Malware Analysis Report

2024-11-30 07:02

Sample ID 240601-jdtmrseh79
Target 89c2959febd6444aa33a35847f79c1d3_JaffaCakes118
SHA256 7178948c6c2974cf5c5c82ea7afd6fcc73586f62fc58512b69894c734a035ead
Tags evasion persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7178948c6c2974cf5c5c82ea7afd6fcc73586f62fc58512b69894c734a035ead

Threat Level: Known bad

The file 89c2959febd6444aa33a35847f79c1d3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Windows security modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:33

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:33

Reported

2024-06-01 07:36

Platform

win7-20240215-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hzfapdml = "ljtogrwyuzqzhzg.exe" C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ndigyujuqqgnm.exe" C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hihfivtt = "nntywlgqxx.exe" C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iafcashj.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\nntywlgqxx.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iafcashj.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ndigyujuqqgnm.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File created C:\Windows\SysWOW64\nntywlgqxx.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iafcashj.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ndigyujuqqgnm.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF834829856F9031D65B7DE6BC93E633584667406330D799" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 1664 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 1664 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 1664 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 1664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 1664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 1664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 1664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 1664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 1664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 1664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 1664 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 1664 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 1664 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 1664 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 1664 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 2596 wrote to memory of 2408 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe
PID 2596 wrote to memory of 2408 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe
PID 2596 wrote to memory of 2408 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe
PID 2596 wrote to memory of 2408 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe
PID 1664 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1664 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1664 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1664 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe"

C:\Windows\SysWOW64\nntywlgqxx.exe

nntywlgqxx.exe

C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe

ljtogrwyuzqzhzg.exe

C:\Windows\SysWOW64\iafcashj.exe

iafcashj.exe

C:\Windows\SysWOW64\ndigyujuqqgnm.exe

ndigyujuqqgnm.exe

C:\Windows\SysWOW64\iafcashj.exe

C:\Windows\system32\iafcashj.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/1664-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe

MD5 29a457f421c35789b652ca683a76ff9a
SHA1 3203e27b5334055c3fd2712ce915dc65520abd00
SHA256 7f9e69990440a23947af35f5c558e7e2e81768fc1fa1026d6c07624fad81ee4f
SHA512 ecc717cb73541bca132823f09e96db86aeea075469f1ea52f6701566ecf3fe20c08e8b0757a121225550230391007231932e854ea4f8341e826d1b597ced9102

\Windows\SysWOW64\nntywlgqxx.exe

MD5 67b01567e3d7966af856c3ce686e613e
SHA1 17529f15e407bbad656e064734d933b9e60d919d
SHA256 5e7eb564c7b6f5177762f0d28ee429db20ef1a17db81f642dc67783709592ed1
SHA512 0827c9b0fd7afea4fe6fa6ae0ab81c11060303514b7e1401c82dadfc61e804e5038cc3147d30836da36967d533c51afb7335037f8b3f27d770064e2605590041

\Windows\SysWOW64\iafcashj.exe

MD5 93eed7e8ff6288ef9ae1d2caaf9eedc9
SHA1 05b8addbd846a12e6eb0e67aff05924b10a06b07
SHA256 7272d7b03d91b9b805ff7a84f0c733b8a7dbf2b4146fa5d821bb7c25fb7dcf92
SHA512 5f4d59272979bbaf9e4a12a69e9002ff1ecd84f071a7b0c54c384867e5c2d8914d35d8b1f38450d0effcf447a7ef4c1ad753baa1ccefb299526596a4ae827646

\Windows\SysWOW64\ndigyujuqqgnm.exe

MD5 8e3574db14269168c150a22c95e97585
SHA1 4d24d472ed7a6f5bda754d4be61d71c7d93be72a
SHA256 926cb9a6f0b408ec82d38995bc5b4418a64a1128e8b479841f98744d6c244713
SHA512 5355b0a7bc31891a1fc89c894211b0878d1367132ed4079b60c8df6e905f05a96418bcf116460a7ec81c5e924c89a7db4c49de63268accd207e768ad2264c08c

memory/2480-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 43a4e4684793d1f3038d734a0cf37e0d
SHA1 12b25983b4510f003e4e092be13557d810124454
SHA256 c558e01c62f7bc702315bf0177082ebea92c0b929e24f77b8ea76cf749cde7ef
SHA512 4a9675d54e06c0184b6f61a59c428a8ed7511f6e1d0654757e979f2b42f840d8a708a5d789daa632fef693c9adb286cbfec7336e60ea7d559106eb4cbec1934f

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 970891c60e74e6b5128828a1a9da09a4
SHA1 8da8edd812e5d2a90d3593045cb267f6517303e3
SHA256 b852075fcb73801115241348de7ae5a304c741fe2f475f399af7730f1117435f
SHA512 745dc2b2914776878326878cb6f752915e4d490adfeb545b6832182d55af77ab4e83edff492b278aeba188dd2898f3fa17417fa7585693bfe38c3997863a0b6d

memory/1796-78-0x0000000003D40000-0x0000000003D50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:33

Reported

2024-06-01 07:36

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hihfivtt = "nntywlgqxx.exe" C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hzfapdml = "ljtogrwyuzqzhzg.exe" C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ndigyujuqqgnm.exe" C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iafcashj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iafcashj.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ndigyujuqqgnm.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\nntywlgqxx.exe N/A
File created C:\Windows\SysWOW64\nntywlgqxx.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nntywlgqxx.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iafcashj.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ndigyujuqqgnm.exe C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iafcashj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\iafcashj.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FABEFE10F196830C3A43819C3E98B38A03FE42690233E1BD45EA08D4" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12B4793399A53CFB9D1329DD7CC" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF834829856F9031D65B7DE6BC93E633584667406330D799" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BC3FE6C21DED279D1A88B7D9011" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C77B15E4DAC5B9BB7CE0ED9334BE" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C769D2D82566D4476DC70212DDF7C8665A8" C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\nntywlgqxx.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\nntywlgqxx.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\ndigyujuqqgnm.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A
N/A N/A C:\Windows\SysWOW64\iafcashj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 3492 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 3492 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\nntywlgqxx.exe
PID 3492 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 3492 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 3492 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe
PID 3492 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 3492 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 3492 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\iafcashj.exe
PID 3492 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 3492 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 3492 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Windows\SysWOW64\ndigyujuqqgnm.exe
PID 3492 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3492 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3904 wrote to memory of 3584 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe
PID 3904 wrote to memory of 3584 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe
PID 3904 wrote to memory of 3584 N/A C:\Windows\SysWOW64\nntywlgqxx.exe C:\Windows\SysWOW64\iafcashj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\89c2959febd6444aa33a35847f79c1d3_JaffaCakes118.exe"

C:\Windows\SysWOW64\nntywlgqxx.exe

nntywlgqxx.exe

C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe

ljtogrwyuzqzhzg.exe

C:\Windows\SysWOW64\iafcashj.exe

iafcashj.exe

C:\Windows\SysWOW64\ndigyujuqqgnm.exe

ndigyujuqqgnm.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\iafcashj.exe

C:\Windows\system32\iafcashj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3492-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ljtogrwyuzqzhzg.exe

MD5 02b082a56943fec52e35c20f77720c89
SHA1 709601aa90fd93c07ce5205a4c90c5d7da2cf846
SHA256 7436f08ec1e7b8552ddcf1bf2a44c9286488b6256a24668b180eb61df16353f2
SHA512 d7b41d963b798aba9a9fa28b1a798c53e2802dc4dbd2e182d45402440a610395faaf30be4944314bb6dd248805486a0c9dfa8b3706c69bc7372651149bd975fc

C:\Windows\SysWOW64\nntywlgqxx.exe

MD5 f01575b00fc6cd985f2d4ebbee9c9d77
SHA1 4163d469106b1f3f45167614c46249cc069c1910
SHA256 70d702db44163a4da024641434aa428ad19b5fc0c94e437eea5c0d7ca59cd929
SHA512 a248e8239042ad8ac560db72a6c4251be447750f2a01db1bb5ef4e709928ccef2033b427651d0a486c9f5a81a5fa0429dbe09d8b357ad78f379ee0bcc89079be

