Malware Analysis Report

2024-11-16 13:21

Sample ID 240614-fjl84azcml
Target a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118
SHA256 f236c7797ba80626f23048c995d7109c1de3dbd9474b07933efeac5abca711b1
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f236c7797ba80626f23048c995d7109c1de3dbd9474b07933efeac5abca711b1

Threat Level: Known bad

The file a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Executes dropped EXE

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:54

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:54

Reported

2024-06-14 04:56

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Note: "Windows security bypass" and "Windows security modification" fire on the same set of writes; the sandbox reports them under two signature names. The Security Center *DisableNotify and *Override values are the Windows XP/Vista-era notification switches, written here into the 32-bit WOW6432Node view. Treat them as a clear statement of intent to silence antivirus, firewall and update warnings, not as a verified bypass of the Windows 10 Security Center on the detonation host.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbhsyqhb = "xidomtmniciiejk.exe" | C:\Windows\SysWOW64\xidomtmniciiejk.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "agctnxpnsgeaz.exe" | C:\Windows\SysWOW64\xidomtmniciiejk.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xqojdzsn = "qrwqthkqqu.exe" | C:\Windows\SysWOW64\xidomtmniciiejk.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target | Count
File opened (read-only) | \??\a: through \??\z: (21 drive letters: a b e g h i j k l m n o p s t u v w x y z, each opened once) | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A | 21
File opened (read-only) | \??\a: through \??\z: (23 drive letters: a b e g h i j k l m n o p q r s t u v w x y z; a, e and i opened once, the rest twice) | C:\Windows\SysWOW64\wweryzty.exe | N/A | 43

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Note: 4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the legacy value that disabled Windows File Protection on Windows 2000/XP. Windows 10 protects system files through Windows Resource Protection, which does not honour these Winlogon values, so read the write as the sample preparing to overwrite files under Program Files, SysWOW64 and WinSxS (see the file drops below) rather than as an effective bypass on this host.

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 11 (no indicator details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target | Count
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | C:\Windows\SysWOW64\qrwqthkqqu.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\wweryzty.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\xidomtmniciiejk.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\wweryzty.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\agctnxpnsgeaz.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File created | C:\Windows\SysWOW64\qrwqthkqqu.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\agctnxpnsgeaz.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A | 1
File created | C:\Windows\SysWOW64\xidomtmniciiejk.exe | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1

Drops file in Program Files directory

Description | Indicator | Process | Target | Count
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 1
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 1

Drops file in Windows directory

Description | Indicator | Process | Target | Count
File opened for modification | C:\Windows\mydoc.rtf | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A | 1
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File created | C:\Windows\~$mydoc.rtf | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A | 1
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
File opened for modification | C:\Windows\mydoc.rtf | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 1
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\wweryzty.exe | N/A | 2
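The three file-drop tables above share one pattern: wweryzty.exe writes executables whose names are a document name plus ".exe" (PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe) into Office, SysWOW64 and WinSxS directories, while qrwqthkqqu.exe has set HideFileExt = 1 so Explorer shows them as "PROTTPLN.DOC". The following hunt script is an added example for this report, not part of the sandbox output or of the sample. It walks a directory tree, flags executables whose displayed name ends in a document extension, records whether the document it shadows is present beside it and whether the file is a PE, and builds a constructed fixture that mirrors the drop locations (the file contents, the presence of PROTTPLN.DOC and the DOC_EXTS/EXEC_EXTS lists are this example's assumptions). On a real host, point it at C:\Program Files, C:\Windows\SysWOW64 and C:\Windows\WinSxS.

```python
import tempfile
from pathlib import Path

# Extensions a user would read as "a document" (left of the real extension) and the
# executable extensions that Explorer hides when HideFileExt = 1. Assumed lists.
DOC_EXTS = {".doc", ".docx", ".dot", ".rtf", ".xls", ".xlsx", ".ppt", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe(path):
    """Cheap PE check: DOS header magic. Enough to separate dropped binaries from renamed junk."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def find_document_shadows(root):
    """Return executables under root whose Explorer-visible name looks like a document."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXEC_EXTS:
            continue
        shown_as = path.stem                      # what Explorer displays with HideFileExt = 1
        if Path(shown_as).suffix.lower() not in DOC_EXTS:
            continue
        original = path.with_name(shown_as)       # the document the binary impersonates
        hits.append({
            "name": path.name,
            "path": str(path),
            "shown_as": shown_as,
            "original_present": original.exists(),
            "is_pe": is_pe(path),
        })
    return hits


def build_fixture(base):
    """Constructed layout mirroring this report's drop locations; no real Office files involved."""
    office = Path(base, "Program Files", "Microsoft Office", "root", "Office16", "1033")
    office.mkdir(parents=True)
    (office / "PROTTPLN.DOC").write_bytes(b"{\\rtf1 constructed template}")   # assumed legit sibling
    (office / "PROTTPLN.DOC.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (office / "PROTTPLV.DOC.exe").write_bytes(b"MZ" + b"\x00" * 62)
    msdrm = Path(base, "Windows", "SysWOW64", "MSDRM")
    msdrm.mkdir(parents=True)
    (msdrm / "MsoIrmProtector.doc.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (msdrm / "MsoIrmProtector.dll").write_bytes(b"MZ" + b"\x00" * 62)       # ordinary DLL, must not fire
    (Path(base, "Windows") / "mydoc.rtf").write_bytes(b"{\\rtf1 lure}")      # document, must not fire
    return str(base)


def demo():
    """Build the fixture in a fresh temp dir and hunt it; returns the hit list."""
    return find_document_shadows(build_fixture(tempfile.mkdtemp(prefix="shadowhunt-")))


if __name__ == "__main__":
    for hit in demo():
        flag = "SHADOWS EXISTING DOC" if hit["original_present"] else "no original beside it"
        print(f"{hit['path']}  shown as '{hit['shown_as']}'  pe={hit['is_pe']}  {flag}")
```

The `original_present` flag separates the two cases seen in this report: PROTTPLN.DOC.exe sits next to a real template and relies on the hidden extension to be mistaken for it, while the WinSxS and MSDRM copies of MsoIrmProtector.doc.exe have no document beside them and are simply dropped binaries in a trusted path. The fixture is case-exact on purpose, since the test runs on a case-sensitive filesystem; NTFS will match regardless of case.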

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D7A9D5582276D4176A770562DDF7C8F65DC" | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B4FE6B21A9D20FD1A48B7A9164" | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02D4792389952BEB9A733EAD4CF" | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FFFB485A826E9136D62F7E95BDE3E63159406742633FD69E" | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC6081593DBC3B9CD7FE5ED9634CB" | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFABDF910F196837D3A45869639E6B0FD028C4361034BE1CB42EA08A1" | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A

Note: two unrelated things share this table. qrwqthkqqu.exe repoints the default ProgID of .bat, .vbs, .reg, .wsf, .wsc and .wsh to txtfile, so double-clicking any such file opens it in the text editor instead of running the script or importing the .reg file; together with DisableRegistryTools above this blocks the usual script-based and .reg-based cleanup, and it is the reason the dropped Run keys survive a casual repair. The CLV.Classes\Com1..Com4 and StartCom1..2 strings written by the sample itself are opaque hex blobs under a key name that is not a standard Windows class; they read as the sample's own configuration store, which the report does not decode.
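The registry tables in this report (the Explorer, Security Center, DisableRegistryTools, Run-key and Winlogon writes above, and the file-association rewrites in this table) all arrive in the same flat "op key = "value" process target" row format. The script below is an added example written for this page, not sandbox code and not the sample's own logic: it parses such rows, folds the hive prefix, the user SID and the WOW6432Node view into one normalised key, and classifies each write against a small rule table so that the signal hidden across seven signatures comes out as one list. The rule names, the regular expressions and the sample rows (copied from the tables above) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: registry rows copied from the behavioral2 tables of this report.
SAMPLE = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbhsyqhb = "xidomtmniciiejk.exe" C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "agctnxpnsgeaz.exe" C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D7A9D5582276D4176A770562DDF7C8F65DC" C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
"""

# One sandbox row: operation, key (may contain spaces), optional = "value", process path, target.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+N/A$'
)
SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?P<classes>_CLASSES)?\\')


def normalize_key(key):
    """Fold hive prefix, user SID and the WOW6432Node view into one upper-case form."""
    k = key.upper()
    k = SID_RE.sub(lambda m: "HKCU\\" + ("SOFTWARE\\CLASSES\\" if m.group("classes") else ""), k)
    k = k.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    return k.replace("\\WOW6432NODE\\", "\\")


# (rule name, regex over the normalised key, required value or None for "any write").
# The names are this example's labels, not sandbox signature names.
RULES = [
    ("explorer_hide_extensions",   r"\\EXPLORER\\ADVANCED\\HIDEFILEEXT$", "1"),
    ("explorer_hide_superhidden",  r"\\EXPLORER\\ADVANCED\\SHOWSUPERHIDDEN$", "0"),
    ("regedit_disabled",           r"\\POLICIES\\SYSTEM\\DISABLEREGISTRYTOOLS$", "1"),
    ("security_center_notify_off", r"\\SECURITY CENTER\\(?:ANTIVIRUS|FIREWALL|UPDATES)DISABLENOTIFY$", "1"),
    ("security_center_override",   r"\\SECURITY CENTER\\(?:ANTIVIRUS|FIREWALL)OVERRIDE$", "1"),
    ("wfp_tamper",                 r"\\WINLOGON\\SFC(?:DISABLE|SCAN)$", None),
    ("run_key_persistence",        r"^HK(?:LM|CU)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(?:ONCE)?\\[^\\]*$", None),
    ("script_assoc_neutralised",   r"^HK(?:LM|CU)\\SOFTWARE\\CLASSES\\\.(?:BAT|CMD|VBS|VBE|JS|JSE|WSF|WSH|WSC|REG)\\$", "TXTFILE"),
]
COMPILED = [(name, re.compile(rx), want) for name, rx, want in RULES]


def parse_row(line):
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return {"op": m["op"], "key": normalize_key(m["key"]), "value": m["value"], "proc": m["proc"]}


def classify(rec):
    """First matching rule name, or None. A bare 'Key created' never satisfies a value-bound rule."""
    for name, rx, want in COMPILED:
        if rx.search(rec["key"]) and (want is None or (rec["value"] or "").upper() == want):
            return name
    return None


def dword_hex(value):
    """Show a REG_DWORD that the sandbox printed in decimal the way the attacker wrote it."""
    return "0x%08X" % (int(value) & 0xFFFFFFFF)


def triage(text):
    findings = defaultdict(list)
    for line in text.splitlines():
        rec = parse_row(line)
        if rec and (name := classify(rec)):
            findings[name].append(rec)
    return dict(findings)


def summarize(findings):
    lines = []
    for name, recs in sorted(findings.items()):
        procs = sorted({r["proc"].rsplit("\\", 1)[-1] for r in recs})
        lines.append(f"{name}: {len(recs)} write(s) by {', '.join(procs)}")
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE)
    print("\n".join(summarize(found)))
    for rec in found.get("wfp_tamper", []):
        print("SFCDisable written as", rec["value"], "=", dword_hex(rec["value"]))
```

Rows that carry no evasion or persistence meaning (the Geo\Nation query, the CLV.Classes blob, the bare "Key created" on .bat) parse cleanly but produce no finding, which is the point: the rule table, not the sandbox's signature headings, decides what counts. Extending it to HKCU Run keys and RunOnce is already built in; any other policy value a case turns up is one more tuple.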

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A | 2

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | N/A | 16
N/A | N/A | C:\Windows\SysWOW64\qrwqthkqqu.exe | N/A | 10
N/A | N/A | C:\Windows\SysWOW64\wweryzty.exe | N/A | 8
N/A | N/A | C:\Windows\SysWOW64\xidomtmniciiejk.exe | N/A | 10
N/A | N/A | C:\Windows\SysWOW64\agctnxpnsgeaz.exe | N/A | 12
N/A | N/A | C:\Windows\SysWOW64\wweryzty.exe (second instance, see Processes) | N/A | 8

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4588 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | C:\Windows\SysWOW64\qrwqthkqqu.exe | 3
PID 4588 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | C:\Windows\SysWOW64\xidomtmniciiejk.exe | 3
PID 4588 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | C:\Windows\SysWOW64\wweryzty.exe | 3
PID 4588 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | C:\Windows\SysWOW64\agctnxpnsgeaz.exe | 3
PID 4588 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 2
PID 2448 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\qrwqthkqqu.exe | C:\Windows\SysWOW64\wweryzty.exe | 3

Note: every row is a parent writing into a process it has just created. CreateProcess itself writes into a new child's address space to set it up, so on its own this table documents the process tree (sample spawns four dropped binaries plus WINWORD.EXE; qrwqthkqqu.exe spawns a second wweryzty.exe) rather than code injection into an unrelated process.

Processes

PID | Image | Command line | Parent PID
4588 | C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe" | (submitted sample)
2448 | C:\Windows\SysWOW64\qrwqthkqqu.exe | qrwqthkqqu.exe | 4588
3912 | C:\Windows\SysWOW64\xidomtmniciiejk.exe | xidomtmniciiejk.exe | 4588
1548 | C:\Windows\SysWOW64\wweryzty.exe | wweryzty.exe | 4588
5056 | C:\Windows\SysWOW64\agctnxpnsgeaz.exe | agctnxpnsgeaz.exe | 4588
3736 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" | 4588
2948 | C:\Windows\SysWOW64\wweryzty.exe | C:\Windows\system32\wweryzty.exe | 2448
not recorded | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:8 | not recorded

PIDs and parent links are taken from the WriteProcessMemory events above; the report records neither for the msedge.exe utility process. Process 2948 is launched with the path C:\Windows\system32\wweryzty.exe by a 32-bit parent: WOW64 file system redirection resolves that to C:\Windows\SysWOW64\, which is where the sample dropped the file. WINWORD.EXE is started by the sample itself to open the dropped C:\Windows\mydoc.rtf, which is the likely origin of the Office template CDN traffic in the Network section.

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 204.79.197.237:443 | g.bing.com | tcp | 1
NL | 23.62.61.194:443 | www.bing.com | tcp | 1
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp | 1
NL | 23.62.61.162:443 | metadata.templates.cdn.office.net | tcp | 1
US | 8.8.8.8:53 | 162.61.62.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp | 1
SE | 23.201.43.112:443 | binaries.templates.cdn.office.net | tcp | 48
US | 8.8.8.8:53 | 112.43.201.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1

The table does not attribute connections to processes. Every named destination is a Microsoft domain (Bing, the Office template CDN), consistent with the WINWORD.EXE and msedge.exe processes in the tree rather than with the dropped executables, and the in-addr.arpa rows are reverse lookups of the IPs contacted. Treat the absence of any other destination as a property of this 127-second run, not as evidence that the sample has no network capability.
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4588-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\xidomtmniciiejk.exe

MD5 21d097d2aa435fb1477f44c33b19f340
SHA1 4728650e9a4d4de4546f7f5760661a9e8351e3f9
SHA256 7ec77dc2f7980466ff5d0b404f597c0e0acc377a79464d51c19949ffb868989b
SHA512 106c4a4013f516bf42555caa1226ce73c04a4f94396e35851fb229099eb34983a81812ecbf60898a2a26bd4e3168a3656358963546709f8c24618aacabc0ff09

C:\Windows\SysWOW64\qrwqthkqqu.exe

MD5 cce95e58b13ad2712508ed6ebe06db5d
SHA1 7e9d83c73e2904c934e318bcb88e756ee04609be
SHA256 f0de4a0f2a7ec9d2b56a4e48b7b0251647d0ee322477025f66bc97ecaa10e85a
SHA512 4d968ec97a4d3c13d254ed6aee9f64407f021b1c9359b1701efe2cb099d268b4ea7d4619868b91ea5c38cd1c18a96cf3c322c0394c01d5386f12d21fc994dbd1

C:\Windows\SysWOW64\wweryzty.exe

MD5 c751c6fb65dd04bfa8967ff107dcfd1e
SHA1 19b584c3562da0291f33e53f987192fd08046c4a
SHA256 cc0e083928f22297dfb99635e5a6a79388a158f119cb8dae1fcfdc357c5a5490
SHA512 e1e11c5b9e7846c9a914a849ad5213d601c47400d16255b93aba85839255f172d0beed997b2334679eb24a9379c5e8756919f4046633a30bcc9e096d74054a1f

C:\Windows\SysWOW64\agctnxpnsgeaz.exe

MD5 2ec3584f78700385cd549ca69f1d1577
SHA1 4f4f46291d66345d62cbf8888874257842da7074
SHA256 bc2db8aa09375027cae7de6615786d86fe6ba13b9490512675e7cac657450ec1
SHA512 b31df70f13a77ef04a026bff2b9546b660af03c314a8514f0e5d83f551df67091adb3458f2364c1cf47a8250ca08ecd9f991de30fb24e83a8a542c7c1ddd53cb

memory/3736-35-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-37-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-36-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-39-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-38-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-40-0x00007FFD2FD90000-0x00007FFD2FDA0000-memory.dmp

memory/3736-43-0x00007FFD2FD90000-0x00007FFD2FDA0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 99faf9a69d3cc29c3f509e62e3e710fe
SHA1 7dbe191a020d6912802af38c99db60647c17485b
SHA256 3b16033f2b77417f32827ac90734ec4197e947b2e5f512fca3e8d9912806060f
SHA512 d269d2cf99c178b0f26a53b49425e6ebceacaed3ae2906bc86c83cd90fc2747180480da0d2af88378d96b02b2e6e61e559cac56a239e549496b6a731d589d7b4

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 ace697b7cd59eb1643a6847fba065594
SHA1 511ac4f9123cabb832ccfc2826d6f426843cb922
SHA256 a9ab5e18d45e4662d3d3b3d6bcf0a9a6a655d344f013b56328b5aec2ffc5ddf8
SHA512 b5c4e2c3c44ca6b2a845156ecb2148ee7c79508eeb668d078213ada4c7f98bbee94b8fe5d4f13c3bc34ebbcdcf9397e635cf0f698b3a4cdce786ff22d5763d96

C:\Users\Admin\Documents\CheckpointSplit.doc.exe

MD5 f1945245ab348f0eaefe1488dbef4c9f
SHA1 86db08f0952c7a6857be1bbad5ad7a8af1880ca3
SHA256 32f7c9c20aa4c7c8653b973d5f8c53cb99d166d858b899a67ef53817fe227a42
SHA512 5dfe03e4e36ad1b626893a6955027355b61f92cee7c819fa50384e8b9240f28bb167840f516b162218babbbaaf6ef3d4e7aa27ab62b3398de26e94732d07f122

C:\Users\Admin\Documents\SendStart.doc.exe

MD5 fe078d20d9f25e2f4181bbd30025f3a2
SHA1 81771e8def8815037233bac1f46c27d867a4bfa4
SHA256 1a57dd9eea0d60fd4cb379345bf63fef208c709c4bdd7b5eaef22603c95ba4b1
SHA512 d090981096990fd6a1321101fc3a4e2ba22483c2c70a787ad6f948cd8950ce116b7e8f345749bc81b92cdd68f1f13e75f98d728800dde403eeaafc94cd1de860

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 cdfb4dd464c9b36426041ccac8036ab8
SHA1 2351a265c186643e6c771d6c019873a7c6e4dfcd
SHA256 bcbaa0be4e42cda3c788731fba120b4aee19be69b380c42307360cc9f6fec379
SHA512 d3d1e860e042c676cc8907e0be3b169568c4d6d581d5354c0b13ab099ebe24b28ce6a740cdaa2026abad46d37ce95588ef10571154ca553ab01fd35c7044e3b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 c441a5875e1b53ba06b59c06351b1f2e
SHA1 aa0139fc39b53514841466340ee20d074bff4ad1
SHA256 96a2fd11685a0675ed04cff59331dea7ddfa18e6f13de500ddb6231aaea2f70d
SHA512 d7228600487f19aa67592b01812d1ffb862018d55b926eeb42abe563f475efee48ae2a258d1aeb270c0807d9cab7537ea8867726b3b5d4a7b7f178cfab028d9f

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 99f84c98cf8a0e15a814c54874cc9281
SHA1 2e142eb8d98f9b7bd5d791de73341a8ba55e78ed
SHA256 4290058335ee1df72cd27c89e176855ec7a9fde776e6efcb70fdaf2e89bf63c2
SHA512 298de5e9b11443ea204dcf6a1207d22b0613f5409cf473449351b6c797ba3622c3ec52cbc3b5a1fff73eac0da73d4a35317acbfe7db00a8310bc4c870c3b9a77

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 4ad8649b625570bbd7e723a6d65f0abc
SHA1 1eef6155bc9b2055a4ecfaa6fb3764d16c42fda9
SHA256 919a345b63afcb81681c8be0f099ec90ed40a5da3c7827e8d1f989f07262d140
SHA512 d485b92898e0dff89b2aace0064acd8d481bee7679c250482e40c6564fca34466df3a10d464ee0a23b3f5d96b7ec583ee371c3a8fc0bb3b8c5396b93746ab033

C:\Users\Admin\AppData\Local\Temp\TCD2D4E.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/3736-604-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-605-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-606-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

memory/3736-603-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:54

Reported

2024-06-14 04:56

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xqojdzsn = "qrwqthkqqu.exe" C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pbhsyqhb = "xidomtmniciiejk.exe" C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "agctnxpnsgeaz.exe" C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wweryzty.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\qrwqthkqqu.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qrwqthkqqu.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xidomtmniciiejk.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wweryzty.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wweryzty.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\agctnxpnsgeaz.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
File opened for modification C:\Windows\SysWOW64\xidomtmniciiejk.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\agctnxpnsgeaz.exe C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification \??\c:\Program Files\SuspendCompare.doc.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification \??\c:\Program Files\SuspendCompare.doc.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File created \??\c:\Program Files\SuspendCompare.doc.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files\SuspendCompare.doc.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files\SuspendCompare.nal C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files\SuspendCompare.doc.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files\SuspendCompare.nal C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wweryzty.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\wweryzty.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\qrwqthkqqu.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\wweryzty.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\SysWOW64\agctnxpnsgeaz.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\qrwqthkqqu.exe
PID 2360 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\qrwqthkqqu.exe
PID 2360 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\qrwqthkqqu.exe
PID 2360 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\qrwqthkqqu.exe
PID 2360 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\xidomtmniciiejk.exe
PID 2360 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\xidomtmniciiejk.exe
PID 2360 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\xidomtmniciiejk.exe
PID 2360 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\xidomtmniciiejk.exe
PID 2360 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2360 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2360 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2360 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2360 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\agctnxpnsgeaz.exe
PID 2360 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\agctnxpnsgeaz.exe
PID 2360 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\agctnxpnsgeaz.exe
PID 2360 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Windows\SysWOW64\agctnxpnsgeaz.exe
PID 2560 wrote to memory of 2616 N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2616 N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2616 N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2616 N/A C:\Windows\SysWOW64\xidomtmniciiejk.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2372 N/A C:\Windows\SysWOW64\qrwqthkqqu.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2548 wrote to memory of 2372 N/A C:\Windows\SysWOW64\qrwqthkqqu.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2548 wrote to memory of 2372 N/A C:\Windows\SysWOW64\qrwqthkqqu.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2548 wrote to memory of 2372 N/A C:\Windows\SysWOW64\qrwqthkqqu.exe C:\Windows\SysWOW64\wweryzty.exe
PID 2360 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2360 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2360 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2360 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe"

C:\Windows\SysWOW64\qrwqthkqqu.exe

qrwqthkqqu.exe

C:\Windows\SysWOW64\xidomtmniciiejk.exe

xidomtmniciiejk.exe

C:\Windows\SysWOW64\wweryzty.exe

wweryzty.exe

C:\Windows\SysWOW64\agctnxpnsgeaz.exe

agctnxpnsgeaz.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c agctnxpnsgeaz.exe

C:\Windows\SysWOW64\wweryzty.exe

C:\Windows\system32\wweryzty.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2360-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\xidomtmniciiejk.exe

\Windows\SysWOW64\qrwqthkqqu.exe

\Windows\SysWOW64\wweryzty.exe

\Windows\SysWOW64\agctnxpnsgeaz.exe

memory/2468-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

C:\Program Files\SuspendCompare.doc.exe

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

memory/820-88-0x0000000002AD0000-0x0000000002AE0000-memory.dmp