Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-dv1vhsda6s
Target 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118
SHA256 3da141fdf33f54ef540f20ee3597c0381ec572f0e61140e5441244b124a0422c
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3da141fdf33f54ef540f20ee3597c0381ec572f0e61140e5441244b124a0422c

Threat Level: Known bad

The file 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Windows security modification

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:20

Reported

2024-05-26 03:23

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vfblejvmkz.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vfblejvmkz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\altlnsjx = "vfblejvmkz.exe" C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gloiuduu = "bzktouiylyunkrj.exe" C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hactrbztscczi.exe" C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iozdavne.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iozdavne.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vfblejvmkz.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vfblejvmkz.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bzktouiylyunkrj.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iozdavne.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hactrbztscczi.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hactrbztscczi.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vfblejvmkz.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iozdavne.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\vfblejvmkz.exe N/A
File created C:\Windows\SysWOW64\bzktouiylyunkrj.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\iozdavne.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\iozdavne.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\iozdavne.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67D15EDDAB2B9C17CE0ECE237CC" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B15A44E4399F53CFB9D4329BD7B8" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\vfblejvmkz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\vfblejvmkz.exe N/A
N/A N/A C:\Windows\SysWOW64\vfblejvmkz.exe N/A
N/A N/A C:\Windows\SysWOW64\vfblejvmkz.exe N/A
N/A N/A C:\Windows\SysWOW64\vfblejvmkz.exe N/A
N/A N/A C:\Windows\SysWOW64\vfblejvmkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\iozdavne.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\hactrbztscczi.exe N/A
N/A N/A C:\Windows\SysWOW64\bzktouiylyunkrj.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\vfblejvmkz.exe
PID 2888 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\vfblejvmkz.exe
PID 2888 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\vfblejvmkz.exe
PID 2888 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\vfblejvmkz.exe
PID 2888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\bzktouiylyunkrj.exe
PID 2888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\bzktouiylyunkrj.exe
PID 2888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\bzktouiylyunkrj.exe
PID 2888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\bzktouiylyunkrj.exe
PID 2888 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2888 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2888 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2888 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2888 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\hactrbztscczi.exe
PID 2888 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\hactrbztscczi.exe
PID 2888 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\hactrbztscczi.exe
PID 2888 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Windows\SysWOW64\hactrbztscczi.exe
PID 2472 wrote to memory of 2536 N/A C:\Windows\SysWOW64\vfblejvmkz.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2472 wrote to memory of 2536 N/A C:\Windows\SysWOW64\vfblejvmkz.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2472 wrote to memory of 2536 N/A C:\Windows\SysWOW64\vfblejvmkz.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2472 wrote to memory of 2536 N/A C:\Windows\SysWOW64\vfblejvmkz.exe C:\Windows\SysWOW64\iozdavne.exe
PID 2888 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2888 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2888 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2888 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2376 wrote to memory of 2732 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2376 wrote to memory of 2732 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2376 wrote to memory of 2732 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2376 wrote to memory of 2732 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe"

C:\Windows\SysWOW64\vfblejvmkz.exe

vfblejvmkz.exe

C:\Windows\SysWOW64\bzktouiylyunkrj.exe

bzktouiylyunkrj.exe

C:\Windows\SysWOW64\iozdavne.exe

iozdavne.exe

C:\Windows\SysWOW64\hactrbztscczi.exe

hactrbztscczi.exe

C:\Windows\SysWOW64\iozdavne.exe

C:\Windows\system32\iozdavne.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2888-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\iozdavne.exe

MD5 855f1d5753c6dfa0bfb6a19d9771fdc4
SHA1 619759a9ec54c2ac4b223b704c8510b63c292edb
SHA256 b36bfae9d515c3beebb7f844f0b4bd3ad33cad5b0477d226a2257f5a29e2cffe
SHA512 15764b4c902009a422b3dfde836242c849a59e51640bfbbc1b885d588e915da1fd8adae4e0bd2187769faf7314bd76d1463e0a0005e96eaaf1f6b6e11626c219

\Windows\SysWOW64\vfblejvmkz.exe

MD5 e49f358a5837f6475e28304288a802ab
SHA1 2aae425c3e4ebf89cb4e2ccdafdab27711d8f049
SHA256 7b5cbcb6cd9ed3c3e324afbe5b95ddaa435369ef38e0ab57676d0a145ac5f77f
SHA512 2e45c713b6daffd509cf20e8796e00d8130f271bc1099ff093f3f8f32a1cfa32f7ebc3ae55c7c555b89e405bd839a82d0a998a4430ee1c2a12ac58fd5e01e5bc

\Windows\SysWOW64\bzktouiylyunkrj.exe

MD5 3a4123588cf0d692837c1788ad62631c
SHA1 7b92bed03dd0d7b3f858a2a2fe59df91b32dcdb8
SHA256 a27a60218cedf076b7659c046b3a6504bf75fb3e5beae87d82f2779dd3661da9
SHA512 bcd89c2d83aa6f6ddacc1fceda7196adbb31335efd1da51e2c0f6c4a6362e289eba12c6d6edf53a40672260458266efb72507fd582420274ea6fd89b784e128e

\Windows\SysWOW64\hactrbztscczi.exe

MD5 9ce545b4b580a216de9aa812583627f1
SHA1 b2c0d8b7cb75ee151bd8b09afb0e4cb77ab6fca3
SHA256 b5033fd233cfd4aa639fa9f570a8f1c3fc92a757e5a18eecb305581da615e170
SHA512 315227ac3f09203c90f177d80212294fb131853db7cd15c1735890db338ccff0edfe988e6a07e3dc8d35a9f2556cafea82d786886d83f8894b7777595e4c7e52

memory/2376-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 ea9d5c58adaebe4b3008ae863766e491
SHA1 1cdb0c6ea6477df0222448eed7d72bfd9e054dd5
SHA256 44f7e54f539142ce21a0a8193a42cf20d092c9e40c42ff30dd9f1ad4d359ac16
SHA512 b46b9c262e12849a8db5ea58b29e4796ef1046a8f3b4ffbafdbeaf47e5d15081b3f68ff773291d1a48d46e51f8580e75b539cb6df271fc92ab953def4b61aa8b

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 52a5125c3902aafa896aac3d0cbbbd0a
SHA1 33eee2102471dd281a0e1895fc6aae2ff5862c0c
SHA256 62e5e4b0e3e8c39ca8a8b70285cb8d0b9044ce7a57949061e43bd5e3f572b483
SHA512 9c92084f00cc2bfefbce8c8cf5d201207feb2e0f57c1cdd8cdaf9130dbb06e9fedfb3615e0aef6aec607a8e5d58e3969eaac2b1d10b6a712bc4522da0e24e05b

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 6a56573c1ef361d20a1f606e31f17276
SHA1 f0a6349e606a8d189baf04266a20d2386bff1c2a
SHA256 c528575cb5312d7d38a3e568a56b635d60c466d70f576a17c67df4ea4dfd5c29
SHA512 9338e347f2762e403cefdede1f8f545e103582bc78bccdeb021d06c5d7f3266d39aa25f804a8fdd5d08462f535c423a5a5eeae9195f50936304c33ca289532f2

memory/2376-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:20

Reported

2024-05-26 03:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\abfuynxees.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\abfuynxees.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqwywsje = "zlhfrvicyamkfcf.exe" C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rfwsouyjkgevd.exe" C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ksfklsyp = "abfuynxees.exe" C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\abfuynxees.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yjkgyvkn.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\abfuynxees.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yjkgyvkn.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\abfuynxees.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created C:\Windows\SysWOW64\abfuynxees.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rfwsouyjkgevd.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rfwsouyjkgevd.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Windows\SysWOW64\abfuynxees.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yjkgyvkn.exe C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\yjkgyvkn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\yjkgyvkn.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFAB8F965F1E4840B3A4786EB3992B3FD028A43650332E1C8429C08D3" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\abfuynxees.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\abfuynxees.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\abfuynxees.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B6FE1D21AAD27CD1D48B09906A" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\abfuynxees.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\abfuynxees.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\abfuynxees.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\abfuynxees.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7A9C5682236D3576A5772E2CDB7DF465DA" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12047E5399E52BEB9D4329ED7C8" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFF84F2782129137D65B7E9CBDE7E146594067426241D790" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C70914E5DBB2B9BA7FE7ED9434CC" C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\abfuynxees.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yjkgyvkn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3684 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\abfuynxees.exe
PID 3684 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\abfuynxees.exe
PID 3684 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\abfuynxees.exe
PID 3684 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe
PID 3684 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe
PID 3684 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe
PID 3684 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\yjkgyvkn.exe
PID 3684 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\yjkgyvkn.exe
PID 3684 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\yjkgyvkn.exe
PID 3684 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\rfwsouyjkgevd.exe
PID 3684 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\rfwsouyjkgevd.exe
PID 3684 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Windows\SysWOW64\rfwsouyjkgevd.exe
PID 3684 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3684 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3816 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\abfuynxees.exe | C:\Windows\SysWOW64\yjkgyvkn.exe
PID 3816 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\abfuynxees.exe | C:\Windows\SysWOW64\yjkgyvkn.exe
PID 3816 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\abfuynxees.exe | C:\Windows\SysWOW64\yjkgyvkn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe"

C:\Windows\SysWOW64\abfuynxees.exe

abfuynxees.exe

C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe

zlhfrvicyamkfcf.exe

C:\Windows\SysWOW64\yjkgyvkn.exe

yjkgyvkn.exe

C:\Windows\SysWOW64\rfwsouyjkgevd.exe

rfwsouyjkgevd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\yjkgyvkn.exe

C:\Windows\system32\yjkgyvkn.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
NL | 23.62.61.162:443 | metadata.templates.cdn.office.net | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | 162.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | | udp

Files

memory/3684-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe

MD5 ed3254a891874cae2054468f6875e917
SHA1 5630c70ce8ecef317aca154cfdce1f5e591033a1
SHA256 8bd5d914448c37dd3025708ddd51cc677bdd5518074fe7ce94143a64e0ced6a2
SHA512 857c45ee60104ccb62b6bb88a30942ab7e1c80ed03f07b60ce41b7e5564fee83627b70547a83f8dc73267f280e1b144eb3e1589776ab9d64ff9496fedcc4715c

C:\Windows\SysWOW64\abfuynxees.exe

MD5 0ea7104d9bdb769573bfb75766339742
SHA1 4de4c4c7f0db14c6a2999271c376601799bb63cb
SHA256 cd1bfac26134a21f363128cc1e95515f81c01b23eb815d434c89b7dc9d07d9dc
SHA512 671db94c8c86b8d378582d960754ade4a8a70af340ea84561afca35bc97e43bb272d606e1dd16c2ffa917be3caf9d92d52a95028400a8aa2ffffb27bc068f8d9

C:\Windows\SysWOW64\yjkgyvkn.exe

MD5 c170c0c80ea3d7777c46a20315866421
SHA1 f34c0efcda6ea0026e9fff5f634afaa977f6e2fc
SHA256 1a55fd3ab993779c4adc422880668b9772b5a877c7bbad434e762bd3591ac4d5
SHA512 afa97a11118cfc113d643a8f602f5bbb869ae4105fa2f00e0bc48309bd4288b4121ab04365af86f80908dac163353d9bfb7d3e2741204f0fccf7d98856d115f6

C:\Windows\SysWOW64\rfwsouyjkgevd.exe

MD5 dc861194a975f2a4e564efcf6ee97f6f
SHA1 d5b417e8d8e018f8dea7864de038aab594b5aa5a
SHA256 19c8dfeb1c58501a5e8cd61a8af441b3751ae7f8f2a3bb66378babf14e912b5e
SHA512 61bbfe7d3f61d619bf41355e317bc3c2da1afc4202a65b66d39db2d4ac8506a8c3f565dc870375fe15808350b6a52020cd5745db3f1112c13a57a3ab6eee36e7

memory/1992-35-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-37-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-36-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-38-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-39-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-40-0x00007FFE15A60000-0x00007FFE15A70000-memory.dmp

memory/1992-41-0x00007FFE15A60000-0x00007FFE15A70000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 60db0b7578af3356e2c1599b31d4a7b9
SHA1 57f79cf1b50c3657f1f7d7a8ffccb92dc7e448cb
SHA256 82c6db443ab29df4e1df7f72100e033130c292fe607a8a689016663878f6dcd7
SHA512 33ef06a098e9e97890711b47ef2a41053f08d138c79ffe1735651e259286207b344d6c8d7f33092d83739f7b4802dc640a0029885fbdd1f441663ec2c594607c

C:\Users\Admin\Desktop\MountRestart.doc.exe

MD5 9d0009ba5f39e51f02ca5a4ad2ce8fa7
SHA1 59382f466177dedac3a72ba8334ec751609f801a
SHA256 8288bae9193e36cdeac475b0bd0d7e3c9878a068c8708f43051c55653e140f90
SHA512 91aadbf814eb5d4afdfe2963ec54d0452d55d9c00e97ab9e659e0c33a5f7c2fa6a41deb38bd25f753a2f9ff1e1229a96d52d8d789c43f3727493c6f8b08b2b8b

C:\Users\Admin\Downloads\SelectConvertFrom.doc.exe

MD5 ec4daa4943ec204addf121eb524f3b1d
SHA1 b8b450c43c1d8abedac42ca0f83686f53020f5c5
SHA256 def455048277b055c599d7d34628373de1a1f0ef4a89ac3bfd948e733d74b2df
SHA512 85f991dc0f04cf24665841f63bcb11d9383b7034d42799574ff6d31267e0b8696d7a0bf27905be9ab92eb0829d3af97dd3dcabfb4ca1a5db53578191844ce354

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 020662c1d55f9c7180936b820160376e
SHA1 63106ca0f9dceb1f25d76d8b2bdd54b2b1ddc227
SHA256 8b40eaecbfe7998ab99111b56d0bf4c21c66453707d4a567baa99c3ba5cdd5fa
SHA512 1b6615b5457d63ff51062922473f016cd3fc95eb9f50f3d7f557a779fe4a1c2672c49d71bfc7d28717fa29db16ec17f729e0d2cfb750915b67fb65e152e7b320

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2220ed0713866c031d0310e43ce93aa5
SHA1 70d255f05152b96099d19dd89698d2551464e535
SHA256 ef226820b36bd81701c09d9e18085309a98a00f77e4e34b0276c5fdf20e25c0c
SHA512 f232a601c7e0d120b6f5b12ad62f9face55c949fdd555231c1caadaaaa099e284262d05b34f2b323f49643f316560643689e1aa6c0737b37c2978847ee87d133

C:\Users\Admin\AppData\Local\Temp\TCD7DBE.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 c0fc71978e69bf1dff770255f1f80b76
SHA1 52e6ede2f0246eec634705aa6de8f8563bdf5a19
SHA256 00105dfff3bf39abdd7a714aad32bbcd5cacdea33e2418003417e73c43b14009
SHA512 8d6e97ceede30de86777be19777cb4ed91f1e065abdd0a65d45d03533289cb707401393175018d63795e600eae3d6738986679b0825c499eee26dbb4010214d7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 4710b693bcc1ba768744b36d83c04cc0
SHA1 d602aa2463c47049ac771fc9b1141982a0e5e1be
SHA256 69809ac311207d1bc4b6b2b8e46cb237cede68a5d8b66ac90439688ed263c07a
SHA512 ddc12d1fea0359fae9783d31b8bb986c16d18084ad21865fee6508570bc5002b03218b27983d0c075e530366357caf32bff684a8b85389b639b744f851fee4b1

memory/1992-609-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-610-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-612-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp

memory/1992-611-0x00007FFE17C30000-0x00007FFE17C40000-memory.dmp