C:\Windows\SysWOW64\iafcashj.exe

MD5 67aa3fe4c52a72f3f8ce191df9922f4f
SHA1 ec1a2cb9726f02a07e5caeda154cd4af17d5278e
SHA256 0161039008494dee391f8bb7d64abaf530ca9528d29be13dbed63e610462ca0e
SHA512 2a2373cd58f9af01660b89cfb1f7a0a96ba9b8c26ea8d29befcba8b580bd0e5bff133f75d8c422ba2b1c6bd83abafab106218f309cffdf67c35521c044fc8fee

C:\Windows\SysWOW64\ndigyujuqqgnm.exe

MD5 cb223dcec5f90f9439bd065a3dd7a9fb
SHA1 26328573978d192e553cd3813d1edb248192d5d2
SHA256 5610f704e69b7b4aac52b095a16e246583954802bd4dba3f6f49982c58e1d2f6
SHA512 9b8ecc036122708e7bde1ff327bb1656301cf91a7544e5f6e13263337f0d1809e5d86d4f6218aff840f3b06e12c63ed3d59351b51437a099e0ad98b202b3147e

memory/1652-35-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-37-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-36-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-38-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-39-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-40-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

memory/1652-43-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 cca345b46fa89f573e952304edfedce9
SHA1 3235e89dce7e4897bb454c254f93cbd930cc76de
SHA256 5e667a2eec51d90a4f9cdd8e8b50dcb755fa94044e1b58547fae27374c5659be
SHA512 781fe171fe25e7ae2b8cbc6f831768cc3a3cfae39f25c0303ddc68dc6929300e2e9fcc53f86bd32cfbdc1a7b890018a60dde6d328c7517415a71dd46d3a64585

C:\Users\Admin\Desktop\RegisterSync.doc.exe

MD5 348aabe194a4b1107a07f5979715535e
SHA1 e604627380a5faa72352250489cfc4bfa3c1df08
SHA256 b0d473207de96612e370fc12225889c482361b19e49f9f13dc63600827a87d04
SHA512 93481de4fcfb7064ef33b38d0116f0295957aec834338f139495c3bec431d478f73689c214ffd26c288545b2e7dc1585db5488534e55179dd90042a1ec6b48b8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ae35af9b1fb1085d429c6fef97685aee
SHA1 d2fe3314ba69153aa59ff3c28a39896b3f19a6da
SHA256 274ecdf6c5b1e64c52df3b83f75b655be88a9029cd02447a1dfc6629841e1dd4
SHA512 878d357a527dfbf397d9f60356335d9ab6a024b4950f85b3eb5c5dfa5c6dae2dc74a7a202f33783a1518bb370e073a7a9fec990571c55c2397ef1126ac71b420

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 94f5ceb3ee7182e1ca46e90c3ab02165
SHA1 4e0837cdd74ebb313521f4f1bda02659709a4304
SHA256 d55d9230404f7b2b81ec2e806e83efe2785f45aba465efdf46132bb607e589b4
SHA512 d77f351a9af5eb8b32e79faad5d4ae4e593d8916ed2d4efc702a3c334f68becf6e51b2e9df3d94562e85419a8f047d5fd61e44eb2ee215d610c11c6adfccb617

C:\Users\Admin\AppData\Local\Temp\TCD8115.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e2e098e0c2a3834c83a8bd2e5cfc6589
SHA1 4cf6e57437026a402ac5939b073f21c95149f15a
SHA256 c715781b93214cda80b9f20f1e7135f59d1ead5302d5c62f0b6391d465d21219
SHA512 2d3ee6724a31c02087b878da7c426e5cfdb2adfa72b5a843b5e4f7f46d8a9a0d1fc997dff2fa4d7abf9fa771f8b2248f2743d61918303c32437929b541b7d65a

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 7dc04f0781e2a04dcc424eb488da3467
SHA1 803988c00260e91986ab48048b8af8da49bd565b
SHA256 ac5e56204c6300eaf46d6d87506e408e783c08a349db2df2a49ea429df5fbe04
SHA512 33f7935fded779de44ddc4433860063a6c55357e64360e0f7b5ef89bc11937836be6bbc6d7daa23381b257a312ce05c7635b7aade412826404cea7419cc2bc16

memory/1652-606-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-608-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-607-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1652-605-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp