Malware Analysis Report

2024-11-30 02:48

Sample ID 240407-wvhytaaf9z
Target e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118
SHA256 9d2e1079756c759fcd7d9178ceda5acdff1b7846a8311d177b411dd6a537f97c
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d2e1079756c759fcd7d9178ceda5acdff1b7846a8311d177b411dd6a537f97c

Threat Level: Known bad

The file e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Checks processor information in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:14

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:14

Reported

2024-04-07 18:17

Platform

win7-20231129-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\jmddiryurw.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jmddiryurw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qttiemgl = "jmddiryurw.exe" C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\auasxdiw = "gorxvqkvrivtyhi.exe" C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rtifhoplczsjc.exe" C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jmddiryurw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nujvbezi.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\jmddiryurw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jmddiryurw.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nujvbezi.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rtifhoplczsjc.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jmddiryurw.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nujvbezi.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rtifhoplczsjc.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\jmddiryurw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\nujvbezi.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\nujvbezi.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nujvbezi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\jmddiryurw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FABBFE16F291840F3A4086E93E97B38D02FD4215023DE2BE42E808A3" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FC83482985689130D7287E95BDE1E131583666446334D7EE" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\jmddiryurw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B1FF1B21D1D20CD0A38A7E9166" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C77415E3DBC3B9CC7CE0ED9737CE" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\jmddiryurw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jmddiryurw.exe N/A
N/A N/A C:\Windows\SysWOW64\nujvbezi.exe N/A
N/A N/A C:\Windows\SysWOW64\rtifhoplczsjc.exe N/A
N/A N/A C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\jmddiryurw.exe
PID 3060 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe
PID 3060 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\nujvbezi.exe
PID 3060 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\rtifhoplczsjc.exe
PID 2744 wrote to memory of 2572 N/A C:\Windows\SysWOW64\jmddiryurw.exe C:\Windows\SysWOW64\nujvbezi.exe
PID 3060 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2556 wrote to memory of 1204 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe"

C:\Windows\SysWOW64\jmddiryurw.exe

jmddiryurw.exe

C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe

gorxvqkvrivtyhi.exe

C:\Windows\SysWOW64\nujvbezi.exe

nujvbezi.exe

C:\Windows\SysWOW64\rtifhoplczsjc.exe

rtifhoplczsjc.exe

C:\Windows\SysWOW64\nujvbezi.exe

C:\Windows\system32\nujvbezi.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/3060-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gorxvqkvrivtyhi.exe

\Windows\SysWOW64\jmddiryurw.exe

\Windows\SysWOW64\rtifhoplczsjc.exe

\Windows\SysWOW64\nujvbezi.exe

memory/2556-45-0x000000002FCF1000-0x000000002FCF2000-memory.dmp

memory/2556-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2556-47-0x000000007155D000-0x0000000071568000-memory.dmp

C:\Windows\mydoc.rtf

C:\Users\Admin\Downloads\UnblockMeasure.doc.exe

memory/2556-80-0x000000007155D000-0x0000000071568000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

memory/2556-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:14

Reported

2024-04-07 18:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iijkbrll = "ztxuzdzlte.exe" C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\frznifaq = "jjjmyicxuswhtys.exe" C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ysblmfzjogjfs.exe" C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created C:\Windows\SysWOW64\ztxuzdzlte.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ztxuzdzlte.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jjjmyicxuswhtys.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\meplzzjb.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jjjmyicxuswhtys.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\meplzzjb.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ysblmfzjogjfs.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ysblmfzjogjfs.exe C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meplzzjb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\meplzzjb.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABEF967F19484793B3186983E99B38A038C42160348E2CA45E909A9" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC7081491DAB5B8CD7CE2ED9F37C8" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FCFF485D851D9135D7217EE6BDE7E13D594067366341D6EE" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12F44EE39EE52C4B9A7329FD7C4" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BC3FE6E21AAD272D1D38A759166" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7C9D2182236D3676D477552CAB7CF364DC" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
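
The six `Set value` rows above whose data is `"txtfile"` re-point the default ProgID of .reg, .bat, .wsc, .wsf, .vbs and .wsh away from their stock handlers (regfile, batfile, scriptletfile, WSFFile, VBSFile, WSHFile) to the class Notepad uses for plain text. On the infected host a double-clicked batch file, VBScript or .reg repair file then opens as text instead of running, which quietly breaks clean-up scripts and registry imports without any error. All six writes come from the dropped C:\Windows\SysWOW64\ztxuzdzlte.exe, not from the original sample. The Python below is an added example and not part of the sandbox output: it parses rows in the format shown above, compares each extension's (Default) value against a table of stock Windows ProgIDs, and returns the hijacked extensions together with the writing process. The ProgID table and the `.cmd` control row are supplied here, not taken from the report.

```python
import re
from typing import List, NamedTuple

# Stock Windows ProgIDs for the script-like extensions this sample touches,
# plus a few siblings it did not, so the check generalises.
EXPECTED_PROGID = {
    ".bat": "batfile",
    ".cmd": "cmdfile",
    ".reg": "regfile",
    ".vbs": "VBSFile",
    ".vbe": "VBEFile",
    ".js":  "JSFile",
    ".jse": "JSEFile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
    ".wsc": "scriptletfile",
}

# One sandbox row:  Set value (<type>) <key>\<valuename> = "<data>" <process> <target>
# For the extension keys the value name is empty, i.e. the key's (Default) value.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]*?) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)


class Hijack(NamedTuple):
    extension: str   # e.g. ".bat"
    expected: str    # stock ProgID
    observed: str    # ProgID the sample wrote
    process: str     # image that performed the write


def find_association_hijacks(lines: List[str]) -> List[Hijack]:
    """Flag every script extension whose (Default) ProgID under
    HKLM\\SOFTWARE\\Classes was rewritten away from the stock value."""
    hits: List[Hijack] = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m or m.group("name") != "":
            continue                       # named values never carry the ProgID
        key = m.group("key")
        leaf = key.rsplit("\\", 1)[-1]     # ".reg", ".WSF", "CLV.Classes", ...
        if "\\Classes\\" not in key or not leaf.startswith("."):
            continue
        ext = leaf.lower()
        expected = EXPECTED_PROGID.get(ext)
        if expected is None:
            continue
        observed = m.group("data")
        if observed.lower() != expected.lower():
            hits.append(Hijack(ext, expected, observed, m.group("proc")))
    return hits


def hijacked_extensions(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated list of affected extensions."""
    return sorted({h.extension for h in find_association_hijacks(lines)})


# Rows copied from the registry table above (constructed sample input).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABEF967F19484793B3186983E99B38A038C42160348E2CA45E909A9" C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ztxuzdzlte.exe N/A',
    # Control row (constructed, not from the report): a stock association must not be flagged.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\Windows\regedit.exe N/A',
]

if __name__ == "__main__":
    for h in find_association_hijacks(SAMPLE_ROWS):
        print(f"{h.extension:5} {h.expected:13} -> {h.observed:8} by {h.process}")
```

On a live host the same comparison reads the (Default) value of HKLM\SOFTWARE\Classes\<ext>; HKCU\Software\Classes overlays it for the interactive user and must be checked as well. The check keys on the ProgID name only, so a hijack that leaves `batfile` in place but rewrites `batfile\shell\open\command` needs a separate check of that command string.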

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\ztxuzdzlte.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\jjjmyicxuswhtys.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\ysblmfzjogjfs.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A
N/A N/A C:\Windows\SysWOW64\meplzzjb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\ztxuzdzlte.exe
PID 3856 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\ztxuzdzlte.exe
PID 3856 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\ztxuzdzlte.exe
PID 3856 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\jjjmyicxuswhtys.exe
PID 3856 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\jjjmyicxuswhtys.exe
PID 3856 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\jjjmyicxuswhtys.exe
PID 3856 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\meplzzjb.exe
PID 3856 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\meplzzjb.exe
PID 3856 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\meplzzjb.exe
PID 3856 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\ysblmfzjogjfs.exe
PID 3856 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\ysblmfzjogjfs.exe
PID 3856 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Windows\SysWOW64\ysblmfzjogjfs.exe
PID 3972 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ztxuzdzlte.exe C:\Windows\SysWOW64\meplzzjb.exe
PID 3972 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ztxuzdzlte.exe C:\Windows\SysWOW64\meplzzjb.exe
PID 3972 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ztxuzdzlte.exe C:\Windows\SysWOW64\meplzzjb.exe
PID 3856 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3856 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
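
Every child appears three times in the table above (twice for WINWORD.EXE) because the sandbox records one row per WriteProcessMemory call, which hides the launch chain: the sample (PID 3856) writes into the four freshly started SysWOW64 executables and into WINWORD.EXE, and ztxuzdzlte.exe (3972) writes into the second meplzzjb.exe instance (2704). The rows only say that a parent wrote into a child it had just created; they do not identify what was written, so read the result as the spawn tree, not as proof of injection. The Python below is an added example and not part of the report: it parses rows in the format above, collapses them into unique (writer, target) edges with a count, and renders the tree. The sample rows are the ones from this table, with their repetition preserved.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# One row of the table: PID <src> wrote to memory of <dst> N/A <src image> <dst image>
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<rest>.+)$")
# Image paths can contain spaces ("C:\Program Files\..."), so split the rest
# of the row where the second drive-letter path starts, not on whitespace.
PATH_SPLIT_RE = re.compile(r" (?=[A-Za-z]:\\)")


class ProcGraph(NamedTuple):
    images: Dict[int, str]                # pid -> image path
    children: Dict[int, Set[int]]         # writer pid -> pids it wrote into
    writes: Dict[Tuple[int, int], int]    # (writer, target) -> number of rows


def parse_write_events(lines: List[str]) -> ProcGraph:
    """Collapse repeated rows into unique (writer, target) edges with counts."""
    images: Dict[int, str] = {}
    children: Dict[int, Set[int]] = defaultdict(set)
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = PATH_SPLIT_RE.split(m.group("rest"))
        if len(paths) != 2:
            continue                      # malformed row: skip rather than guess
        src, dst = int(m.group("src")), int(m.group("dst"))
        images.setdefault(src, paths[0])
        images.setdefault(dst, paths[1])
        children[src].add(dst)
        writes[(src, dst)] += 1
    return ProcGraph(images, dict(children), dict(writes))


def roots(g: ProcGraph) -> List[int]:
    """Writers that were never themselves written into: the tops of the tree."""
    targets = {dst for (_, dst) in g.writes}
    return sorted(p for p in g.children if p not in targets)


def render(g: ProcGraph, pid: int, depth: int = 0,
           seen: Optional[Set[int]] = None) -> List[str]:
    """One indented line per process, with the write count on each edge."""
    seen = set() if seen is None else seen
    name = g.images.get(pid, "?").rsplit("\\", 1)[-1]
    out = [f"{'  ' * depth}{pid} {name}"]
    if pid in seen:                       # guard against cyclic write graphs
        return out
    seen.add(pid)
    for child in sorted(g.children.get(pid, ())):
        sub = render(g, child, depth + 1, seen)
        sub[0] += f"  [{g.writes[(pid, child)]} writes from {pid}]"
        out.extend(sub)
    return out


# Rows copied from the table above, repeated as many times as they occur there.
_S = r"C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe"
_W = r"C:\Windows\SysWOW64"
SAMPLE_ROWS = (
    [f"PID 3856 wrote to memory of 3972 N/A {_S} {_W}\\ztxuzdzlte.exe"] * 3
    + [f"PID 3856 wrote to memory of 4596 N/A {_S} {_W}\\jjjmyicxuswhtys.exe"] * 3
    + [f"PID 3856 wrote to memory of 2408 N/A {_S} {_W}\\meplzzjb.exe"] * 3
    + [f"PID 3856 wrote to memory of 4652 N/A {_S} {_W}\\ysblmfzjogjfs.exe"] * 3
    + [f"PID 3972 wrote to memory of 2704 N/A {_W}\\ztxuzdzlte.exe {_W}\\meplzzjb.exe"] * 3
    + [f"PID 3856 wrote to memory of 1684 N/A {_S} "
       r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"] * 2
)

if __name__ == "__main__":
    g = parse_write_events(SAMPLE_ROWS)
    for r in roots(g):
        print("\n".join(render(g, r)))
```

The rendered tree has one root (3856) and matches the order of the Processes list that follows, including the second meplzzjb.exe started by ztxuzdzlte.exe.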

Processes

C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58d37514028ebe2fdea9e30e3053e81_JaffaCakes118.exe"

C:\Windows\SysWOW64\ztxuzdzlte.exe

ztxuzdzlte.exe

C:\Windows\SysWOW64\jjjmyicxuswhtys.exe

jjjmyicxuswhtys.exe

C:\Windows\SysWOW64\meplzzjb.exe

meplzzjb.exe

C:\Windows\SysWOW64\ysblmfzjogjfs.exe

ysblmfzjogjfs.exe

C:\Windows\SysWOW64\meplzzjb.exe

C:\Windows\system32\meplzzjb.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/3856-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\jjjmyicxuswhtys.exe

MD5 8e4b7ba5912e987eeb1da05cb1e08124
SHA1 de5f8c2500fc05d883dc55756285c19f14d72ec1
SHA256 e234301cc0214691cb088cc661202a037bdfc166792140f71e4644ee54e678a9
SHA512 3b434657a0af3b71b4eafd8253dac804dcd6fc0e3b3252f7835d3aa38d0ba15f6a97fc2fcea34ffee3d506e69d5d799eae4d923262a27d864a5c62dc3cd781c8

C:\Windows\SysWOW64\ztxuzdzlte.exe

MD5 0eeee82f9be2d09c895ae846a5a939d2
SHA1 eaae1a263942d55b9e73f912c09be42f293187bd
SHA256 4501ce81a29079e35e6c287fe2600277f40cc8de93978421d3f4ddf09677ec15
SHA512 3e0b889479409eb460bd1f57711c4ce8fe027a228457dd20550ab19d2c3fd3a24669237ce3cb8fba95792112e3f2de340c18cf2b9e2d51e1a5a3194b6bc9a1ec

C:\Windows\SysWOW64\meplzzjb.exe

MD5 c7136c72c3a5f2cff89082c0f164cff9
SHA1 b7b09d02471fb378c03e5d772a13359d13b69621
SHA256 cf4aa6c40f83a04fd50afcea61cce2095a3c08b3045c1d207471e9f7d1efe6ec
SHA512 b2b96ca33d235da855eb40a5dd48abb387c78980cd1074ad0302afc03accdf1e071ab603741fa1c31c648fbf648ac23618144d87df20085dfef34212d820124f

C:\Windows\SysWOW64\ysblmfzjogjfs.exe

MD5 264af566cc8f9a6f0a2e5dc2bdff9291
SHA1 bc90fd7f01a11fae075d72dff75438fc4f3b569d
SHA256 58e33ecbba07df7144aae1a36b812ed975fc162dfdc0bb0e7784455080efb4cd
SHA512 5d687eafd7151eaeb3787bbacde1ded24420f8d6d9beb4816c21904b287562b8dd0989a69bdad1ad66ab0700d0fcc12162c96910918e61e34af9f745216fdaea

memory/1684-37-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-38-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-40-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-39-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-42-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-43-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-41-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-44-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-45-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-46-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-47-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-48-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-49-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-50-0x00007FFF09C20000-0x00007FFF09C30000-memory.dmp

memory/1684-51-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-52-0x00007FFF09C20000-0x00007FFF09C30000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 3955f5c83fda45ec68f29ca68c8bf032
SHA1 07959a23ffa4508cfbaf467c4a4bf0b13a0044ca
SHA256 a3aa1bb5e7682dc958b7817b1997fcd0e21bc7fd2394e390f88d8fd92f1f23a5
SHA512 00152d6bafb437a4c3e866032b2c91c3fe35c97e18a80d9d8b2106f77b0dd7ea4f6f016632b6487f41c5f04447157cd8c9d670a27b01b7a50fa80e21bdb4b315

C:\Users\Admin\Documents\MeasureWrite.doc.exe

MD5 0b68546b7b95df61faa73bc2931b0fa6
SHA1 ed354f130014125d788abaca522a34e7b57d71b8
SHA256 2842362d40fcf1ee12fed9b05014ad2246a0f1e3f506546cae73cc9588a6001f
SHA512 9f8b220bd4e6f922d1bd028de88ce92fec5f902494c9c4da1933fc3bd6ed3fea6c17552697bba090ec0795784624331c532cf4570cd68ab0ba4897425355503d

C:\Users\Admin\Downloads\GrantUnprotect.doc.exe

MD5 8693850cadae0444c79358251c94e796
SHA1 f2e6ac2fac99537b93b61af827a848b8212c02ce
SHA256 ac76ad5d9da7d5951ef9cf92fc2a2d4daddcbeb4deda134a41d7c654b62ec8f0
SHA512 ed30d4eac048f09bdd57b1073cda8e2ae4fedfda4c6a2e4ae6bbd00e577536f4b3b297ac25808db624af402c229e6db660150ca599cdb9f46a1cf639e0da4df5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7fe920ca8998e1f74ddcdfcd4dd8064a
SHA1 8676d7cc9546eb30b317f1508656780b403b71c2
SHA256 103bd465d0fbd10692c316282a157fdf6d6814fa65879f48e4efa485f6ee96b3
SHA512 a05cfcbd4714c090f7deb17bd8ff760751663a8c0bea6ba5ccc683d1444bbf184bb9e414a3ae44063d1c0387a703b1ba54092b5e9af99376354cb43585e304e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 082be223f2169dc76a47dad80d6db12a
SHA1 9b0164ebe42e07516b3a75a4a4c4d4391764d1f8
SHA256 4d6814bf41fe79606e3bf1f48e1693f5fcc4d57d1b0600a917feb1a10dd6eddd
SHA512 eb110ed3f73125ccf210a25001d4836703130863b58f47be639df65cf877d1768f62c02db97dff8abea7ade011b7a2634bd7255f05e86873811c04708d5a054e

memory/1684-107-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-108-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-109-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 303ca216585c1ccd5849b968b3593740
SHA1 2de78dffd6a4d3f2e85e98f1da8686541b0b6a92
SHA256 a2c5b1819b562b626d00c14c2d3374ae5a1e97eecd10f35bd8b8ce7619f34c4c
SHA512 65985e92a32ed690ff1e6c91ec2c6d2820ace52eb1acb424b67ed9c9714645413fab274f29a2dbcdbe09bc938aa2edc7b1c4284c61f1a499f2a2fcc4abebe00e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 79574a24aaa249435e83249f925fb3a3
SHA1 d0aae5e0fe5f2d5c27b4d1fbd63a0c7f9fdb50d8
SHA256 f98f349ef8d557b135a4aaf750675b308419289e5aac1efb78b372590fb3f36f
SHA512 913d42495ef9aa5dd842cbe5c4319ef31394145aa1eaa7bd5c559e3eadd04e5c9d1881cab95c06927da26cd7442b615a85e72525fb7e1cfd6b73f0d66a258f9b

memory/1684-142-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-143-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-144-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-145-0x00007FFF0C390000-0x00007FFF0C3A0000-memory.dmp

memory/1684-146-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

memory/1684-147-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp
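
Several of the dropped files are executables named like documents: PROTTPLV.DOC.exe inside the Office install, MeasureWrite.doc.exe in Documents, GrantUnprotect.doc.exe in Downloads, and MsoIrmProtector.doc.exe under SysWOW64\MSDRM. The last of these is written twice with different hashes, as is the jump-list file fb3b0dbfee58fac8.customDestinations-ms. When Explorer hides known extensions, such names display as ordinary .doc files. The Python below is an added example, not part of the sandbox output: it parses the path-plus-hashes layout of this Files section, flags double-extension names whose inner extension is a document type and whose outer one Windows will execute, and lists paths written more than once with different SHA256 values. The sample input is an excerpt of the entries above reduced to their SHA256 lines; the two extension sets are assumptions and can be widened.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Extensions a user reads as harmless documents, and extensions Windows will
# execute (assumed sets; widen them as needed).
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

PATH_RE = re.compile(r"^(?:\\\?\?\\)?[A-Za-z]:\\")     # C:\... or \??\c:\...
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


class Dropped(NamedTuple):
    path: str
    hashes: Dict[str, str]


def parse_files(text: str) -> List[Dropped]:
    """Read the Files section layout: a path line followed by hash lines.
    memory/... dump entries carry no hashes and are skipped."""
    entries: List[Dropped] = []
    current: Optional[Dropped] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = Dropped(line, {})
            entries.append(current)
        elif line.startswith("memory/"):
            current = None
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                current.hashes[m.group(1)] = m.group(2).lower()
    return entries


def double_extension(path: str) -> Optional[Tuple[str, str]]:
    """(inner, outer) when a document extension hides behind an executable
    one, e.g. "x.doc.exe" -> (".doc", ".exe"); otherwise None."""
    name = path.rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return None
    inner, outer = "." + parts[-2], "." + parts[-1]
    return (inner, outer) if inner in DOC_EXTS and outer in EXEC_EXTS else None


def find_masquerades(entries: List[Dropped]) -> List[str]:
    """Unique paths whose names imitate documents but end in an executable."""
    return sorted({e.path for e in entries if double_extension(e.path)})


def find_rewrites(entries: List[Dropped]) -> Dict[str, List[str]]:
    """Paths written more than once with different content (distinct SHA256)."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        h = e.hashes.get("SHA256")
        if h and h not in seen[e.path]:
            seen[e.path].append(h)
    return {p: hs for p, hs in seen.items() if len(hs) > 1}


# Constructed excerpt of the Files section above, reduced to SHA256 lines.
SAMPLE_FILES = r"""
C:\Windows\mydoc.rtf
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
SHA256 a3aa1bb5e7682dc958b7817b1997fcd0e21bc7fd2394e390f88d8fd92f1f23a5

C:\Users\Admin\Documents\MeasureWrite.doc.exe
SHA256 2842362d40fcf1ee12fed9b05014ad2246a0f1e3f506546cae73cc9588a6001f

C:\Users\Admin\Downloads\GrantUnprotect.doc.exe
SHA256 ac76ad5d9da7d5951ef9cf92fc2a2d4daddcbeb4deda134a41d7c654b62ec8f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
SHA256 103bd465d0fbd10692c316282a157fdf6d6814fa65879f48e4efa485f6ee96b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
SHA256 4d6814bf41fe79606e3bf1f48e1693f5fcc4d57d1b0600a917feb1a10dd6eddd

memory/1684-107-0x00007FFF4C310000-0x00007FFF4C505000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
SHA256 a2c5b1819b562b626d00c14c2d3374ae5a1e97eecd10f35bd8b8ce7619f34c4c

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
SHA256 f98f349ef8d557b135a4aaf750675b308419289e5aac1efb78b372590fb3f36f
"""

if __name__ == "__main__":
    entries = parse_files(SAMPLE_FILES)
    for p in find_masquerades(entries):
        print("masquerade:", p, double_extension(p))
    for p, hs in find_rewrites(entries).items():
        print("rewritten :", p, len(hs), "versions")
```

The same two checks apply to any host listing (a `Get-ChildItem -Recurse` export, an EDR file-event feed): the double-extension test needs only the file name, and the rewrite test needs a hash per write event.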