Malware Analysis Report

2024-11-30 02:41

Sample ID 240407-t64csagh91
Target e5617b2da499c88bc5802c3f8e952737_JaffaCakes118
SHA256 f48046909760b08428a87969d87f465e64c1fdaeccc3ee5a9050eab9037828d1
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f48046909760b08428a87969d87f465e64c1fdaeccc3ee5a9050eab9037828d1

Threat Level: Known bad

The file e5617b2da499c88bc5802c3f8e952737_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies registry class

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 16:41

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 16:41

Reported

2024-04-07 16:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\lrdufovhda.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\lrdufovhda.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vslgdvld = "txrkctxivszdvvj.exe" C:\Windows\SysWOW64\txrkctxivszdvvj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mccbvvsmmamva.exe" C:\Windows\SysWOW64\txrkctxivszdvvj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hwpungez = "lrdufovhda.exe" C:\Windows\SysWOW64\txrkctxivszdvvj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lrdufovhda.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gppmilix.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gppmilix.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\lrdufovhda.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\lrdufovhda.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gppmilix.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mccbvvsmmamva.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mccbvvsmmamva.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\lrdufovhda.exe N/A
File created C:\Windows\SysWOW64\lrdufovhda.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\txrkctxivszdvvj.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\txrkctxivszdvvj.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gppmilix.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gppmilix.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gppmilix.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gppmilix.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFFF485A85139045D6217E96BDE0E144594667336241D7EC" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\lrdufovhda.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\lrdufovhda.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC70B1597DAC7B8C07FE2ED9234CD" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\lrdufovhda.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\lrdufovhda.exe N/A
N/A N/A C:\Windows\SysWOW64\txrkctxivszdvvj.exe N/A
N/A N/A C:\Windows\SysWOW64\gppmilix.exe N/A
N/A N/A C:\Windows\SysWOW64\mccbvvsmmamva.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\lrdufovhda.exe
PID 2372 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\txrkctxivszdvvj.exe
PID 2372 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\gppmilix.exe
PID 2372 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\mccbvvsmmamva.exe
PID 2640 wrote to memory of 2632 N/A C:\Windows\SysWOW64\txrkctxivszdvvj.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2680 N/A C:\Windows\SysWOW64\lrdufovhda.exe C:\Windows\SysWOW64\gppmilix.exe
PID 2372 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2872 wrote to memory of 524 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe"

C:\Windows\SysWOW64\lrdufovhda.exe

lrdufovhda.exe

C:\Windows\SysWOW64\txrkctxivszdvvj.exe

txrkctxivszdvvj.exe

C:\Windows\SysWOW64\gppmilix.exe

gppmilix.exe

C:\Windows\SysWOW64\mccbvvsmmamva.exe

mccbvvsmmamva.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c mccbvvsmmamva.exe

C:\Windows\SysWOW64\gppmilix.exe

C:\Windows\system32\gppmilix.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2372-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\txrkctxivszdvvj.exe

MD5 d3109b83c25cd435548f5b3af1e111dd
SHA1 fe5fc3f946e130142b45eb5bb2c20c5fa4a1d804
SHA256 9828ec4e274edd1322191b5a51bef8268811bff10e2b0e871053f3a2795bc487
SHA512 8fd3e6c31616a3330472d373bc5f0fa82eccbbab6c9aaa6c3d8a7285b9103a2d4454985832a36007aa5827ab23c986aa1ba31b8974b4c8ad3982245a3d0d3672

\Windows\SysWOW64\lrdufovhda.exe

MD5 19f7e5015cc19dd4a0a23afb69e08edd
SHA1 424475fa4af4b5de80174bfb41c1c2f6cf95c227
SHA256 970e3f94008dcf9fb0181695f942c7eb71aaf36991d23a8e3b7b4383176a0207
SHA512 0688e40262dd75edf8e26650f168ef715d3a652b9e60ecbca5cf2df3f575b13835da0fd91a2b52963f9dedfb5b0b92e81536986435d4aa2ce3761dce7101fc07

\Windows\SysWOW64\gppmilix.exe

MD5 1d1048be730d0cf51f329be152954d97
SHA1 1c8608aa14ef9b089d03de672ce3e65dc451fecc
SHA256 0904ef4ff2389e7d65c26924e28df3d5a81017cc6fd61970171908089a97f1c2
SHA512 675e56da872013a54d32b90caf224fc9284319464654a4c09cefc9e820b6c679ee44a25037fbdc87d6772c1be5cd467ee1aa579edabe49c65b7db8f7eb56213e

\Windows\SysWOW64\mccbvvsmmamva.exe

MD5 b370c562a0c29072d9ae1ee969176ea7
SHA1 e25c723ec7836f6b1be03c70835abb6928ec8633
SHA256 7a3a0447f965b999e6d5ab218d669b8e59f8726a1aefb4468c9dd8cbb2c4871c
SHA512 e6e0e259a1bab6963491f281a4ad959a37b695d3da2e025624679212a49c7de8780e55b23af26a0f876526b39fa59580c19366d499bcabdb985ec5cfeab1ee0c

memory/2872-45-0x000000002FE31000-0x000000002FE32000-memory.dmp

memory/2872-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2872-47-0x0000000070CAD000-0x0000000070CB8000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 ad61b9d0b935e34c4ae957b35e8ef9cd
SHA1 8fbdbc5d4e04c9a1d1644e65bf44430f614e5d54
SHA256 8e93110b81981f2351df975aa160c071cd83619604434f68ee644e69d2005780
SHA512 14d45a9897799035f2262c596a0a366859e4e3b496e02e4c10cafb0587e782d0201d2cd684df1cab3a698214444580da445a2fcb0bc1d02bd7bd6bd38043a383

memory/2872-81-0x0000000070CAD000-0x0000000070CB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 54f92513155744724961563a4a04f63e
SHA1 d5cebead3c6f8235906f0a674723844a6295bfdd
SHA256 813423b36c35fe950e3759636dae2b6a3f907f6f507ed574fe2a2a5d1493757a
SHA512 48ac9e96979b09b35fa8bc679aad7089ae1efd86115e8b7319169b6117a919fd28114af3b82101b9aee4b33685fd956fd146abed9ac25434a86b2b2f233e5340

memory/2872-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 16:41

Reported

2024-04-07 16:43

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mondyfnzpabqx.exe" C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxmksaif = "htmvvpcupl.exe" C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bxsfwtwg = "psnkyfehphuqpau.exe" C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\xhzaqqfq.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\htmvvpcupl.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File created C:\Windows\SysWOW64\htmvvpcupl.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\psnkyfehphuqpau.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xhzaqqfq.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mondyfnzpabqx.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\htmvvpcupl.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\psnkyfehphuqpau.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mondyfnzpabqx.exe C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\xhzaqqfq.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468C4FE6921AAD173D0D68A099117" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C77914E1DAC4B9BA7FE0ECE034CE" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7C9C2482596D4377D070252DDB7C8E64AC" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9CEF963F19284793B47869E3999B38F02FC42140238E2CE429A09D6" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B15B44E439E352CFB9D33293D4BC" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF88482E856E9031D7217DE2BCE7E63259466745623FD69C" C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\htmvvpcupl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\htmvvpcupl.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\htmvvpcupl.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\psnkyfehphuqpau.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\mondyfnzpabqx.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A
N/A N/A C:\Windows\SysWOW64\xhzaqqfq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\htmvvpcupl.exe
PID 404 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\htmvvpcupl.exe
PID 404 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\htmvvpcupl.exe
PID 404 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\psnkyfehphuqpau.exe
PID 404 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\psnkyfehphuqpau.exe
PID 404 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\psnkyfehphuqpau.exe
PID 404 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\xhzaqqfq.exe
PID 404 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\xhzaqqfq.exe
PID 404 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\xhzaqqfq.exe
PID 404 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\mondyfnzpabqx.exe
PID 404 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\mondyfnzpabqx.exe
PID 404 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Windows\SysWOW64\mondyfnzpabqx.exe
PID 404 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 404 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4036 wrote to memory of 2160 N/A C:\Windows\SysWOW64\htmvvpcupl.exe C:\Windows\SysWOW64\xhzaqqfq.exe
PID 4036 wrote to memory of 2160 N/A C:\Windows\SysWOW64\htmvvpcupl.exe C:\Windows\SysWOW64\xhzaqqfq.exe
PID 4036 wrote to memory of 2160 N/A C:\Windows\SysWOW64\htmvvpcupl.exe C:\Windows\SysWOW64\xhzaqqfq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe"

C:\Windows\SysWOW64\htmvvpcupl.exe

htmvvpcupl.exe

C:\Windows\SysWOW64\psnkyfehphuqpau.exe

psnkyfehphuqpau.exe

C:\Windows\SysWOW64\xhzaqqfq.exe

xhzaqqfq.exe

C:\Windows\SysWOW64\mondyfnzpabqx.exe

mondyfnzpabqx.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\xhzaqqfq.exe

C:\Windows\system32\xhzaqqfq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/404-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\psnkyfehphuqpau.exe

MD5 ed8431dfcf2dfb9413f51e2287de1563
SHA1 cc1eb22f81ae860731ba42dc08f47bd945cc6dd8
SHA256 846991730fd37306e27d61df32d0f06ad5347d9bd882fa6d1822df73a7caf381
SHA512 4f30fb55ddc0db0396480b2f5727365cf09b066abc75ddac9f9fb57d93a7b328d7a8c9e7042b1982c25408e1ef4885258b579e8a923e60f4c084c2b7b493578f

C:\Windows\SysWOW64\htmvvpcupl.exe

MD5 6a3a99b1e0c73496e34a6db4126b5cdb
SHA1 80ce9f68cbf3327ab90601cd973ee76bef5d0f09
SHA256 eec8007f377cb42db46963fd5b3b1bc26031ca25f3a0c342bc480f0ff137d6dc
SHA512 61b4ac70ddbd354d5894b901e649204a0776f434bef736ac9ee33dc464635b8720c492352c9777fe5411f41279d73ffd71d88a6114712bdf7a89c4223d35fbec

C:\Windows\SysWOW64\mondyfnzpabqx.exe

MD5 f32a6f451b762b337670db057d224315
SHA1 c180fdeff352e9ae1ce8debb272be1b224d87c57
SHA256 7f77397259b82e60eca79c24c8bdea46cbffa0e3079524b2d0cbbf61ae9d42f4
SHA512 9b00eb238bff50e69a7e1ea2d26b46f5d2d3be4a3519daf8b30cc2e1bce3fe33487a746c51e89a77f142c3c1cd76b9a94e0a5e2042111c8341271fc1ea54a074

C:\Windows\SysWOW64\xhzaqqfq.exe

MD5 a87c2d614188028ab26a8977f952a3d8
SHA1 665086b2a507949ee07610a73cf5bb61b33b73cb
SHA256 f9ac5f0ba0892c67f0e3ddba249b76d1a8c7131af67fa52519ba839a19dfbbc6
SHA512 410db630ee8cde0c1f0a1b9f729614c124b956650d92ff78ad400c132447f89126522b670a1f466843d6acb70fd4436dbc8acf1e091eb596de8c7a659b7c1cb3

memory/1104-35-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-40-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-41-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-42-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-44-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-45-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-48-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-47-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-46-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-49-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-50-0x00007FFBD1460000-0x00007FFBD1470000-memory.dmp

memory/1104-37-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-53-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-54-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-52-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-51-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-38-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-36-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-55-0x00007FFBD1460000-0x00007FFBD1470000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 955cfba83c355f3f6ad29e889ef145f4
SHA1 e0af6190ffa9db812ff91cd876ebe4e124cd0d7e
SHA256 e7c59d033ba6a5ea308e7d7251d7a73b4446637dfe25e212a74b02f0f97879f0
SHA512 52e3b919ff075b11fab36855bf9bcb5f3756c4602267ad61c8d46de20c8cf458b54bf638afe1c1b4b7503d6cc18ab32acd200d455144a2bef45fddd4b7d5a5fa

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 f676459a78753b577e73569994c28379
SHA1 6701f3a0d080362dc1bebec229d5260234bbf5b1
SHA256 9c0e9b75d6714a85a0a39b3463af04f08929406a0ad3c188516486d5bd72f7ee
SHA512 deb94501dc65dd40f7aab221356148f4e723fc94d71ae66c7fe033d4cbbd356900d5405aecc159e3e8254917972b4e11f5e375f4d1af635525eb9506284b552b

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 0267975e69270d05edd6f8eb79764b63
SHA1 ed6f620e0c4aa317bc0a280bf16085987c88289c
SHA256 e9ce0031670ed5fd0144dbc645d8d21620f34de0477292d0c07dca636404e4a2
SHA512 b28b8f7b1d6064193e112284d6765b5485dab077a3fdc7c135dc78cf5d7db30ca8a90d7e8e81ed7bfd99a6a7517641945bdaab3bbb4d46a1335242f01844d29b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 eebcf64d8a787ffa07b020652965d1a6
SHA1 21fdd92186b658db37493872f4032b88b7093564
SHA256 6ab8052b31c15b4c3f6822504c6f999ff4500a2686d192f54d19456f00ce14b0
SHA512 8d3d1ef2341a48eff7ee640aa23c4a9ffb161b4672ddf860190b6e3c881125ed3039eae8f25d63ea285124677e250bc16be5daa585907d32690de6856d1cd66f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7a1c882e951547be084f9fc6714d3765
SHA1 f771c84e21c7bf938071578ed5fa297c20ee8e1f
SHA256 a341bd34e4bed357df9960d76833d83073cf768a50f86978a245adf7a7c5fd24
SHA512 02dbffb1d674dcdaa98d5bc84309ddd26a700b60e913ee18d1769c11a4f13f2c09426f4a052d012f6cc80f61f9a9680b108f1d05b4ebae3c6d05a278f5a81553

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e4e7cfc35663b6c5c42f1d7b4f25594d
SHA1 38607cc99101f3c13bb9ab4bb8485f6ff2ca286a
SHA256 8cc0c8cd3a380510e1c0e29ea8b81975cbc9957f01185015b19471a0ad884c90
SHA512 8e0b4fa66460b3883ca1c2e256fb9518128caa090147a9f65732a761a9c4440af3fadcdc01b4f44fbc56ff4949eecc0f8ace48b47e7f5ca3d244ba15f2e003df

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 b20375b8403c30a94ae3a5e5a4468c2f
SHA1 ab3b6e63889fd13249790fec3a50e329be44e3ec
SHA256 e399ea7efd06c076e72fb3171fc57772b802760c41de79f325b233a00c5a074c
SHA512 b99767a57585b4e0b9743d26b592a33c413fe251380699b05650a72eded0c36b2d88ea303d0e98549cb8b82c8750868210a88f798ebe9d680d1e1520072def3f

memory/1104-104-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-128-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-127-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-126-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-129-0x00007FFBD3AF0000-0x00007FFBD3B00000-memory.dmp

memory/1104-132-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-131-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp

memory/1104-130-0x00007FFC13A70000-0x00007FFC13C65000-memory.dmp