Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-slmnvsda2v
Target e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118
SHA256 b7736ffd44d69a16213a96e771fae8d39546a2240b788971edeefe145d382268
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7736ffd44d69a16213a96e771fae8d39546a2240b788971edeefe145d382268

Threat Level: Known bad

The file e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 15:12

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 15:12

Reported

2024-04-06 15:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wdzafhirec.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wdzafhirec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfvmxvft = "gwoyshgmbfuudpa.exe" C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yrinmiokclrnd.exe" C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ngxrrflg = "wdzafhirec.exe" C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wdzafhirec.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wdzafhirec.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wdzafhirec.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wdzafhirec.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\guptyhlf.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\guptyhlf.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yrinmiokclrnd.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wdzafhirec.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yrinmiokclrnd.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wdzafhirec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\guptyhlf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\guptyhlf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\wdzafhirec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60C14E4DAB6B9CC7FE2EDE337CD" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wdzafhirec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wdzafhirec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02F44EE389F52BEBAA13299D7B9" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\wdzafhirec.exe N/A
N/A N/A C:\Windows\SysWOW64\wdzafhirec.exe N/A
N/A N/A C:\Windows\SysWOW64\wdzafhirec.exe N/A
N/A N/A C:\Windows\SysWOW64\wdzafhirec.exe N/A
N/A N/A C:\Windows\SysWOW64\wdzafhirec.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\guptyhlf.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\yrinmiokclrnd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\wdzafhirec.exe
PID 1400 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\wdzafhirec.exe
PID 1400 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\wdzafhirec.exe
PID 1400 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\wdzafhirec.exe
PID 1400 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe
PID 1400 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe
PID 1400 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe
PID 1400 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe
PID 1400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 1400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 1400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 1400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 1400 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\yrinmiokclrnd.exe
PID 1400 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\yrinmiokclrnd.exe
PID 1400 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\yrinmiokclrnd.exe
PID 1400 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\yrinmiokclrnd.exe
PID 1400 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1400 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1400 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1400 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2968 wrote to memory of 2380 N/A C:\Windows\SysWOW64\wdzafhirec.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 2968 wrote to memory of 2380 N/A C:\Windows\SysWOW64\wdzafhirec.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 2968 wrote to memory of 2380 N/A C:\Windows\SysWOW64\wdzafhirec.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 2968 wrote to memory of 2380 N/A C:\Windows\SysWOW64\wdzafhirec.exe C:\Windows\SysWOW64\guptyhlf.exe
PID 2500 wrote to memory of 1984 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 1984 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 1984 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 1984 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\wdzafhirec.exe

wdzafhirec.exe

C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe

gwoyshgmbfuudpa.exe

C:\Windows\SysWOW64\guptyhlf.exe

guptyhlf.exe

C:\Windows\SysWOW64\yrinmiokclrnd.exe

yrinmiokclrnd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\guptyhlf.exe

C:\Windows\system32\guptyhlf.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1400-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\guptyhlf.exe

\Windows\SysWOW64\wdzafhirec.exe

C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe

C:\Windows\SysWOW64\yrinmiokclrnd.exe

memory/2500-42-0x000000002FDC1000-0x000000002FDC2000-memory.dmp

memory/2500-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2500-47-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

C:\Windows\mydoc.rtf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

C:\Users\Admin\Documents\RepairRename.doc.exe

memory/2500-78-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

memory/2500-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 15:12

Reported

2024-04-06 15:15

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gufrvhmr = "mtqsrgnzht.exe" C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opelsvuc = "ssikaxeilhffyvv.exe" C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zydgtlgfhwivc.exe" C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Windows\SysWOW64\ssikaxeilhffyvv.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bnutxamt.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zydgtlgfhwivc.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
File created C:\Windows\SysWOW64\zydgtlgfhwivc.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created C:\Windows\SysWOW64\mtqsrgnzht.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mtqsrgnzht.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ssikaxeilhffyvv.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bnutxamt.exe C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bnutxamt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bnutxamt.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7C9D5782256D3E76D770512DAD7D8665DD" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B0FE1D22DAD109D0A68A749013" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70E15E7DAB7B9BE7FE2ECE234CA" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15D4492389F52BDBAD33298D4BB" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC8E485F856F903CD72B7D92BD92E1435840674E6241D7EE" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CEF964F192830E3A32869E3998B0FA02FC4315033FE2BE45E609D3" C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\mtqsrgnzht.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\mtqsrgnzht.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\zydgtlgfhwivc.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\ssikaxeilhffyvv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnutxamt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\mtqsrgnzht.exe
PID 4880 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\mtqsrgnzht.exe
PID 4880 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\mtqsrgnzht.exe
PID 4880 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\ssikaxeilhffyvv.exe
PID 4880 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\ssikaxeilhffyvv.exe
PID 4880 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\ssikaxeilhffyvv.exe
PID 4880 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\bnutxamt.exe
PID 4880 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\bnutxamt.exe
PID 4880 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\bnutxamt.exe
PID 4880 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\zydgtlgfhwivc.exe
PID 4880 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\zydgtlgfhwivc.exe
PID 4880 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Windows\SysWOW64\zydgtlgfhwivc.exe
PID 4880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\mtqsrgnzht.exe C:\Windows\SysWOW64\bnutxamt.exe
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\mtqsrgnzht.exe C:\Windows\SysWOW64\bnutxamt.exe
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\mtqsrgnzht.exe C:\Windows\SysWOW64\bnutxamt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\mtqsrgnzht.exe

mtqsrgnzht.exe

C:\Windows\SysWOW64\ssikaxeilhffyvv.exe

ssikaxeilhffyvv.exe

C:\Windows\SysWOW64\bnutxamt.exe

bnutxamt.exe

C:\Windows\SysWOW64\zydgtlgfhwivc.exe

zydgtlgfhwivc.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\bnutxamt.exe

C:\Windows\system32\bnutxamt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/4880-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ssikaxeilhffyvv.exe

MD5 30432e8c56832c20cadc16e7ce510a57
SHA1 fa01c173b6371958b4e36a4e1b528a7e31b53dcc
SHA256 8228b64c218f623bbf97fa3639320964dea9c201ebe43989d55ca4ca73b2da1a
SHA512 fefdfff67713dbeb77ca5dd62fc5340ff55869fa66b4a0dc4a0bd6e3b7dfe4c3e5fedc3466fe05552cacde3f677b7a92a5d61ae1564e3da3f3e2cf2496397823

C:\Windows\SysWOW64\mtqsrgnzht.exe

MD5 ef0ff8da8178896373a6d33bda155e56
SHA1 c4efec58bfb390782d4861a2279bb97360bc2d0d
SHA256 322e899b375d92df125b77faca2cdcfdbff348505a3f0160e006532b4863e691
SHA512 e2bba970fb515491caf7b816be51bdd97c74a62178f319f5e6cdd8409bb0a8f7a1e23eed355c30ce8e1a98e9a379d7598c6cb144cf0e8828d2848b35e582706e

C:\Windows\SysWOW64\bnutxamt.exe

MD5 1af9a4f1f70648b5cd42a26bbf3e5535
SHA1 897dd8ee97135fcc331a892ffd04a3c4017df8d2
SHA256 24fc683b889485e71d9a75b6729dae27780c9a447ee98f4fa30070f7f63aaa23
SHA512 5d84495f23f638d713204e951ecbeb44c2b415046fd9275c1b8d4d8c1dcfd80d4409561d98078ea9bd8f354c686bb450b938e5fcd3040b3d425be118ba77496f

C:\Windows\SysWOW64\zydgtlgfhwivc.exe

MD5 0de48a9899940dc5c9a1d45528169c93
SHA1 d5191af96f760bd505636b482ed2a0b6e08ef4fe
SHA256 e69eb96a2e9f26ca55801d2c95573f8a7b5e65e5c4d25edd83a2140278f28f44
SHA512 ce7f5b2fe8403650e0eb9be68e7cfdbea7d123732818c2c44f294302e52c68aca87c443ff5d511820e85378c5bd6ac69c9860ba43a48ce34d33dfb5d90dca00b

memory/2888-37-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-38-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-39-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-40-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-42-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-41-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-43-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-44-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-45-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-46-0x00007FF89D990000-0x00007FF89D9A0000-memory.dmp

memory/2888-47-0x00007FF89D990000-0x00007FF89D9A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 c7667c3371d5d84c2c3d9801baa3dc0f
SHA1 25838b0056cd399422f492754b6437a95f318e52
SHA256 5596446f922d237efed146d488ec6e529f0d66a064960eeb6013773cfa45ab9d
SHA512 7e42fc3aad97260c7973eb4adb8dca390a207f2f8dee0c45f74e7e91441d9f548aa8ae03f7f6109e772bc67a8e6124e74bc37a0496120a0200f58d9e96451a09

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 a191a5a92759fca019302b4580f2fe78
SHA1 21af26007348a6f508d7f941d0dabf3f3c8207b3
SHA256 2d10db635d40c1478b9314b731111611feff59b033f6364b12b5ef042ad3644d
SHA512 3e9dc77c0e6e888d0e1c523be80c31daeb360daf97beedad422cccb004b93aed9f5efdb176b9cf27abdec95e31ca66c625c43af4d18a20794a33c9d26625d217

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 5ed0043db2102395f69cf705926bd134
SHA1 aec4692c5b951f7aac0f93c972645078058adcde
SHA256 89c9aab69d70c5c7f3360bcb750c74df3bd9be3a120990e5e81715f6a2c7364a
SHA512 0ed2af6b628fc72c83db7c2610223a82985c2e3e59f1cd1075d33ee122be658742a0478a274248db101fc0a40686cad89dc6c482017a8b05cff2270480f0767e

C:\Users\Admin\Desktop\CompressUninstall.doc.exe

MD5 c3d70021834a19c1b8fc231549125fee
SHA1 99ebc8ed8b5c2b8a08077d7ab9408f872a83e684
SHA256 8224787d93da6f3c087ee68ef4ce409aaf411af8cf72bf4d6392d074448e1fed
SHA512 abffa7b2187915f43f78c1534db48fc2f114b0af05f6b0e06dbf4bfcab68075b88aed3ddefc967da466d31a801986b580b675b352271a802158dc6caab1f8932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 863f957b397e04bcb93109ae3e7cc00c
SHA1 a160591e41f0c7fbbeb41a48cf335ed35d305ed6
SHA256 75841d48da974107f03ef00ba8a16c15ecceddd3c1dee2f878cbf8921e7547e8
SHA512 cba44acd569c0cb3d74f720f8509e798274c9fb387ec16bf331ce53e7c95b41ca4b116a674d7e5d59705eac7cde18d26546efd52ae20e83693a9f04939bab155

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a480a3b75acc3359bd3eef8188685e3c
SHA1 892e16fcec2b3fa743f093ad0c0c57eada7d0272
SHA256 42b142026408aef460ec0aaa4842774556bbd3aae3d98c734de52e474c024933
SHA512 580b489db3fbfd199715881fb911e1c8b467ed8177271e70c95d2d52c52d2a064ab4fd53ce9882f227cff141e9b8b80a914e59a993476facb5a970075b854fc0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 f1ec67d98980f2f21c5cee9ce4444c31
SHA1 a1a2e55bda352c1c4c33640637c810f2d8e0705d
SHA256 1128af3f24733f419575b0982aa04ccd8d3b19b0d997e073800c35bb3413eb11
SHA512 c1083c0225cb9f024e7b423244e8281cc5621eefc3f57c17b806e15fbc186192ba037dd4df3ea49a312fbaafbd4e1c212a51ab363a4f731babdd24177bd213e9

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e274e939692ff87c3a3f705561eb03fd
SHA1 684ee1e2fbb67dd4bf59b4db84a4ce197290c76b
SHA256 b22795f37c7e1b46f47bb5b0429b1d17e86613cf74838c0bc30a759ca05dfa5f
SHA512 a679cdf9b89fa2eae6561fbc07ac8f6a04e0be8f15c1094ecddf7ab53ee0ac5e6481d1daa2119ddb7fac6bda99f625c9fcef7406183c2f9b39ce748a46ebc89e

memory/2888-103-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-104-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-105-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-130-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-129-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-131-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-132-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-128-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-127-0x00007FF89FDB0000-0x00007FF89FDC0000-memory.dmp

memory/2888-134-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp

memory/2888-133-0x00007FF8DFD30000-0x00007FF8DFF25000-memory.dmp