Malware Analysis Report

2024-11-13 14:01

Sample ID 240407-29ht9ahf46
Target e616af1d52ca2271af70c2b9f973894d_JaffaCakes118
SHA256 3468f34b8f72a76cff295420bc5693ef6a072df4e03a3b727b49fdffb3291ab5
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3468f34b8f72a76cff295420bc5693ef6a072df4e03a3b727b49fdffb3291ab5

Threat Level: Known bad

The file e616af1d52ca2271af70c2b9f973894d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:16

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win7-20231129-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zpbbinhc = "ckgmelvcsc.exe" C:\Windows\SysWOW64\qwzntbjrkibzmus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cpdysxdw = "qwzntbjrkibzmus.exe" C:\Windows\SysWOW64\qwzntbjrkibzmus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nkzerqgkwltga.exe" C:\Windows\SysWOW64\qwzntbjrkibzmus.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\irrvbslf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ckgmelvcsc.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qwzntbjrkibzmus.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\irrvbslf.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\irrvbslf.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nkzerqgkwltga.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\ckgmelvcsc.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qwzntbjrkibzmus.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nkzerqgkwltga.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification \??\c:\Program Files\DisconnectDisable.doc.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files\DisconnectDisable.doc.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification \??\c:\Program Files\DisconnectDisable.doc.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files\DisconnectDisable.nal C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files\DisconnectDisable.doc.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File created \??\c:\Program Files\DisconnectDisable.doc.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification C:\Program Files\DisconnectDisable.nal C:\Windows\SysWOW64\irrvbslf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\irrvbslf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC70E15E6DBB2B9BE7F95EDE537CE" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgmelvcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\qwzntbjrkibzmus.exe N/A
N/A N/A C:\Windows\SysWOW64\irrvbslf.exe N/A
N/A N/A C:\Windows\SysWOW64\nkzerqgkwltga.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\ckgmelvcsc.exe
PID 1108 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\qwzntbjrkibzmus.exe
PID 1108 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\irrvbslf.exe
PID 1108 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\nkzerqgkwltga.exe
PID 2996 wrote to memory of 2584 N/A C:\Windows\SysWOW64\qwzntbjrkibzmus.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2472 N/A C:\Windows\SysWOW64\ckgmelvcsc.exe C:\Windows\SysWOW64\irrvbslf.exe
PID 1108 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2496 wrote to memory of 2548 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe"

C:\Windows\SysWOW64\ckgmelvcsc.exe

ckgmelvcsc.exe

C:\Windows\SysWOW64\qwzntbjrkibzmus.exe

qwzntbjrkibzmus.exe

C:\Windows\SysWOW64\irrvbslf.exe

irrvbslf.exe

C:\Windows\SysWOW64\nkzerqgkwltga.exe

nkzerqgkwltga.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c nkzerqgkwltga.exe

C:\Windows\SysWOW64\irrvbslf.exe

C:\Windows\system32\irrvbslf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1108-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\qwzntbjrkibzmus.exe

MD5 6682af76f8ec178ee49aca3989307129
SHA1 f12b4bd4ec61bbcdd7c9ad499181fbd35181804b
SHA256 5b65d228763d072850ae7529fa6ad13a8ffa1c02312c01b6457c23a176feceb0
SHA512 dd03507daeaf5fc03bc22860a558c5949889ed58fa76371c64f19db21b6233b01fa1c7e6f9c497463403aadce7c5273da37e42f463374862f144f277f384bac0

\Windows\SysWOW64\ckgmelvcsc.exe

MD5 50d640488006ab1b71c953a9d955f2ad
SHA1 cd4ba598cce15ff3ad994a471475c0d803ad4509
SHA256 87852cc841a55d1d5776df3775e745f4d087f67513962b368d194d86a0905566
SHA512 1381addfd46f7c3e071d5f4db27a6734666a7e1b5a4a49b23bda30cbf8077b4d5b908729c8c16453ef466dc0088722b25fced15afb2bca9f78c2ac9f1c2b3c27

\Windows\SysWOW64\irrvbslf.exe

MD5 237512a9b56cdf5d779650499b71ec31
SHA1 1e279475317912a10b1d6dd5f4750b5fcaa1cfea
SHA256 b312143ec54a984ba0f0568a672666ba7d79a472e10a186745cd0b7b91cfe82d
SHA512 186392d16ab59aff45d872a0bf343a30b192852e472d41a7079a389f0b4817a17f7217911e798c84cd20fb628a9c58ab7b80d849d9556c1db54ee9e094f27b3f

C:\Windows\SysWOW64\nkzerqgkwltga.exe

MD5 099d1e0e80966beec378bda3fe157ebb
SHA1 0b9358d3b0e68e41f422af25f9aa7ad3c968232f
SHA256 75e36632bb3cc3aff3e8968a8746a0ee29e65b1840f3cc1a2d777bce1ba36c23
SHA512 3f654cc6423f01127a42b80378f2df6ddd25fe4d2e9f8fe9feb46b041b6df34466b657e823b277c56e408c5414d58fb3563cd4d1a507287985a232d6d0eefd5d

memory/2496-45-0x000000002FF61000-0x000000002FF62000-memory.dmp

memory/2496-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2496-51-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 64ae00270ebb34d2fa8e5a0f223eb0e3
SHA1 c819df4be42f4ee57cc078e71354d8875c8a18b7
SHA256 d12c9c7892f7ae1252e076602647348c5df8525f3e27bd704c9b83263321cd2b
SHA512 f39ef61816ab0866c70a82d64d0f46fd99734c5715eae5a9873c7f682d3130e85362e5e5e64eef4210f1e46fcb1610caa05579706f1cf610c427fac20536b80e

memory/2496-84-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

memory/2496-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 369376ab306cebd085fd49257bd94423
SHA1 ac66ef509bf8fd685fce9d6ea896cb7022677ffc
SHA256 66259a3a347c14a698106a2a99275e485a4446a071c8a2b9cf25bb1c2878c43f
SHA512 29337b122253e52f4e1ba67f8990a381210d9d32250d7f809ae6d0170583ccf001a25ebf5ec4ce1f709ef25a4ca10650a27c18b5843a1cdc37b2a387da04e019

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\busypuolpd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\busypuolpd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jplildod = "busypuolpd.exe" C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tllsqfqx = "pcdfoonstjqnfsq.exe" C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fffosxigyvdct.exe" C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\busypuolpd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zxrhzygl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\busypuolpd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\busypuolpd.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zxrhzygl.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fffosxigyvdct.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created C:\Windows\SysWOW64\busypuolpd.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zxrhzygl.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fffosxigyvdct.exe C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\busypuolpd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zxrhzygl.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B05B449739EA52C4B9A23292D7CA" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068B5FE6821D1D27CD0D18A0F9111" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7D9D5182566D4577D570522CAB7C8E64DD" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67D1597DBC3B9BC7CE2EC9F37BA" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFF84826851E9042D62F7D9CBD95E640584167436346D690" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACEF910F1E4837F3B3786EE3E92B38B02FE4269034EE1C8459C09D2" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
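The rows above show busypuolpd.exe rewriting the default handler of .bat, .vbs, .wsf, .wsh, .wsc and .reg to "txtfile", so that double-clicking any of those script types opens Notepad instead of executing, a common way for malware to blunt clean-up scripts and registry fixes. The following is an added example, not part of this sandbox report: it parses the report's own "Set value (str)" rows, flags every extension whose ProgID no longer matches the stock value, and on a Windows host can read the same keys live. The table of stock ProgIDs is an assumption for an unmodified Windows 10 install; the sample rows are a constructed excerpt of the table above.

```python
import re
import sys

# Stock ProgIDs Windows 10 assigns to these extensions under HKLM\SOFTWARE\Classes
# (assumption: an unmodified install; organisations may legitimately change them).
DEFAULT_PROGIDS = {
    ".bat": "batfile",
    ".cmd": "cmdfile",
    ".js": "JSFile",
    ".vbs": "VBSFile",
    ".vbe": "VBEFile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
    ".wsc": "scriptletfile",
    ".reg": "regfile",
}

# One "Set value (str)" row of the report's registry table. Only rows whose key is a
# bare extension directly under Classes match; the CLV.Classes rows do not.
SET_VALUE_RE = re.compile(
    r'^Set value \(str\)\s+\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<ext>\.[A-Za-z0-9]+)\\\s*=\s*"(?P<progid>[^"]*)"\s+(?P<process>\S.*?)\s+N/A$',
    re.IGNORECASE,
)

# Constructed excerpt of the report rows (a CLV.Classes row and a "Key created" row
# are included as negative cases).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B05B449739EA52C4B9A23292D7CA" C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\busypuolpd.exe N/A
""".strip().splitlines()


def parse_association_changes(rows):
    """Map extension -> (new ProgID, writing process) for every handler rewrite in the rows."""
    changes = {}
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if m:
            changes[m["ext"].lower()] = (m["progid"], m["process"])
    return changes


def read_live_handlers(extensions=DEFAULT_PROGIDS):
    """On a Windows host, read the same default values from HKLM; elsewhere return {}.
    HKCU\\Software\\Classes can shadow HKLM for the current user, so a live triage
    should read both hives; only HKLM is shown here."""
    if sys.platform != "win32":
        return {}
    import winreg
    live = {}
    for ext in extensions:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\" + ext) as key:
                live[ext] = (winreg.QueryValueEx(key, "")[0], None)
        except OSError:
            continue
    return live


def find_hijacked_handlers(changes, defaults=DEFAULT_PROGIDS):
    """Extensions whose handler no longer points at the stock ProgID."""
    hijacked = {}
    for ext, (progid, process) in changes.items():
        expected = defaults.get(ext)
        if expected is not None and progid.lower() != expected.lower():
            hijacked[ext] = {"expected": expected, "actual": progid, "by": process}
    return hijacked


if __name__ == "__main__":
    found = find_hijacked_handlers(parse_association_changes(REPORT_ROWS))
    for ext, info in sorted(found.items()):
        print(f'{ext}: {info["expected"]} -> {info["actual"]} (by {info["by"]})')
    live = find_hijacked_handlers(read_live_handlers())
    print("live host:", live or "not on Windows or nothing changed")
```

Restoring the handlers means resetting each extension's default value to its stock ProgID under both HKLM and HKCU; an "actual" of txtfile on all six script types, written by one dropped executable, is the pattern to look for when triaging a host against this report.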

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\busypuolpd.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\fffosxigyvdct.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A
N/A N/A C:\Windows\SysWOW64\zxrhzygl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\busypuolpd.exe
PID 4560 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\busypuolpd.exe
PID 4560 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\busypuolpd.exe
PID 4560 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe
PID 4560 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe
PID 4560 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe
PID 4560 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\fffosxigyvdct.exe
PID 4560 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\fffosxigyvdct.exe
PID 4560 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\fffosxigyvdct.exe
PID 4972 wrote to memory of 3740 N/A C:\Windows\SysWOW64\busypuolpd.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4972 wrote to memory of 3740 N/A C:\Windows\SysWOW64\busypuolpd.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4972 wrote to memory of 3740 N/A C:\Windows\SysWOW64\busypuolpd.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4560 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
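The WriteProcessMemory rows double as a process-lineage record: 4560 (the original sample) writes into each of the four SysWOW64 drops and into WINWORD.EXE (3264, which the Processes section shows opening C:\Windows\mydoc.rtf), and busypuolpd.exe (4972) in turn writes into a second zxrhzygl.exe (3740). The following is an added example, not part of this sandbox report: it parses the rows into a writer-to-target graph and prints it as an indented tree with write counts. It assumes that the first process to write into a PID is its parent, which is a heuristic; the report lists no parent PIDs, and a parent writing into a child it just created does not by itself prove code injection, so the tree should be read alongside the Processes section rather than instead of it. The rows are a constructed excerpt copied from the table above.

```python
import re
from collections import Counter, defaultdict

# One row of the "Suspicious use of WriteProcessMemory" table. The two image paths are
# separated only by a space and may themselves contain spaces, so the writer's path is
# taken up to the first ".exe" that is followed by another drive-letter path.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+'
    r'(?P<src_img>[A-Za-z]:\\.*?\.exe)\s+(?P<dst_img>[A-Za-z]:\\.*\.exe)$',
    re.IGNORECASE,
)

# Constructed excerpt: the report's rows, repeated as often as the report lists them.
WRITE_ROWS = r"""
PID 4560 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\busypuolpd.exe
PID 4560 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\busypuolpd.exe
PID 4560 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\busypuolpd.exe
PID 4560 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe
PID 4560 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe
PID 4560 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe
PID 4560 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\fffosxigyvdct.exe
PID 4560 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\fffosxigyvdct.exe
PID 4560 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Windows\SysWOW64\fffosxigyvdct.exe
PID 4972 wrote to memory of 3740 N/A C:\Windows\SysWOW64\busypuolpd.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4972 wrote to memory of 3740 N/A C:\Windows\SysWOW64\busypuolpd.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4972 wrote to memory of 3740 N/A C:\Windows\SysWOW64\busypuolpd.exe C:\Windows\SysWOW64\zxrhzygl.exe
PID 4560 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4560 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
""".strip().splitlines()


def parse_writes(rows):
    """Return (pid -> image path, Counter of (writer pid, target pid) -> write count)."""
    images, edges = {}, Counter()
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
        edges[(src, dst)] += 1
    return images, edges


def build_tree(edges):
    """Roots and child lists derived from the write edges. A process is a root if nothing
    wrote into it; the first writer seen is treated as its parent (heuristic)."""
    children, parents = defaultdict(list), {}
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
        parents.setdefault(dst, src)
    roots = sorted(p for p in children if p not in parents)
    return roots, dict(children)


def render_tree(pid, children, images, depth=0):
    """Indented text lines: pid, image basename, and the write count from its writer."""
    name = images.get(pid, "?").rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child, n in children.get(pid, []):
        sub = render_tree(child, children, images, depth + 1)
        sub[0] += f" ({n} writes)"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    images, edges = parse_writes(WRITE_ROWS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render_tree(root, children, images)))
```

On the report's rows the tree has a single root, 4560, with five direct children and one grandchild (3740 under 4972); the extra zxrhzygl.exe instance started by busypuolpd.exe is the one to watch for when comparing against the Processes section, which also lists two zxrhzygl.exe entries.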

Processes

C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe"

C:\Windows\SysWOW64\busypuolpd.exe

busypuolpd.exe

C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe

pcdfoonstjqnfsq.exe

C:\Windows\SysWOW64\zxrhzygl.exe

zxrhzygl.exe

C:\Windows\SysWOW64\fffosxigyvdct.exe

fffosxigyvdct.exe

C:\Windows\SysWOW64\zxrhzygl.exe

C:\Windows\system32\zxrhzygl.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3636 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4560-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zxrhzygl.exe

MD5 4ea8aaee976e7fc829dc6d9a34d980b6
SHA1 0977509c8db972f3e0856fa8466c4834af6133c4
SHA256 ab7cfa9407db95db99a8816b3b3ddff3cf8e5d6223f1dff096032d025190dc5d
SHA512 b644631d4446f8757cbc1a7f10aa7cb8d3b8674696cb794108772e7d9737ff1c34f5a752f1fed546813570fdeffcf909a0a567b05bc51c310035cf3effefff51

C:\Windows\SysWOW64\busypuolpd.exe

MD5 7e165ca3979142f5e6dcea9a7751106e
SHA1 3ad46d04fff8cb75c23c19f4ac8405dd62aacefc
SHA256 8a6fc35f5ba650ebda5e6022036ccebe8909c40735e57c0e1e9bb2bb4366d37e
SHA512 a23cdc82556cf0b0b2b182ecbf2688ed2e6d033389bc9631db5f073d40c8897b3f0fc0d187ba7be9b3679d2cd243f806c70fa4ff88ca9b3c9feaf18cc3c44165

C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe

MD5 24b2fd703a3abd8c81a82a2ccbad97ba
SHA1 08a570e9d75796a7a98343e7e669efb6212f4140
SHA256 eceb3cf417bc55895cfc77e7020be4b27ec41f6948a7f84adf43da1039c57e97
SHA512 b3a3612980e35d98876b59168842479a9369f751604b1927a4bdd8678274f4b2a3bc6720759c8c4aa002aa293f140476d1255c0998e45d33b1ea1214a93697a0

C:\Windows\SysWOW64\fffosxigyvdct.exe

MD5 702617163fecbb371e3ee89b0cca16be
SHA1 ce76324de39234220568223c20532166b55b5181
SHA256 271c5c25ca03a7967b845dc6e7909be0a5cc09ea182b424465a554dad66641ac
SHA512 ff0ed5ba24d426c0872f3836212f3e34f2c4bf2d9c39f207f123ae1fc1f22a735af2a0345150af1a2014ac99d76a1a9c81051f988af50f3ca9cb2d808154de27

memory/3264-38-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-37-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-41-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-40-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-39-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-42-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-43-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-46-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-45-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-44-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-47-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-48-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-49-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-50-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-51-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-52-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 b7002784497c4ff5178e181a3764bc66
SHA1 287dbc44b83c32fe929e4b367ff9c3c54f643b98
SHA256 0c619c259e6d56be62eb8c39927c495d55183c9be35abca52abe6069179971d3
SHA512 de0bac78cf48dc0094a2a94523d5496188ebd0e703dcd3ca393660532cd95ed8baca6e050adf67b93b719c073f5d4fcdbac96ce3249a4bccc78f350c6760ff36

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 867139a0427b9057c5042c0a70a827c5
SHA1 fe562bfc4b1c3f1a60fe9be12012df3c0cde2faa
SHA256 aafc6362e00f13caeaf735a4df3b9c88726c9d4528f9f4c8773b2dedf7a18997
SHA512 ff3bb752fd7471ef86daf9120b24eadde424002f94dbf661d17485c8a7f38217735f690aa62ca21c6852217ae2383c0ac59819b8f98534037dda8005a08cc8b0

memory/3264-65-0x00007FFB94C70000-0x00007FFB94C80000-memory.dmp

memory/3264-66-0x00007FFB94C70000-0x00007FFB94C80000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 2fae0fe44fb67ed515b21a2b6fba40e3
SHA1 d39c4cb134c596851c157406149129a69844613b
SHA256 bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1
SHA512 9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4779e301c01cafbec0ddd5af89df7bb5
SHA1 3260c750b8b399f8f4c060bf1163b710e9787f7f
SHA256 c3bc8bf9b4278ff8f7873d85e0180e64b735526e341b2a9deda788c53c134602
SHA512 0de336723c20ee8bc19afc3d092ab6d8ec042427036e4f85250e891c5c94e96d554d102653079a36641260f0f6ce06dab82abac4a916b71e2420aeaff645f813

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6bb8aa5a12e7d06c632fd7aae5b23c90
SHA1 42d6d84cd1c17519d4ec8e233c950854973e08da
SHA256 adee2a1e981fb7f79dbffccf175fe7cdc9e604831ba108a6bb0484277d23c85b
SHA512 b96bf1f184e746d554a637567a32bbaf770ed9d05eebf5dc1ddb13d8bc44432beeb38a109896c49bd7a80231d92f2529eea4729eb7b99e718679c84ec24ee3ee

memory/3264-104-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-105-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-106-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 8363bccc9a7fc2e89bebb45cf20f5c0b
SHA1 88246690fddee29811b45a31a7f934eb07d26776
SHA256 dc4fa9b5d88e2422c5eea1f326e83cb5472ba463cec69dce16137e883c8571e5
SHA512 1bf336a6a0de7eaff65f6002e342029eabfae5b056b37c068d772e90ef63a89fcae36e3afe0f7aaed30875a88b8ce2cba9a92dc1e999ce946bf42329c81ac3ba

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 b87291fb2d96a794c658157275055f3e
SHA1 37c4d01e090657aefda6e4f02f581e43b85cb663
SHA256 a6e096a9cd049ea8ff1e3f622c4a19e57eafbde496108dd16263a140312577ac
SHA512 874c389104c58febc3b105a36f8fbf21d4c786e29c08c869b88c6b939a22bea866d9923f71ab5875de554f184e8f902900b79c54d639642125a980a261a2a1ac

memory/3264-141-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-142-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-143-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-145-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-144-0x00007FFB97470000-0x00007FFB97480000-memory.dmp

memory/3264-146-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp

memory/3264-147-0x00007FFBD73F0000-0x00007FFBD75E5000-memory.dmp
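Two points about the Network and Files sections are easy to miss when lifting indicators from this report. Every Network row but one is a PTR query sent to 8.8.8.8, so the interesting address is the queried one, not the resolver; the only direct connection is the TCP session to 20.231.121.79:80, and the report does not attribute it or the lookups to any process (with WINWORD.EXE and msedge.exe running, Office and browser background traffic is a plausible source, an assumption rather than a finding). In Files, the same customDestinations-ms path appears twice with different hashes, so indicators should be keyed by hash rather than by path, and the MsoIrmProtector.doc.exe entries carry the NT object-manager prefix \??\ that must be stripped before paths compare equal. The following is an added example, not part of this sandbox report: it parses both sections, normalises paths, validates digest lengths, reverses in-addr.arpa names back to addresses, and separates the direct connection from the DNS noise. The sample text is a constructed excerpt of the report's own rows.

```python
import ipaddress
import re

HASH_RE = re.compile(r'^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<digest>[0-9a-fA-F]+)$')
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Country, destination:port, optional queried domain, protocol (the report's Network layout).
NET_RE = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+'
    r'(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$'
)
PTR_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$', re.IGNORECASE)

# Constructed excerpt of the Files section (SHA512 lines omitted for brevity).
FILES_SAMPLE = r"""
memory/4560-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zxrhzygl.exe

MD5 4ea8aaee976e7fc829dc6d9a34d980b6
SHA1 0977509c8db972f3e0856fa8466c4834af6133c4
SHA256 ab7cfa9407db95db99a8816b3b3ddff3cf8e5d6223f1dff096032d025190dc5d

C:\Windows\SysWOW64\busypuolpd.exe

MD5 7e165ca3979142f5e6dcea9a7751106e
SHA1 3ad46d04fff8cb75c23c19f4ac8405dd62aacefc
SHA256 8a6fc35f5ba650ebda5e6022036ccebe8909c40735e57c0e1e9bb2bb4366d37e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4779e301c01cafbec0ddd5af89df7bb5
SHA256 c3bc8bf9b4278ff8f7873d85e0180e64b735526e341b2a9deda788c53c134602

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6bb8aa5a12e7d06c632fd7aae5b23c90
SHA256 adee2a1e981fb7f79dbffccf175fe7cdc9e604831ba108a6bb0484277d23c85b

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 8363bccc9a7fc2e89bebb45cf20f5c0b
SHA256 dc4fa9b5d88e2422c5eea1f326e83cb5472ba463cec69dce16137e883c8571e5
""".strip()

# Constructed excerpt of the Network section.
NETWORK_SAMPLE = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
""".strip()


def normalize_path(path):
    """Strip the \\??\\ NT prefix and upper-case the drive letter so one file logged
    under two spellings compares equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse_files(text):
    """Group the Files section into {path, hashes} entries; memory dumps have no hashes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m["algo"], m["digest"].lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current['path']}")
            current["hashes"][algo] = digest
        else:
            current = {"path": normalize_path(line), "hashes": {}}
            entries.append(current)
    return entries


def file_iocs(entries):
    """Dropped-file indicators as sorted (normalised path, sha256) pairs, keyed by hash."""
    return sorted({(e["path"], e["hashes"]["SHA256"]) for e in entries if "SHA256" in e["hashes"]})


def ptr_to_ip(name):
    """217.106.137.52.in-addr.arpa -> 52.137.106.217; None if not a reverse name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_network(text):
    """One dict per Network row, with PTR names resolved back to the address asked about."""
    records = []
    for raw in text.splitlines():
        m = NET_RE.match(raw.strip())
        if not m:
            continue
        dst = str(ipaddress.ip_address(m["dst"]))  # raises on a malformed address
        domain = m["domain"]
        records.append({"dst": dst, "port": int(m["port"]), "proto": m["proto"],
                        "domain": domain, "ptr_ip": ptr_to_ip(domain) if domain else None})
    return records


def direct_connections(records):
    """Everything that is not a DNS query: the only candidate command-and-control endpoints."""
    return sorted({(r["dst"], r["port"], r["proto"]) for r in records
                   if not (r["proto"] == "udp" and r["port"] == 53 and r["domain"])})


def reverse_lookup_targets(records):
    """Addresses the sandbox asked the resolver about through PTR queries."""
    return sorted({r["ptr_ip"] for r in records if r["ptr_ip"]})


if __name__ == "__main__":
    for path, sha256 in file_iocs(parse_files(FILES_SAMPLE)):
        print(sha256, path)
    recs = parse_network(NETWORK_SAMPLE)
    print("direct:", direct_connections(recs))
    print("ptr targets:", reverse_lookup_targets(recs))
```

Hash-keyed indicators from the five dropped executables (zxrhzygl.exe, busypuolpd.exe, pcdfoonstjqnfsq.exe, fffosxigyvdct.exe and the two MsoIrmProtector.doc.exe variants) are the durable part of this report; the single 20.231.121.79:80 connection and the PTR targets should be kept at low confidence until a process is tied to them.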