Malware Analysis Report

2024-11-30 02:44

Sample ID 240407-v2x6mshg9w
Target e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118
SHA256 e1be9c2e645983bef21100e9c324f859c8c3fa5efe7f6d7bdfce7f56c32060aa
Tags
evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e1be9c2e645983bef21100e9c324f859c8c3fa5efe7f6d7bdfce7f56c32060aa

Threat Level: Known bad

The file e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:29

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:29

Reported

2024-04-07 17:32

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ykuspggdxq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ykuspggdxq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "esuhreelieohq.exe" C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fqtyyqbh = "ykuspggdxq.exe" C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cxdqrquq = "vlvmwwaogjzpkoj.exe" C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gcajaito.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gcajaito.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ykuspggdxq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ykuspggdxq.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\esuhreelieohq.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ykuspggdxq.exe N/A
File created C:\Windows\SysWOW64\ykuspggdxq.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gcajaito.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gcajaito.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\esuhreelieohq.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gcajaito.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C0A9D2C82256D4576D770212CDA7C8665D8" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B4FF1B22D1D179D1D68A7B9162" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ykuspggdxq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12947EF39E853CFBAA233EAD7C9" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ykuspggdxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ykuspggdxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ykuspggdxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ykuspggdxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ykuspggdxq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\gcajaito.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\esuhreelieohq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe
PID 2224 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\esuhreelieohq.exe
PID 2224 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\esuhreelieohq.exe
PID 2224 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\esuhreelieohq.exe
PID 2224 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\esuhreelieohq.exe
PID 3008 wrote to memory of 2436 N/A C:\Windows\SysWOW64\ykuspggdxq.exe C:\Windows\SysWOW64\gcajaito.exe
PID 3008 wrote to memory of 2436 N/A C:\Windows\SysWOW64\ykuspggdxq.exe C:\Windows\SysWOW64\gcajaito.exe
PID 3008 wrote to memory of 2436 N/A C:\Windows\SysWOW64\ykuspggdxq.exe C:\Windows\SysWOW64\gcajaito.exe
PID 3008 wrote to memory of 2436 N/A C:\Windows\SysWOW64\ykuspggdxq.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2224 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2224 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2224 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2420 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2420 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2420 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2420 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
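The table above logs the same parent-to-child write four times per spawned process, which on this platform appears to be what the sandbox records for ordinary process creation rather than classic injection; the information worth keeping is the set of edges. The following script is an added example, not part of the report or the sandbox's own tooling: it parses a constructed subset of the rows above (the 2224 -> 3008 row kept four times, the other edges once), collapses duplicates into a process tree, and flags the drop-and-launch edges where the sample in the user's Temp directory starts an image it placed under the Windows directory. The regex, function names and category labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory" table
# above (behavioral1). The 2224 -> 3008 row is kept four times, as the sandbox logged it;
# the remaining edges are shown once each to keep the sample short.
WPM_LINES = r"""
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\ykuspggdxq.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe
PID 2224 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\esuhreelieohq.exe
PID 3008 wrote to memory of 2436 N/A C:\Windows\SysWOW64\ykuspggdxq.exe C:\Windows\SysWOW64\gcajaito.exe
PID 2224 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2420 wrote to memory of 1968 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

# Row layout: Description ("PID A wrote to memory of B"), Indicator (N/A), Process, Target.
# Paths contain spaces, so the parent image is matched lazily up to its first ".exe".
WPM_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<ppath>[A-Za-z]:\\.+?\.exe) (?P<cpath>[A-Za-z]:\\.+\.exe)$",
    re.IGNORECASE,
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_write_events(text):
    """Return (parent_pid, child_pid, parent_image, child_image) for each matching row."""
    events = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            events.append((int(m["parent"]), int(m["child"]), m["ppath"], m["cpath"]))
    return events


def build_tree(events):
    """Collapse repeated rows into one edge per (parent, child), keeping first-seen order."""
    children, names, counts = {}, {}, Counter()
    for parent, child, ppath, cpath in events:
        names.setdefault(parent, ppath)
        names.setdefault(child, cpath)
        counts[(parent, child)] += 1
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, names, counts


def roots(children):
    """PIDs that write into others but were never written into: the tree roots."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def render(children, names, pid, depth=0, out=None):
    """Indented text tree, one line per process, depth-first in first-seen order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {basename(names[pid])}")
    for c in children.get(pid, []):
        render(children, names, c, depth + 1, out)
    return out


def suspicious_edges(events):
    """Unique edges where a user-profile binary starts an image under the Windows directory."""
    seen = []
    for parent, child, ppath, cpath in events:
        if ppath.lower().startswith("c:\\users\\") and cpath.lower().startswith("c:\\windows\\"):
            if (parent, child) not in seen:
                seen.append((parent, child))
    return seen


if __name__ == "__main__":
    ev = parse_write_events(WPM_LINES)
    ch, nm, ct = build_tree(ev)
    for r in roots(ch):
        print("\n".join(render(ch, nm, r)))
    for p, c in suspicious_edges(ev):
        print(f"drop-and-launch: {p} {basename(nm[p])} -> {c} {basename(nm[c])} ({ct[(p, c)]} writes)")
```

The rendered tree makes the chain visible at a glance: the Temp-resident sample starts four freshly dropped SysWOW64 binaries plus WINWORD.EXE (with the decoy `/n "C:\Windows\mydoc.rtf"` shown in the Processes list below), ykuspggdxq.exe in turn starts a second gcajaito.exe, and WINWORD.EXE starts splwow64.exe, which is the normal 32-bit print spooler helper for a 32-bit Office build on 64-bit Windows and not by itself a signal.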

Processes

C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe"

C:\Windows\SysWOW64\ykuspggdxq.exe

ykuspggdxq.exe

C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe

vlvmwwaogjzpkoj.exe

C:\Windows\SysWOW64\gcajaito.exe

gcajaito.exe

C:\Windows\SysWOW64\esuhreelieohq.exe

esuhreelieohq.exe

C:\Windows\SysWOW64\gcajaito.exe

C:\Windows\system32\gcajaito.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2224-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\vlvmwwaogjzpkoj.exe

MD5 b2aeda4acce5ac97cd7ac05ee50cdf11
SHA1 4e0b73635116033880840ea6a4aeedfb0a2180a9
SHA256 5e2c29afb6ecf4b77890abd2d0f98f20e70125e378824827d6ae7e8c2ea93ec7
SHA512 23cfc68dce3b7e83458bb2d76e64d895bbc71ada8a1ac43fc0629b905c3743477c0ebed5c87268b34e998ac79024ca20c9603e82463a65cd346243ead23d12cb

\Windows\SysWOW64\ykuspggdxq.exe

MD5 a44167f4597c3a25c5167dbde638182c
SHA1 b012a0d3bba9e4c39201974275e37003db1238f1
SHA256 58dd890ac767dbf8e9393b4e83a4507dcf787f16ad2fe684e3e273047ea40459
SHA512 80e2c8a0167a2094b3511013d0065be191d1f3dc83c860ca255ef7963df10ff02c0287f9cea75106b0c8b46efe7ef8d285ec9adf9004b9bbf2fa42d74e412eae

C:\Windows\SysWOW64\gcajaito.exe

MD5 5e49eb0df7f1b7b89ec9f64b7920aa6b
SHA1 9cc6d05cf1b87b5628b1ee0b05ec9b20d4c794e6
SHA256 e00a585eb8442f9eeba45ac8c9790b374501bf2fbdf99b557412953a475ff05c
SHA512 4711017bb4aa41621a13981c1a4182fdede653ae76b6d7893b56e2242886f4a5f25a70110a633273c8bcbc1c68a78df5363c8795b4d39e012495a0f1f6de944e

\Windows\SysWOW64\esuhreelieohq.exe

MD5 458b140c7f160d3a0d76715cfcc7eeae
SHA1 52216e72c0a57be04e681d030ffdeb6571ff3366
SHA256 f825ff152e9c1c1b9a7341ae1ac7550e543a9ade8baa86dc0a0a0ed8f0d655e5
SHA512 6c46c8e91efbe2037718cab6db400a7f4254bfa2d01ee1eb64cb40d0e1a07fa70c5280aeeb3f65700dcae193ac9a7f18cb7e8d6323ba4db1a01ed716a56964ac

memory/2420-45-0x000000002FBF1000-0x000000002FBF2000-memory.dmp

memory/2420-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2420-47-0x000000007164D000-0x0000000071658000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 271b42eb84f21fb74d3aa56b9f6dc372
SHA1 d89e954d77edac7c8ea7319c108e44b63c262b97
SHA256 b3ebe77131295b133f29e58c8563f84407b44f0f59595230ca228a32c6c7b634
SHA512 fa1b3c9b80496d35d7faeff020a0b36509105c95686d657c7530d421518f1208c6f4ac244ae3b182364b3bd169e7d58a182ae2429ff76247f7e5b500e4830e65

C:\Users\Admin\AppData\Roaming\OpenStart.doc.exe

MD5 867942564c61b8e27e841dbaaddb6352
SHA1 3b83e3f1879872bc9b4713542cccf1f5e0ae44ae
SHA256 36c60c86b6cb28cc4de3bfebafe75c61b2f94c69d2bb80782be5e2ce80e85b15
SHA512 c90e511880e856c8cea017b1cdf3571ae9f32090777abda230d713380660a794349cbd910fe108f6df6c80bfbc59964d56540423486e77760ce3146bf35ab5fb

memory/2420-84-0x000000007164D000-0x0000000071658000-memory.dmp

memory/2420-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 5771c9dc629ab071d0b87a7e678d62e0
SHA1 8958cffa9eba737d7d24a2fe1f6ecda839d473a3
SHA256 3bd60ad01a47937ca2827e802bf3e57c95078e9caeb72b61883970dff2976552
SHA512 b98479baf7f66b907e56b21e4fe3f15325191b7e1f28d942617d34b91dd9e3697b6b099a80a43d60519bc215921d693fcf3b9c369d11203d5ee1d3a4b4a7963a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:29

Reported

2024-04-07 17:32

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vbkqbtgwlvkzy.exe" C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kugsakss = "msdmvnltnr.exe" C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vixantwf = "pyrgscbeoqprkwo.exe" C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fsgtqtih.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fsgtqtih.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msdmvnltnr.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\msdmvnltnr.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Windows\SysWOW64\msdmvnltnr.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fsgtqtih.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
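Three things in the file tables above deserve a closer look than a flat list gives: executables named like documents (`MsoIrmProtector.doc.exe`, `PROTTPLV.DOC.exe`, `PROTTPLN.DOC.exe`), writes into the WinSxS component store, which is normally touched only by Windows servicing, and executables dropped into SysWOW64 by a binary running from the user's Temp directory. The script below is an added example written for this report, not tooling from the sandbox vendor: it parses a constructed subset of the rows above, normalises the `\??\` object-manager prefix, deduplicates repeated rows, and tags each path with those reasons. It deliberately sets aside `C:\Windows\~$mydoc.rtf`, which is Word's owner file for the open decoy document. The `.nal` sibling files are reported as Program Files writes only; the page does not say what they contain, and the example does not guess. Regexes, rule names and thresholds are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of rows from the "Drops file in ..." tables above (behavioral2).
FILE_LINES = r"""
File created C:\Windows\SysWOW64\fsgtqtih.exe C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fsgtqtih.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fsgtqtih.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
"""

# Row layout: Description ("File created <path>" / "File opened for modification <path>"),
# Indicator (folded into the description here), Process, Target (N/A).
FILE_EVENT_RE = re.compile(
    r"^File (?P<action>created|opened for modification) (?P<path>.+?) "
    r"(?P<process>[A-Za-z]:\\.+?\.exe) N/A$",
    re.IGNORECASE,
)
# Document-looking name carrying an executable extension (masquerading double extension).
DOUBLE_EXT_RE = re.compile(
    r"\.(doc|docx|rtf|xls|xlsx|pdf|txt|jpg|png)\.(exe|scr|com|pif)$", re.IGNORECASE
)


def normalize(path):
    """Strip the NT object-manager prefix and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage_file_events(text):
    """Return (findings, ignored): one finding per unique (path, reason), plus skipped paths."""
    findings, ignored, seen = [], [], set()
    for line in text.splitlines():
        m = FILE_EVENT_RE.match(line.strip())
        if not m:
            continue
        path, proc = normalize(m["path"]), normalize(m["process"])
        name = basename(path)
        # Word's owner/lock file for an open document: expected whenever Word has a file open.
        if name.startswith("~$") and basename(proc) == "winword.exe":
            ignored.append(path)
            continue
        reasons = []
        if DOUBLE_EXT_RE.search(name):
            reasons.append("double_extension_executable")
        if path.startswith("c:\\windows\\winsxs\\"):
            reasons.append("winsxs_component_store_write")
        elif (path.startswith(("c:\\windows\\syswow64\\", "c:\\windows\\system32\\"))
              and name.endswith(".exe") and proc.startswith("c:\\users\\")):
            reasons.append("system_dir_drop_from_user_profile")
        elif path.startswith("c:\\windows\\") and "\\" not in path[len("c:\\windows\\"):]:
            reasons.append("windows_root_write")
        if path.startswith("c:\\program files"):
            reasons.append("program_files_write")
        for reason in reasons:
            if (path, reason) not in seen:
                seen.add((path, reason))
                findings.append({"path": path, "reason": reason, "process": proc,
                                 "action": m["action"].lower()})
    return findings, ignored


def summarize(findings):
    """Count findings per reason."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    found, skipped = triage_file_events(FILE_LINES)
    for f in found:
        print(f"{f['reason']:<36} {f['action']:<23} {f['path']}  by {basename(f['process'])}")
    print("ignored:", skipped)
    print(dict(summarize(found)))
```

On a live host the WinSxS and Program Files findings are the ones to verify first, because they outlast the process tree: compare the hashes of the flagged files against a clean install, and treat any `.DOC.exe` under an Office language folder as foreign regardless of its timestamp.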

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9BDFE16F1E784083B4286993994B080038A4268023BE1C545E708A5" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFFFC482B82699141D6587D92BC95E147584167356234D69D" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B0FE1A22DBD208D0A58B7A9010" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7B9C2D83526D4376A570532DDA7D8065DB" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B0294790389F52CFB9D6329CD7CE" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC6781493DAC5B8CA7FE0ECE034CF" C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\msdmvnltnr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\msdmvnltnr.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdmvnltnr.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A
N/A N/A C:\Windows\SysWOW64\fsgtqtih.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\msdmvnltnr.exe
PID 2324 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\msdmvnltnr.exe
PID 2324 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\msdmvnltnr.exe
PID 2324 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe
PID 2324 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe
PID 2324 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe
PID 2324 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\fsgtqtih.exe
PID 2324 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\fsgtqtih.exe
PID 2324 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\fsgtqtih.exe
PID 2324 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe
PID 2324 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe
PID 2324 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe
PID 2324 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2324 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3664 wrote to memory of 3828 N/A C:\Windows\SysWOW64\msdmvnltnr.exe C:\Windows\SysWOW64\fsgtqtih.exe
PID 3664 wrote to memory of 3828 N/A C:\Windows\SysWOW64\msdmvnltnr.exe C:\Windows\SysWOW64\fsgtqtih.exe
PID 3664 wrote to memory of 3828 N/A C:\Windows\SysWOW64\msdmvnltnr.exe C:\Windows\SysWOW64\fsgtqtih.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e578cc3b07d3c00458568b1dd19b7783_JaffaCakes118.exe"

C:\Windows\SysWOW64\msdmvnltnr.exe

msdmvnltnr.exe

C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe

pyrgscbeoqprkwo.exe

C:\Windows\SysWOW64\fsgtqtih.exe

fsgtqtih.exe

C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe

vbkqbtgwlvkzy.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\fsgtqtih.exe

C:\Windows\system32\fsgtqtih.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 51.11.108.188:443 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/2324-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\fsgtqtih.exe

MD5 7cc77d7a2bbb72372fa80a1aa303c53b
SHA1 fcf47509e129ff3b480b267218e53366ac23e8c3
SHA256 51dd1e4feed6697c75a480e1d0db19d69ffe0cd1c40ec4b00056b24ad98d1c6b
SHA512 8a694bbdcfb80c941a7805957633e09d018126a6a03ee5e750f1523db0e439cc2c84664df519605604a4493dbc4bcd3dbfefe37d1cc585f7092343bf00519434

C:\Windows\SysWOW64\msdmvnltnr.exe

MD5 ef7092e8264da67180e5c0bd2890770a
SHA1 237b8f8a00888f639fc2765bea1caa29fa55dad4
SHA256 18f7105ebe64042162f8dd23c49faaf45ebf0662b25f2a07744d82c63fcfc3dc
SHA512 7a274d54db06fc720a5d367b1d8bf1f939ce1cd93410552f5133933ee9054614be98a7449ed7333454d7b28bf227c1b82603d4c9106ac2c3fc62c40f3897152d

C:\Windows\SysWOW64\pyrgscbeoqprkwo.exe

MD5 647cb6255809446659c2dafec5e10dfb
SHA1 255a8e65f3d07c8b7067557108cec883f3335974
SHA256 87e999afeacb37b19a8279618f2c02abea429c04c341fbecaa1aefa6314c2a06
SHA512 3c136b6e5cf2196298272784418130203ecf29e3c1948a9b3bb94e492066cd9016468bcb3757626452181df06eaa21a5b10fdb97b8c4f84167821ec5844e443c

C:\Windows\SysWOW64\vbkqbtgwlvkzy.exe

MD5 aeff630acbc76154095ede7c60caf2dc
SHA1 f41c4f5bf176af6ab07b1f2ff9409fe1c44f7d68
SHA256 18a8888ff78c763874804650b7267a70022ee710808ea827aba7c11c4cad07e8
SHA512 a53adc35835c03e7e5d463a712c5b9fe15b6b5373d12f9ca7e52c1ee8ba5a40ca32dee09bddea2fd602c153835825ac4fc186fbe9e24880ed107a3b7d64c07f6

memory/1100-35-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-37-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-36-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-38-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-39-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-40-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-42-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-41-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-45-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-46-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-47-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-48-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-49-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-50-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-51-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-52-0x00007FFFB8340000-0x00007FFFB8350000-memory.dmp

memory/1100-53-0x00007FFFB8340000-0x00007FFFB8350000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\Downloads\EditSet.doc.exe

MD5 f70a39578dc1564816e8498252c62671
SHA1 52babd40960e1dfe1af8c9013d75937a25055aed
SHA256 09a53cff01d6668024941f18f370c8f70411b2ced3dd8b2735110536a7aca999
SHA512 9f7e428bedaf8336610b2d1803c3d9c1d646d5c521a12a75b014b26869f65c2beeaba99934315bf2c25b2fc24c26259d8956d8da681b1cb7b46394f504aaefe8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 d82c4c50bed477ff722a6f48768764bb
SHA1 629bff415718a715ee74f17b9d9b9abf1bcfb2db
SHA256 62cedb6184f8b0d9569a0ca2902faf1655dccff92465fdfe57404f26807f13eb
SHA512 27379fbd11cbfe6d8e4982f01d04d5bbf679951c67e3ad079d8617c4603fa0a51de1185d471b6b526e612066098c8d9a6301883c5129fa265e651eebe4c9a753

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ea3ab5c0d6f90192d77bdc007d6fddce
SHA1 8b134dacb5172fb9f88eb5578146e0ce0c9d22dd
SHA256 e65de27d8ef5d17c34dc59e77c2d34c60cfb4ad7ff16f25f1dd1b4a34fda9ce0
SHA512 d50812bd42b396ae7ecdf4cf4278cbab00d0aa22c98b21a3d8f41c5b20cd7e48fd301d9616dedb362c6ab70cda5e016f30f9e9b2302b38580005b88a53874188

C:\Users\Admin\AppData\Local\Temp\TCDDA86.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/1100-575-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-576-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-577-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 43205493b08536781445593b38147ed7
SHA1 2d4360c3c0dd2c12cc17f3cd409409d1d0c47b6f
SHA256 5644c036eadd1ba57ead5a0ab36f1b01723bacee60f211a1272d9d61c4cdba0e
SHA512 5da6e32f9d761d52c7fff581588f00fe8bb6140deb5a2ac815759d3fd1e0723f8b6e6fe3951611d3a46d766cbbf3cf26f3238811d81fa88c88ee16acf888d046

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 9327feeb7334e76ffe56f5490b9e88ec
SHA1 728f09a71e5fe18958c4af565624d4f8ede272b1
SHA256 6f5698698cd17ebe77a464d6901815efa0b8ad973349a6d68a0c665df87d8009
SHA512 bbbf9f6c8254c1c01cf2c4c6e0a0aa5223fb3c74aa195245152aee573c6341c6c5bf221c518374410383ba6c197b62fdd90ccae1e62e37f1a4bb56ac856bbe1f

memory/1100-610-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-611-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-612-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-613-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-614-0x00007FFFBA750000-0x00007FFFBA760000-memory.dmp

memory/1100-617-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-616-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp

memory/1100-615-0x00007FFFFA6D0000-0x00007FFFFA8C5000-memory.dmp