Malware Analysis Report

2025-08-11 00:04

Sample ID 240525-2g62dade37
Target 73773564e15d14746d32982a0e40e6f8_JaffaCakes118
SHA256 fbe945a6e9351304c72e81afa79d3c27080c8cdb316f3bdef903c3daa1ecfc3c
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fbe945a6e9351304c72e81afa79d3c27080c8cdb316f3bdef903c3daa1ecfc3c

Threat Level: Known bad

The file 73773564e15d14746d32982a0e40e6f8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Loads dropped DLL

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 22:34

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 22:34

Reported

2024-05-25 22:36

Platform

win7-20240419-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nwdundsv = "bpbsfqldlu.exe" C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hhziaspg = "kmxtnjcxgxbfwye.exe" C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rtfwsxuhquogm.exe" C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rtybnyhk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rtfwsxuhquogm.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
File created C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rtybnyhk.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rtfwsxuhquogm.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bpbsfqldlu.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bpbsfqldlu.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rtybnyhk.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\rtybnyhk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rtybnyhk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FC834826826F9042D62F7E90BDE5E633584267316342D799" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D789C5282256A4377D170532CDA7D8265DC" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C6791491DAB2B8BC7FE7EC9E34CE" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02E44E7399953BFB9A2329DD7CD" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFAB9FE65F2E2837E3B4B86983E99B08803FC4311033FE2C945E908D6" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
N/A N/A C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
N/A N/A C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
N/A N/A C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
N/A N/A C:\Windows\SysWOW64\bpbsfqldlu.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\rtybnyhk.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\rtfwsxuhquogm.exe N/A
N/A N/A C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\bpbsfqldlu.exe
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\bpbsfqldlu.exe
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\bpbsfqldlu.exe
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\bpbsfqldlu.exe
PID 2288 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe
PID 2288 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe
PID 2288 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe
PID 2288 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe
PID 2288 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2288 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2288 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2288 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtfwsxuhquogm.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtfwsxuhquogm.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtfwsxuhquogm.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\rtfwsxuhquogm.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\bpbsfqldlu.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\bpbsfqldlu.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\bpbsfqldlu.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\bpbsfqldlu.exe C:\Windows\SysWOW64\rtybnyhk.exe
PID 2288 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2820 wrote to memory of 344 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2820 wrote to memory of 344 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2820 wrote to memory of 344 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2820 wrote to memory of 344 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe"

C:\Windows\SysWOW64\bpbsfqldlu.exe

bpbsfqldlu.exe

C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe

kmxtnjcxgxbfwye.exe

C:\Windows\SysWOW64\rtybnyhk.exe

rtybnyhk.exe

C:\Windows\SysWOW64\rtfwsxuhquogm.exe

rtfwsxuhquogm.exe

C:\Windows\SysWOW64\rtybnyhk.exe

C:\Windows\system32\rtybnyhk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2288-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\kmxtnjcxgxbfwye.exe

MD5 0c2865cd13bc7ecfc540c246424e11f0
SHA1 13631d5e1643600b20f3009ec3295786c0a2f131
SHA256 6c80375bb49e110c459f6f7d0f82a076004088c3b62bcf231b7b7fd144778813
SHA512 e0ef33130f87a4ecb21b911265edf51bb46653ba460a9e7ca01838b3283e690e2d1b200f70c1b18a45a36cd46da2ba117ad15522022c99fbc4776d5070f8aac5

\Windows\SysWOW64\bpbsfqldlu.exe

MD5 4e1b3b9994f7585f1e7af240ce3f52fd
SHA1 c191397356f024d971c698a6b00d1a351d21f947
SHA256 33b163d98a679df5ef358345f7927cd32f17143110788785595021f698436d0f
SHA512 2322a7b9791d589761d036731562836dbc5a37d1b261da62a2da3baa3612c98d1a8cb1b9a9867709e953adec82bfa3d572c93f872df2a75863a1dc5d47fef4bc

\Windows\SysWOW64\rtybnyhk.exe

MD5 ab9704121b883891aa0be15ceff70cde
SHA1 75d4265e4b8d5cc1ca41d8249f785cbc8f915783
SHA256 4c67bf281994f3e7105891995078fd0e17e738cd8a40ecbc056b9b7995eea87e
SHA512 35eb804bedb42d99fd8133b1fb194c0c8468c25bbc75436598a5812852e592cd8307fc2e76db0681b86b8b708fa4db8299865237e383d613971e039e475aee19

\Windows\SysWOW64\rtfwsxuhquogm.exe

MD5 de091042cd33feb3c64731e74dca0b1a
SHA1 988f5e363413e58b2a5a8f1fa065e622544532bc
SHA256 7d1c809e3450c830db0777549b5cad683d6d777d63f8c64fa3c04d593ed491ee
SHA512 b0d768d7e7c85a6928a1f8d2a66af018260d23d28eb2a37638ba192a1a92447e54cf3967511168625951a2f5849f614382fa4d34812d7e66eeec0987c5379d43

memory/2820-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 7bca00fa7edf98c490b6c73564411be7
SHA1 e1d25440faeba3cc6bfeec4ecfa84f49e2dbe5e5
SHA256 e18010947ac3ed29e7b5b88ecc501f59bd977a4df231abca1702a0dcdd522d99
SHA512 8470f42d2689654034bd1634452fbe48a17ed86fd8cd559c4c6d4545b50a2241bcfe66a4d6b9b7be385287fd659566d1cbfce11b3de6ed69a7f0a27d5b0f6eff

C:\Users\Admin\Downloads\StopRedo.doc.exe

MD5 d99c017fdc874c528cd0e62f929374ea
SHA1 3d5970ffdea948d14c2f2c02ae19f7c2d6934ed9
SHA256 a0c7d011f3e16652e95c9b5812a38a77d24feba93056d293f9182b5bb56e9975
SHA512 5ac428b9bb038ce890f147e0157f3b54cc214a29f1acc567505d404aac232c314fdf43d27d781c58eb672abf71ebb23b012baba60fe26ccce13f2c50792c1879

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f3feb161c6fbf10f9f8cba0b14fe0bc0
SHA1 1b95fe5cb3363f315dcc2ded700d6195e73e9333
SHA256 ecf4154e5426bd0ee1129a2ded0bf6d27e4f17ac2cbee435c176c212e6ab913c
SHA512 06cb67892b9ecaa5296ac999ce43000e91765803c24374e31378dff403d4a77d7c6f3a49c9cd93d591aad156132612fd6fd268bfe9d05fe2aece216db5daadae

memory/2820-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 22:34

Reported

2024-05-25 22:36

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\jcxwqskknr.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jcxwqskknr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pgqioghm = "jcxwqskknr.exe" C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmajteu = "qsceevrlnyjgjzq.exe" C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gzmtxoedrzizs.exe" C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\awhkygvo.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\jcxwqskknr.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\awhkygvo.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gzmtxoedrzizs.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\jcxwqskknr.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created C:\Windows\SysWOW64\jcxwqskknr.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jcxwqskknr.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\awhkygvo.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gzmtxoedrzizs.exe C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\awhkygvo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\awhkygvo.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\jcxwqskknr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C7B9D2182586D4677D370562CAE7D8065DB" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9CEF911F1E583753A47819939E4B08103FD4362033EE1C445EA09D2" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB02D47E639E952BEBAD53393D7C9" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFC8D482D826E9030D7287D90BD90E6305836674E6234D6EE" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB2FF1C21D1D27FD0A98A0E9167" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C6791594DAC5B8CE7FE0EDE237CC" C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A

Two distinct things happen here. First, jcxwqskknr.exe points the default ProgID of six extensions (.bat, .reg, .vbs, .wsc, .wsf, .wsh) at "txtfile", the ProgID for plain text. After that change a double-click or ShellExecute on any of these files opens it in the text editor instead of running it. The effect is anti-remediation rather than protection: cleanup scripts and .reg fixes no longer execute, which complements the RegEdit and Explorer-visibility changes this sample makes. Registry key names are case-insensitive, so the .WSF and .WSH rows address the same keys as .wsf and .wsh. Remediation means restoring the Windows defaults (.bat to batfile, .vbs to VBSFile, .wsf to WSFFile, .wsh to WSHFile, .wsc to scriptletfile, .reg to regfile), using reg.exe rather than a .reg import since the import path is itself hijacked.

Second, the sample creates CLV.Classes, which is not a Windows or Office ProgID, and stores six hex-encoded blobs of 16 to 30 bytes under it. They do not decode to readable text, so they are best read as encoded state or configuration (an inference from the values; the sandbox does not say what they are). The key is a good host-based indicator and should be deleted along with the dropped files. The Local Settings key under the user's _Classes hive is created by any process that touches the shell and is not significant on its own.
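The following triage helper is added here and is not part of the sandbox report. It reads "Set value" rows in the format of the table above, flags extensions whose default ProgID no longer matches a baseline map (the map itself is an assumption of the example and should be checked against a clean host of the same Windows build), reports the byte length of each CLV.Classes blob, and emits the reg.exe commands that put the handlers back. Its input is the rows of this table plus one constructed benign row so the filter has something to pass.

```python
import re

# Baseline default ProgIDs Windows registers for these extensions. This map is an
# assumption of the example, not something the report states; compare it against
# a clean host of the same build before acting on the output.
EXPECTED_PROGID = {
    ".bat": "batfile", ".cmd": "cmdfile", ".vbs": "VBSFile", ".vbe": "VBEFile",
    ".js": "JSFile", ".wsf": "WSFFile", ".wsh": "WSHFile",
    ".wsc": "scriptletfile", ".reg": "regfile",
}

# Row shape: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\<ext>\ = "<progid>" <process> N/A
SET_DEFAULT = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<ext>\.[^\\]+)\\ = "(?P<progid>[^"]*)" (?P<proc>.+?) N/A$'
)
# Values the sample writes under its own ProgID, CLV.Classes
CLV_VALUE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLV\.Classes\\'
    r'(?P<name>\w+) = "(?P<val>[^"]*)" '
)


def find_handler_hijacks(rows):
    """Return {ext: (progid_written, writing_process)} for every row that points a
    monitored extension's default ProgID away from the baseline."""
    hijacks = {}
    for row in rows:
        m = SET_DEFAULT.match(row.strip())
        if not m:
            continue
        ext = m["ext"].lower()  # registry key names are case-insensitive: .WSF is .wsf
        expected = EXPECTED_PROGID.get(ext)
        if expected is not None and m["progid"].lower() != expected.lower():
            hijacks[ext] = (m["progid"], m["proc"])
    return hijacks


def clv_blob_sizes(rows):
    """Return {value_name: byte_length} for CLV.Classes values that are valid hex.
    Without the decoder the lengths are the only thing the blobs give away."""
    sizes = {}
    for row in rows:
        m = CLV_VALUE.match(row.strip())
        if not m:
            continue
        try:
            sizes[m["name"]] = len(bytes.fromhex(m["val"]))
        except ValueError:
            pass  # not hex: leave it out rather than guess
    return sizes


def restore_commands(hijacks):
    """reg.exe lines that restore the baseline ProgID for each hijacked extension.
    reg.exe is used instead of a .reg import because .reg is itself hijacked."""
    return [
        f'reg add "HKLM\\SOFTWARE\\Classes\\{ext}" /ve /d {EXPECTED_PROGID[ext]} /f'
        for ext in sorted(hijacks)
    ]


JCX = r"C:\Windows\SysWOW64\jcxwqskknr.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe"

# Rows copied from the report's "Modifies registry class" table, plus one
# constructed benign row (.cmd left at its default) that must not be flagged.
REPORT_ROWS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" {JCX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" {JCX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" {JCX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" {JCX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" {JCX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" {JCX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C7B9D2182586D4677D370562CAE7D8065DB" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9CEF911F1E583753A47819939E4B08103FD4362033EE1C445EA09D2" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB02D47E639E952BEBAD53393D7C9" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFC8D482D826E9030D7287D90BD90E6305836674E6234D6EE" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB2FF1C21D1D27FD0A98A0E9167" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C6791594DAC5B8CE7FE0EDE237CC" {SAMPLE} N/A',
    # constructed, not from the report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\Windows\explorer.exe N/A',
]

if __name__ == "__main__":
    hijacks = find_handler_hijacks(REPORT_ROWS)
    for ext, (progid, proc) in sorted(hijacks.items()):
        print(f"{ext:5} -> {progid!r} (expected {EXPECTED_PROGID[ext]!r}) by {proc}")
    print("CLV.Classes blobs (bytes):", clv_blob_sizes(REPORT_ROWS))
    print("\n".join(restore_commands(hijacks)))
```

The restore commands need an elevated prompt, and they only put the default ProgID back; if the ProgID keys themselves (batfile, regfile, ...) were also altered, which this report does not show, those would need checking too.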

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Both events come from the Word instance the sample started to display C:\Windows\mydoc.rtf. Word registers a clipboard-format listener as part of normal operation, so this is not evidence of clipboard capture by the malware; a clipboard stealer would put the dropped executables in this table, and none appear.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe N/A (16 events)
N/A N/A C:\Windows\SysWOW64\jcxwqskknr.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\gzmtxoedrzizs.exe N/A (12 events)
N/A N/A C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\awhkygvo.exe N/A (16 events)

The sample and all four drops walk the process list repeatedly for the whole run; the qsceevrlnyjgjzq.exe and awhkygvo.exe events are interleaved in time. The report does not show what they look for. In families that keep several copies resident, each process polling the list is how it notices that a sibling was killed and restarts it, which would fit the redundant drops and the second awhkygvo.exe launch seen elsewhere in this report, but that reading is an inference and not something the sandbox confirms.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 3976 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\jcxwqskknr.exe
PID 1568 wrote to memory of 3772 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe
PID 1568 wrote to memory of 832 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\awhkygvo.exe
PID 1568 wrote to memory of 3096 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Windows\SysWOW64\gzmtxoedrzizs.exe
PID 3976 wrote to memory of 4356 (3 events) N/A C:\Windows\SysWOW64\jcxwqskknr.exe C:\Windows\SysWOW64\awhkygvo.exe
PID 1568 wrote to memory of 1420 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Every target here is a process its writer started: the sample (PID 1568) launched the four drops and WINWORD.EXE, and jcxwqskknr.exe (3976) launched a second awhkygvo.exe (4356). CreateProcess itself writes the new process's startup parameters into the child, so a parent shows up in this table for each child it spawns, and the two or three writes per pair are what plain process creation looks like. Nothing in the report shows the sample writing into a process it did not create, which is what would indicate injection into a foreign process. The sandbox records no Indicator (address or size) for these writes, so the table cannot confirm or rule out that a payload was also written into the children; the dumped memory regions in the Files section are the place to look for that.
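To turn the rows above into the spawn chain they describe, and to make the duplicate-image observation explicit, here is a small Python helper written for this report; it is an added example, not part of the sandbox output. It assumes the row format exactly as printed in this table and uses copies of these rows as its input.

```python
import re
from collections import defaultdict

# Row shape in the report:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# The writer's image never contains " X:\", so a non-greedy match up to the next
# drive-letter path separates the two columns even when the target path has
# spaces (C:\Program Files\...).
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)


def parse_wpm_rows(rows):
    """Return (edge_counts, images): number of writes per (src_pid, dst_pid)
    pair, and the image path the report records for every PID seen."""
    edge_counts = defaultdict(int)
    images = {}
    for row in rows:
        m = WPM_ROW.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edge_counts[(src, dst)] += 1
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return dict(edge_counts), images


def build_tree(edge_counts):
    """{writer_pid: [target_pid, ...]} in first-seen order, one entry per pair."""
    tree = defaultdict(list)
    for src, dst in edge_counts:
        tree[src].append(dst)
    return dict(tree)


def roots(tree):
    """PIDs that write to others but are never written to: where the chain starts."""
    targets = {t for kids in tree.values() for t in kids}
    return {p for p in tree if p not in targets}


def duplicate_images(images):
    """Image basenames that back more than one PID, e.g. a drop launched twice."""
    by_name = defaultdict(list)
    for pid, path in images.items():
        by_name[path.rsplit("\\", 1)[-1].lower()].append(pid)
    return {name: sorted(pids) for name, pids in by_name.items() if len(pids) > 1}


def render(tree, edge_counts, images, pid, depth=0):
    """Indented text rendering of the write chain below pid, one line per process."""
    lines = [f"{'  ' * depth}{pid}  {images.get(pid, '?')}"]
    for child in tree.get(pid, []):
        sub = render(tree, edge_counts, images, child, depth + 1)
        sub[0] += f"  [{edge_counts[(pid, child)]} writes from {pid}]"
        lines.extend(sub)
    return lines


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe"
SYSWOW = r"C:\Windows\SysWOW64"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"

# Rows copied from the report's WriteProcessMemory table, repeated as often as
# the sandbox logged them.
REPORT_ROWS = (
    [f"PID 1568 wrote to memory of 3976 N/A {SAMPLE} {SYSWOW}\\jcxwqskknr.exe"] * 3
    + [f"PID 1568 wrote to memory of 3772 N/A {SAMPLE} {SYSWOW}\\qsceevrlnyjgjzq.exe"] * 3
    + [f"PID 1568 wrote to memory of 832 N/A {SAMPLE} {SYSWOW}\\awhkygvo.exe"] * 3
    + [f"PID 1568 wrote to memory of 3096 N/A {SAMPLE} {SYSWOW}\\gzmtxoedrzizs.exe"] * 3
    + [f"PID 3976 wrote to memory of 4356 N/A {SYSWOW}\\jcxwqskknr.exe {SYSWOW}\\awhkygvo.exe"] * 3
    + [f"PID 1568 wrote to memory of 1420 N/A {SAMPLE} {WINWORD}"] * 2
)

if __name__ == "__main__":
    edges, images = parse_wpm_rows(REPORT_ROWS)
    tree = build_tree(edges)
    for root in sorted(roots(tree)):
        print("\n".join(render(tree, edges, images, root)))
    print("same image, several PIDs:", duplicate_images(images))
```

Run against the rows above it yields a single root (1568) with five children and one grandchild (4356 under 3976), and reports awhkygvo.exe as the one image behind two PIDs, which matches the two awhkygvo.exe entries in the Processes list.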

Processes

Each entry is the image path followed by the command line as captured.

C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73773564e15d14746d32982a0e40e6f8_JaffaCakes118.exe"

C:\Windows\SysWOW64\jcxwqskknr.exe
    jcxwqskknr.exe

C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe
    qsceevrlnyjgjzq.exe

C:\Windows\SysWOW64\awhkygvo.exe
    awhkygvo.exe

C:\Windows\SysWOW64\gzmtxoedrzizs.exe
    gzmtxoedrzizs.exe

C:\Windows\SysWOW64\awhkygvo.exe
    C:\Windows\system32\awhkygvo.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

All four drops run from C:\Windows\SysWOW64, the 32-bit system directory, so the sample and its drops are 32-bit binaries. awhkygvo.exe runs twice (PIDs 832 and 4356 in the WriteProcessMemory table above); the second instance was requested as C:\Windows\system32\awhkygvo.exe, and WoW64 file-system redirection maps a 32-bit caller's system32 onto SysWOW64, which is why both entries show the same image path. The WINWORD.EXE command line, /n "<file>" /o "", is the shape of the shell Open verb registered for Word documents, so the sample opened C:\Windows\mydoc.rtf through the shell rather than by invoking Word directly. The document is a decoy for the user; all Office-related network and file activity in the sections below belongs to this Word instance, not to the drops.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp (49 connections)
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 connections)
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Every name resolved here is an Office roaming, Office template CDN or Bing host, and the remaining DNS traffic is reverse (PTR) lookups, several of them for addresses in this same table (17.251.17.2.in-addr.arpa is 2.17.251.17, 184.61.62.23.in-addr.arpa is 23.62.61.184). This is the normal background of a WINWORD.EXE instance opening a document on an internet-connected sandbox. The table contains no traffic attributable to the four dropped executables, so no command-and-control endpoint can be derived from this run. That holds for this detonation window only; delayed, conditional or failed beaconing would not appear, so the dropped files and the registry keys, not network indicators, are the usable IOCs from this report.

Files

The entries below fall into four groups. memory/1568-0-0x400000-0x496000 is the sample's own image as mapped in PID 1568 (0x96000 bytes from the default 32-bit image base); the memory/1420-* entries are 64 KiB regions of the 64-bit WINWORD.EXE process. The four executables in C:\Windows\SysWOW64 are the drops; their hashes differ from one another and from the sample, so each is a distinct file rather than a straight self-copy. C:\Windows\mydoc.rtf is the decoy handed to Word, and index.dat under Office\Recent, the customDestinations-ms jump-list file and TCD8F18.tmp\sist02.xsl are ordinary side effects of Word opening a document. The last group is two Office-installed documents, PROTTPLN.DOC and PROTTPLV.DOC under Office16\1033 and MsoIrmProtector.doc under SysWOW64\MSDRM, each written with a trailing .exe (MsoIrmProtector.doc.exe twice, with different hashes). Writing an executable named after an existing document, relying on Explorer hiding the real extension so the user launches "something.doc", is consistent with a file-infecting worm; none of these .doc.exe hashes match the four drops, so check the PE headers of these files before concluding what they contain.

memory/1568-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\qsceevrlnyjgjzq.exe

MD5 310126990929cf614da0fe740050a27d
SHA1 884fd674982574f5ad38852ba8575c73c5a600da
SHA256 40437c786fcd3396d0a597bccabbca8eb6b0c9c95a1673a9ed63c55c5f2bce11
SHA512 a3ad439f6ae431d29b1fcfc66cd3715f1f67bbacbfb2cf42e7810460f251bc1fa18dac00e12b2aa3d4cf9747ded742b60bdc1b633868f813eaa0b5ac4169b081

C:\Windows\SysWOW64\jcxwqskknr.exe

MD5 7acdd5a5dbe25b25683c8a649381a9d4
SHA1 4fb52eb63b57ceaedf44507a71d1a2e14eba9f04
SHA256 48237fb8b6e42b9d9269889ac675e5698082bc920e1256bdb7dd0750076391d4
SHA512 1d2869a26b927bbb3cc3cc2558daf912df158a8866b73625e57e161a0f99c086b72d8c64caeb20b7a3ae9dd85bdb24de4c2756dc21c085d7d3b6a2d4df61afa5

C:\Windows\SysWOW64\awhkygvo.exe

MD5 241816a68f9bdab545ab9fb57ec9a855
SHA1 24029d092468ef66becd4144e71f24a772e39dd8
SHA256 ad5b72ed3c47a0934c250b986b09fe0306ff9db0bbb74d3f8f51894845869f02
SHA512 4bd97bdb7e845b7af621d07d6aa9d4c6f0f1e8cdd9b9e5eba113d862522b5af430a14f355b4efa76d6dcbde5a5b2b52998dad2bae43d79e4a81e9bc492c3fa57

C:\Windows\SysWOW64\gzmtxoedrzizs.exe

MD5 2c35101fb2bc9e1a592108f0ddd70eaf
SHA1 ab437906bfa33fb8cf289497cc4d47daefffc047
SHA256 429f6108297adc9235f6211da0f18b19b5b731b08025e245ec78bc58f9a7dcaf
SHA512 da857a2c0221833b9bc59d9d5a5e307faf9a99ea0210ae4bd6830e70b1515033b4ec30c91fb71f48abdfed1e98fbd5d8703ef4fa7788615febcb0e707a90c3f8

memory/1420-37-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-39-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-38-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-40-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-41-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-42-0x00007FFD7A570000-0x00007FFD7A580000-memory.dmp

memory/1420-43-0x00007FFD7A570000-0x00007FFD7A580000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 1bbfe4a2f7653a41cff37480555de415
SHA1 f8ced8af823418c118bbb7a7eec9045e02f22584
SHA256 dcd949ab6884ac813021f0fbf098ed688b1673e2594ede1b3b78f31c88862a9d
SHA512 c7ced8cb51a01f01bd1843f5d12eaf992e46408a7cc320b9cdaf1bbed3e72c1c6f3f35a68cc02e7c4f9c7a6eef52587d9c1cc11ed5acdf205eab59fa2c512a57

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 6f66a249ef63a69abd9ab76199f3789d
SHA1 1fdd600085820426d048d29fd3da558f40f9c767
SHA256 9bd59862afd23ed4053814170da7944dfdc2334eac9ddba7c2b7aef42a008deb
SHA512 37d2236ec19e08b71385ac9a1f46699ef825c77ca6ebfb014fe24765fa10eb451dee5d2d2af0d3b3ea90ce4777c4adc4c66d561013a80a0f7b5288dd67f0246e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 bc95dcdc69974ed1e98d9d1cdb3899d7
SHA1 7dbc2cdea059c147f411835a6113fc3b41d1bcbd
SHA256 6d8943278594d0fd9c49928b41fb4848281c5faa934c5682ff634315a2aedae0
SHA512 fbf459ec87fa0f4a02437c6ca01e65096cb707701b3ab187d25d9cfca3d456a43fe3f17c2262d7609a16e6d2b78e277b5df407f1e78a5841705a5930bcdeb0a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6fd50a07ebea4d75d9327c3482b37c52
SHA1 63246d5449786082129830fc344fc3f2c4124477
SHA256 ee8fab8a0cdfdb6a10976bd18651cd16848b615595b02d28c733d6edae88d3c0
SHA512 4474a91d93171d8c7f7b2beb269d73b3a7e682aa91918ec8578698889166bd6b8127f93e8e05c181b61912684e84beee0f3f61d33a6a36ff4485ac890baf5a56

C:\Users\Admin\AppData\Local\Temp\TCD8F18.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 1628db0aa13658f48ded0d9b3b9f2b79
SHA1 8f2ccc43fe64e9d29a865dc50b3fd44575adc287
SHA256 615de3e0be3d2e792655b1b0058f415df352aa001d522a70ef6caf5fb09e829d
SHA512 3f1c4da40d41636d985f5d8b31709995dcdce52f426236ca223a3c245d952bab629b907f1ec089e2376c5916caa0bf7d94810be5cf4f0a45706718d620daa5d9

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 52ac5300705b6546af2091643fc4f612
SHA1 28a4e528ed401f495c0c597810d941dd1d6a5e95
SHA256 473efd6db4fcfc40d1d91bf93b080ab5c156b0df5b40cf63f0460bc23f365f5d
SHA512 17bb9cd7a1e59f9ee328df92418116046c59a880357bc4ea0b9a94325d630ca0ca067f0c51eaea4f05ea9bbbbc481e069d39c7bdb1d7caf1efa65b4d56f4aecf

memory/1420-598-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-597-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-596-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

memory/1420-595-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp