Malware Analysis Report

2025-01-06 11:49

Sample ID 240603-em4f4saf9w
Target 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118
SHA256 d7d117e4bbcd6880006f68a014c68d43601d4df9bd64a61bd315a7981bef4e7e
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7d117e4bbcd6880006f68a014c68d43601d4df9bd64a61bd315a7981bef4e7e

Threat Level: Known bad

The file 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:04

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:04

Reported

2024-06-03 04:06

Platform

win7-20240419-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otljynyc = "wuvlqrnfai.exe" | C:\Windows\SysWOW64\upekfowdplihxeu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nzqbczdq = "upekfowdplihxeu.exe" | C:\Windows\SysWOW64\upekfowdplihxeu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iyorslpyqifuf.exe" | C:\Windows\SysWOW64\upekfowdplihxeu.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\upekfowdplihxeu.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\iyorslpyqifuf.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
File created | C:\Windows\SysWOW64\wuvlqrnfai.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wuvlqrnfai.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\lovxpyfx.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\iyorslpyqifuf.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\upekfowdplihxeu.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\lovxpyfx.exe | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\lovxpyfx.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\~$mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\mydoc.rtf | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D7D9D5683536D4677D270512CD87D8F64AB" | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B15A449338EA52CEB9A23293D4CE" | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC77B14E3DAC0B8BE7F97EDE537C8" | C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | C:\Windows\SysWOW64\wuvlqrnfai.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\wuvlqrnfai.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\iyorslpyqifuf.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\SysWOW64\lovxpyfx.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\wuvlqrnfai.exe
PID 2052 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\wuvlqrnfai.exe
PID 2052 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\wuvlqrnfai.exe
PID 2052 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\wuvlqrnfai.exe
PID 2052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\upekfowdplihxeu.exe
PID 2052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\upekfowdplihxeu.exe
PID 2052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\upekfowdplihxeu.exe
PID 2052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\upekfowdplihxeu.exe
PID 2052 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2052 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2052 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2052 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\iyorslpyqifuf.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\iyorslpyqifuf.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\iyorslpyqifuf.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\iyorslpyqifuf.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\upekfowdplihxeu.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2576 N/A C:\Windows\SysWOW64\wuvlqrnfai.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2108 wrote to memory of 2576 N/A C:\Windows\SysWOW64\wuvlqrnfai.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2108 wrote to memory of 2576 N/A C:\Windows\SysWOW64\wuvlqrnfai.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2108 wrote to memory of 2576 N/A C:\Windows\SysWOW64\wuvlqrnfai.exe C:\Windows\SysWOW64\lovxpyfx.exe
PID 2052 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2052 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2052 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2052 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2548 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2548 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2548 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2548 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wuvlqrnfai.exe

wuvlqrnfai.exe

C:\Windows\SysWOW64\upekfowdplihxeu.exe

upekfowdplihxeu.exe

C:\Windows\SysWOW64\lovxpyfx.exe

lovxpyfx.exe

C:\Windows\SysWOW64\iyorslpyqifuf.exe

iyorslpyqifuf.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c iyorslpyqifuf.exe

C:\Windows\SysWOW64\lovxpyfx.exe

C:\Windows\system32\lovxpyfx.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2052-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\upekfowdplihxeu.exe

MD5 1aa35de9356dbdb861c6c80cf1c72bb9
SHA1 ad34c6136983e609cd557d7e559786ff91c719c9
SHA256 80e803a39a926873ea73cb32ba36d9b32bde0c206efdf2549c031fcf00fd76b0
SHA512 473cabe62a21b2dddf262334a7b6715acab944ab7929c111f7629e3951afec83a2a72a8db985ade328d7792c79fca817a0078e36adca39f1486d9320f4caf218

\Windows\SysWOW64\wuvlqrnfai.exe

MD5 cbd595eb81b675123cd1ff8eefee5888
SHA1 d54c2e69455450bfbcc37884eb153c6551f77b37
SHA256 b153f3c93e188a19526c87837a999120d6408a271b059a6744a6615814b7abd7
SHA512 6e32da23c99869915891febd7259bd0a6067fc300f849cabe58dbef6adcb3ab8925d0c83b26308797b98f0c8b6e6a0d187af6282b31bc64d08d0f592eb10791d

\Windows\SysWOW64\lovxpyfx.exe

MD5 b0cbe76472a3858095a88a2cdfa4e381
SHA1 444624c2e246d1df29b5949e11df8133b49ba2ad
SHA256 0fade0ae89e2d217ed2f62e034852ab21b55293cda5781992382b08fbc2cd3fe
SHA512 b74b869b1f82487929fe014fcbfd81e0170a4883af818923c71fd7ed2d7f8da8515517e81cf84b40934bb35ff0b561911dc62700ea0743e285db1d51bbb23c36

\Windows\SysWOW64\iyorslpyqifuf.exe

MD5 921968ae6bcda4df1b456df1efc732da
SHA1 f9d9450fdc70c77d8d6a2023e3d0e0c589226997
SHA256 866359adaecc2957e4f713dcac84bbabaf051faeacaf9785b4ebe0c27643407e
SHA512 705636764eb878dc30f03e55051cb44ea744a6b8c86b5551b41771654aa6195184d1a71d53906f82ce021286e5843c28682221ceea82f5afdb26cb0342198db6

memory/2548-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 e6f830248950f33f322c8513a686c435
SHA1 a547756ad54514832dd9ab0be9e5c2a31c9a6fe0
SHA256 cb2cd9993267bf17a4f417fdb97d3f62b73b20758ec788452d330c6ef5bbe20c
SHA512 c0e799fb75bc8552c4131e3f3142b3b51a15709a71eedb30bdf51d1757ec31c80068f2e516d8c574e57414b9da4d4e141e210fce441be0b1043a0938d148f0b0

C:\Users\Admin\Documents\TestApprove.doc.exe

MD5 4b6f920ba30da63ee2413d4256b7a0fe
SHA1 27a8d56c55a79c93720317fa50c98f86f5c5aebb
SHA256 bc78783b743818db7e95cbc3710f1c01d72b0665c3424c80f2fc7e9b7763464e
SHA512 4786604fd4b98fc0795dcf8179043c2d0252a9f5046edfdaf023a96fe9061dfbac66c7fd6aa299fd2af3dcaf122630b4368492305e37f3e7a2ca64d60dfc08ce

memory/2604-83-0x0000000003C00000-0x0000000003C10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:04

Reported

2024-06-03 04:06

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\azsgnoggem.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\azsgnoggem.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jmjeslyz = "azsgnoggem.exe" C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bphpeoft = "gmxcpjqpjmvnfwm.exe" C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zyqixfxdndokn.exe" C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\azsgnoggem.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fnfqwypr.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\azsgnoggem.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fnfqwypr.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fnfqwypr.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zyqixfxdndokn.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created C:\Windows\SysWOW64\azsgnoggem.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\azsgnoggem.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zyqixfxdndokn.exe C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\azsgnoggem.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fnfqwypr.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D0D9D5183586A3276A670212CD97DF464AF" C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FAB9FE65F1E384093B4B819A3E91B0FC02F94215034EE1C845E708A7" C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC8E4F5885189030D7217E9DBD90E13C594367316335D79A" C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BB8FE6E21DDD173D0A28B099060" C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B15D479338E352C9B9A233EED4C4" C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70E1593DBC2B8C17C90EDE337CD" C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\azsgnoggem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\azsgnoggem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\azsgnoggem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\azsgnoggem.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe N/A (16 identical rows)
N/A N/A C:\Windows\SysWOW64\azsgnoggem.exe N/A (10 identical rows)
N/A N/A C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe N/A (14 identical rows)
N/A N/A C:\Windows\SysWOW64\fnfqwypr.exe N/A (8 identical rows)
N/A N/A C:\Windows\SysWOW64\zyqixfxdndokn.exe N/A (16 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\azsgnoggem.exe (3 identical rows)
PID 748 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe (3 identical rows)
PID 748 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\fnfqwypr.exe (3 identical rows)
PID 748 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Windows\SysWOW64\zyqixfxdndokn.exe (3 identical rows)
PID 748 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (2 identical rows)
PID 2664 wrote to memory of 4516 N/A C:\Windows\SysWOW64\azsgnoggem.exe C:\Windows\SysWOW64\fnfqwypr.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe"

C:\Windows\SysWOW64\azsgnoggem.exe

azsgnoggem.exe

C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe

gmxcpjqpjmvnfwm.exe

C:\Windows\SysWOW64\fnfqwypr.exe

fnfqwypr.exe

C:\Windows\SysWOW64\zyqixfxdndokn.exe

zyqixfxdndokn.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\fnfqwypr.exe

C:\Windows\system32\fnfqwypr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp (49 identical rows)
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/748-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe

C:\Windows\SysWOW64\azsgnoggem.exe

C:\Windows\SysWOW64\fnfqwypr.exe

C:\Windows\SysWOW64\zyqixfxdndokn.exe

memory/2280-35-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-37-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-36-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-38-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-39-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-40-0x00007FF9C72D0000-0x00007FF9C72E0000-memory.dmp

memory/2280-43-0x00007FF9C72D0000-0x00007FF9C72E0000-memory.dmp

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\Documents\DisableResume.doc.exe

C:\Users\Admin\Documents\RegisterRemove.doc.exe

\??\c:\Users\Admin\Documents\RegisterRemove.doc.exe

C:\Users\Admin\AppData\Local\Temp\TCD9BF6.tmp\gb.xsl

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

memory/2280-608-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-609-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-610-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2280-607-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp