa867dab07d7639fab

C:\Windows\SysWOW64\qtccmmcn.exe

MD5 e85fb2379d6948208796600da0ad0560
SHA1 ec18101f4a9501d1efbfa64f5b19243f74389230
SHA256 fd03b2d33d11fcd37b322b50265ec33c314cefd70e3b92441b2c8ff207921ba4
SHA512 e4cf359e524b5aed392fede195164aff8b1810224c2f9c3b1c1444a0af8b77a855d861bfd3b5ae2973860065984b352737e535017692063c521bc0e3b9f28cae

C:\Windows\SysWOW64\czpvdpfxwxoor.exe

MD5 a985e2bf59a7dd549ef0f3245a2cad40
SHA1 f0cef5b86b8af6694749cd0cb7097014ba6e0615
SHA256 acf8cbf384526f8d3b4a9b1f6f8d33b8f2f13cfde2d73a55e489e6d35db6e037
SHA512 84e93f23cd14a21951146ffb1148c6bc765121eeea8b0e2ad444564d1ba136cf29ef39b1b16d0992030b2143e18d6bfa63a72e6bd28b58e1577aa67aecc9a6ff

memory/1292-39-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-40-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-41-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-38-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-37-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-42-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp

memory/1292-43-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 fc11350f4d65de75a175371893d3df9d
SHA1 aa4f1220f5dd86dd62e3314558e0fe9791c9b28d
SHA256 6f8598e9d429915cb96da3d9ba1299314301a0c9a387a4488c7d964ce6254e9d
SHA512 7434cfcce8cd3300e366f11dbbe40ae8bfa1f42029dbee9343beafca9c6761ee64ae3cc242eac3686af929fa19ab2effc549a51c9f0e7fc460ef672fbbf0f508

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 390a441729632e57cbc8e16a5af622d5
SHA1 7537d80aae5e6e26f970f69f624c3e1a6e20c13f
SHA256 e3da8d172a55053776ceb7c9c2fd28d1bb4a5d7a59fb71e097a2c930aff23237
SHA512 9f538c0dd2cbb2bbf5a0f66532e37d55bd0656c79321b4da44759150e36f54d8e32758bfa7282e081c78e989223733798aa0be542d3036effbf17732a6df98f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2ae9a5355e0859c905acb9d72fd0fa1f
SHA1 f8605dbc6826c96f9c770c19d6f73a25cd9e1c03
SHA256 4444942c5c5face007e6a8ef7088c6a64bbf2755e784dcf4433153adf20c9bdf
SHA512 e068cea31c4de594adfd9ab739040be0f85544a8153c36382ea83dfbe7ceb3a8d96ce23408bf782cf39146bf08c1388ef918f1cffe418a9b6d67a298ac401178

memory/1292-112-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-114-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-115-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/1292-113-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp