Malware Analysis Report

2024-11-30 11:08

Sample ID 240613-b7fc8stdjr
Target a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118
SHA256 0930d449e6bbec6c23ba96e0f4edd4692889070eb7c0465826036793a9d4f8d4
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0930d449e6bbec6c23ba96e0f4edd4692889070eb7c0465826036793a9d4f8d4

Threat Level: Known bad

The file a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:46

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:46

Reported

2024-06-13 01:49

Platform

win7-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ygummmhywo.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ygummmhywo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cgooxlnytqhtf.exe" C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rgqvjrjx = "ygummmhywo.exe" C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\acvkvqcg = "cpytztwshgxkxfe.exe" C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ygummmhywo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vlbbbwnr.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ygummmhywo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ygummmhywo.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cgooxlnytqhtf.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cpytztwshgxkxfe.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ygummmhywo.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cpytztwshgxkxfe.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vlbbbwnr.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vlbbbwnr.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cgooxlnytqhtf.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ygummmhywo.exe N/A
File created C:\Windows\SysWOW64\ygummmhywo.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlbbbwnr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C60B14E4DAB0B9B97FE5EDE434CE" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB2FF1C22DED27AD1D38A089062" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ygummmhywo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B15F4797399953CCB9D5329BD4C4" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\cpytztwshgxkxfe.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\ygummmhywo.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\SysWOW64\cgooxlnytqhtf.exe N/A
N/A N/A C:\Windows\SysWOW64\vlbbbwnr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\ygummmhywo.exe
PID 2364 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\ygummmhywo.exe
PID 2364 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\ygummmhywo.exe
PID 2364 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\ygummmhywo.exe
PID 2364 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cpytztwshgxkxfe.exe
PID 2364 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cpytztwshgxkxfe.exe
PID 2364 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cpytztwshgxkxfe.exe
PID 2364 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cpytztwshgxkxfe.exe
PID 2364 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2364 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2364 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2364 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2364 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cgooxlnytqhtf.exe
PID 2364 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cgooxlnytqhtf.exe
PID 2364 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cgooxlnytqhtf.exe
PID 2364 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\cgooxlnytqhtf.exe
PID 2364 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2364 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2364 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2364 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 2720 N/A C:\Windows\SysWOW64\ygummmhywo.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2288 wrote to memory of 2720 N/A C:\Windows\SysWOW64\ygummmhywo.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2288 wrote to memory of 2720 N/A C:\Windows\SysWOW64\ygummmhywo.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2288 wrote to memory of 2720 N/A C:\Windows\SysWOW64\ygummmhywo.exe C:\Windows\SysWOW64\vlbbbwnr.exe
PID 2520 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2520 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2520 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2520 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe"

C:\Windows\SysWOW64\ygummmhywo.exe

ygummmhywo.exe

C:\Windows\SysWOW64\cpytztwshgxkxfe.exe

cpytztwshgxkxfe.exe

C:\Windows\SysWOW64\vlbbbwnr.exe

vlbbbwnr.exe

C:\Windows\SysWOW64\cgooxlnytqhtf.exe

cgooxlnytqhtf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\vlbbbwnr.exe

C:\Windows\system32\vlbbbwnr.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2364-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\vlbbbwnr.exe

MD5 72ade7fa3d5c24f83e98eebf39c8fc95
SHA1 22007daae2983cc95eea14fccf2cff120d773592
SHA256 e697d94568a22795c51271c2378138fd3a2845c3226929f1a78306a3bd34242a
SHA512 dc4962288538bb2470865e4574f2e06d6af897e8a06636337cd15bbeb01760b40589ca6ffa74fb9963be346d3eb6177fbf0b036cbef0246667d5b9e78d4c29cb

\Windows\SysWOW64\ygummmhywo.exe

MD5 911a0ff72431c933021cd11c1bda5c3a
SHA1 c351609720a33358113ef2f056f6892db90800c6
SHA256 7d859c73df62c15d94ea1a1e4af32513cb47a3e77381b00fee86d49bff416202
SHA512 1cf1079725c57b28baad307274066da9a8ff76b41b93de33038d70ef3e2551cc44ce4647b3b166e4d024a8399ae02997bd352de72c9e4a102feed1c3f9c03421

C:\Windows\SysWOW64\cpytztwshgxkxfe.exe

MD5 b05d9bbaeeb1ef04f47bc050f520af34
SHA1 e61d28f2d71ed9052ba9e286e6fb1fcd8bd719a7
SHA256 f1c5e2ec0d6481eadf4083ab4bfbcbecb22612029fd57b90eeb197578b8bae96
SHA512 4ba1e83e3eb4b73ef62b226bf8233762d8de46f56c2a99e32ad1a2fe69d2b1f0cc4f7fd021abce9c85ed3595ab004bd4a10a0d09a6653e1837525d91ec87fdff

C:\Windows\SysWOW64\cgooxlnytqhtf.exe

MD5 eeb5a5817c7a869c95b2ad53d899a9bf
SHA1 a30e122e331277a2ca937601a4a954b2b4fa3d2a
SHA256 83c4ce051232a03f57ce683186e66d39e1d4e457b606b4aaa2a6c1817a2399d2
SHA512 8c65f10c4216165e6c450d766ccd895bd80a20fc3c128ae7862036068c016fbbe64b86b4a03180f24f66f80fc5d79f06e80470583d75c23b71a39d819660650b

memory/2520-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 8b12c73b3abd3c3b247ceea80b12a14b
SHA1 78beebf7867c39ef7251a8fa1bcff31529d97e24
SHA256 87fb63388f253cdaa68a6acd519ae1e49cd6b47e314375446ad76a598b70cf1d
SHA512 385bba88df71254904b331a62176828a89b8fbe22395a5f489841db2cbc009449acbe3a232caaf5593802382cb3a4d8097b2bac6e5de566419a73c2a9ed45612

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 a5333c9734f91ebb03f0732580a6b15e
SHA1 812ce3b9301d439b30cce541fdd696af63258023
SHA256 d86636faa1eff36a50b6248db294e911521a8917c0b4264762801033aa7506ad
SHA512 87a95fa6198d7349c4493c56f37ce9c27ad8a35509ee7a3dd134c69cf81076a3bb8a4c32b69669b67251932bf6e27ff2a258c7e5b048817504dcb1b80823f015

memory/320-83-0x0000000002A20000-0x0000000002A30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:46

Reported

2024-06-13 01:49

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\fsapuocvai.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fsapuocvai.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgxkrdnm = "fsapuocvai.exe" C:\Windows\SysWOW64\bdeyephxalyllhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcfcsfjr = "bdeyephxalyllhf.exe" C:\Windows\SysWOW64\bdeyephxalyllhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nqtowejvnwdtv.exe" C:\Windows\SysWOW64\bdeyephxalyllhf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fsapuocvai.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hrnaraur.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\fsapuocvai.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File created C:\Windows\SysWOW64\fsapuocvai.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bdeyephxalyllhf.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bdeyephxalyllhf.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hrnaraur.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\fsapuocvai.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Windows\SysWOW64\fsapuocvai.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hrnaraur.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nqtowejvnwdtv.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nqtowejvnwdtv.exe C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\hrnaraur.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hrnaraur.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hrnaraur.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B02847E039E352CCBAD333E9D4C4" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC60B15E4DAC3B9BE7CE2ED9437CB" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB0F913F29083753A4186EC3E99B08E02F84261034CE1B942E808D3" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\fsapuocvai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFCF94F5F851E9046D75B7DE6BC92E13C584067436243D6E9" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\fsapuocvai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D7B9C5782246D4276A670252DD87D8F64AB" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\fsapuocvai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB2FF6C21AAD172D0D18A0C9167" C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\fsapuocvai.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fsapuocvai.exe N/A
N/A N/A C:\Windows\SysWOW64\bdeyephxalyllhf.exe N/A
N/A N/A C:\Windows\SysWOW64\hrnaraur.exe N/A
N/A N/A C:\Windows\SysWOW64\nqtowejvnwdtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\fsapuocvai.exe
PID 2916 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\bdeyephxalyllhf.exe
PID 2916 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\hrnaraur.exe
PID 2916 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Windows\SysWOW64\nqtowejvnwdtv.exe
PID 2916 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2252 wrote to memory of 4800 N/A C:\Windows\SysWOW64\fsapuocvai.exe C:\Windows\SysWOW64\hrnaraur.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a36d1f7a02e89dc2c52b8fc526965032_JaffaCakes118.exe"

C:\Windows\SysWOW64\fsapuocvai.exe

fsapuocvai.exe

C:\Windows\SysWOW64\bdeyephxalyllhf.exe

bdeyephxalyllhf.exe

C:\Windows\SysWOW64\hrnaraur.exe

hrnaraur.exe

C:\Windows\SysWOW64\nqtowejvnwdtv.exe

nqtowejvnwdtv.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\hrnaraur.exe

C:\Windows\system32\hrnaraur.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.112:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 112.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files
