Malware Analysis Report

2025-01-06 09:05

Sample ID 240601-fmwlyabd25
Target 896cf938a352b45196b4e69fdf831972_JaffaCakes118
SHA256 4662c7f69769f0a4633b9cc30a22ee86802f6730050c83d1c0738d82496f3384
Tags evasion persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 4662c7f69769f0a4633b9cc30a22ee86802f6730050c83d1c0738d82496f3384

Threat Level: Known bad

The file 896cf938a352b45196b4e69fdf831972_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 04:59

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 04:59
Reported 2024-06-01 05:02
Platform win7-20240508-en
Max time kernel 150s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "alhcwakokuvnh.exe" C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\shuhracu = "sfjwqdimbi.exe" C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xzcuiriq = "trbzzrxshbwplsg.exe" C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yrienqpc.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\sfjwqdimbi.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\yrienqpc.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\alhcwakokuvnh.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\alhcwakokuvnh.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sfjwqdimbi.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\trbzzrxshbwplsg.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\trbzzrxshbwplsg.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yrienqpc.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
File opened for modification C:\Windows\SysWOW64\sfjwqdimbi.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\yrienqpc.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\yrienqpc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF8B482885129046D75F7DE5BDE2E146584266416330D79C" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BC4FF1821D0D172D0D68A7A9016" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CDF916F293847A3A4381EC3E92B0FE028F42160239E1B9459C08D4" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C77B15E1DBBEB8CD7FE6ED9737C8" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
N/A N/A C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
N/A N/A C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
N/A N/A C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
N/A N/A C:\Windows\SysWOW64\sfjwqdimbi.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\yrienqpc.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\alhcwakokuvnh.exe N/A
N/A N/A C:\Windows\SysWOW64\trbzzrxshbwplsg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\sfjwqdimbi.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\sfjwqdimbi.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\sfjwqdimbi.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\sfjwqdimbi.exe
PID 1904 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\trbzzrxshbwplsg.exe
PID 1904 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\trbzzrxshbwplsg.exe
PID 1904 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\trbzzrxshbwplsg.exe
PID 1904 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\trbzzrxshbwplsg.exe
PID 1904 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1904 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1904 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1904 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1904 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\alhcwakokuvnh.exe
PID 1904 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\alhcwakokuvnh.exe
PID 1904 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\alhcwakokuvnh.exe
PID 1904 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\alhcwakokuvnh.exe
PID 1576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\sfjwqdimbi.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\sfjwqdimbi.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\sfjwqdimbi.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\sfjwqdimbi.exe C:\Windows\SysWOW64\yrienqpc.exe
PID 1904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2628 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe"

C:\Windows\SysWOW64\sfjwqdimbi.exe

sfjwqdimbi.exe

C:\Windows\SysWOW64\trbzzrxshbwplsg.exe

trbzzrxshbwplsg.exe

C:\Windows\SysWOW64\yrienqpc.exe

yrienqpc.exe

C:\Windows\SysWOW64\alhcwakokuvnh.exe

alhcwakokuvnh.exe

C:\Windows\SysWOW64\yrienqpc.exe

C:\Windows\system32\yrienqpc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1904-0-0x0000000000400000-0x0000000000496000-memory.dmp

\Windows\SysWOW64\sfjwqdimbi.exe

MD5 e7dc805f433d8f838ced186fb33b159c
SHA1 a346a867b8e9f2a9a4caddb468cf67cf5cdc5db3
SHA256 fbc3bc204c81c0b2ef835ed7189350ca0eec70bc24500e1a10c27a33ee90b85a
SHA512 d52a994ff8dd3289abf283152af17e6bbfc5ba26ef494de0e778bc3ffc458a4795622433a44985ec1dc0ba4390094556a955f56c6fdc8a02c2a8e15d9f119bed

C:\Windows\SysWOW64\trbzzrxshbwplsg.exe

MD5 53a1911f7e6d191ab583e9a4e583e716
SHA1 a40327c317192bf1a7de4012af3420e77f3bf122
SHA256 6091ae07ce35f4eb30bc473c777eb6969f84ad981f48c3e59f51e6838f3fb651
SHA512 ea96d273639d4fe3b97d204cf950bc7250a2ef53c1cb17ad1d0cb0069b935b3731f37926f572f6bae5e83e43e62a59cd990eda40486f56bf4f2c1a0d7eef27df

\Windows\SysWOW64\yrienqpc.exe

MD5 632d3f1edda073cef0981781c71edf86
SHA1 117e59146411ff9d9759b1e26c6bebf4d3879b9a
SHA256 50d3826b99ab89084a1b4bd72cb87a8f700725653ab109cd06b974ef054102b8
SHA512 244ed6c0bd828e11c919bbff04b77c949ce57e87be5cb8a28bf43c81cd9fd1608a8412023478d582ba716894f95788ff09d5f19795ee695313c34c17a62fdb28

\Windows\SysWOW64\alhcwakokuvnh.exe

MD5 8bd2d055063812d73e089513313392dc
SHA1 aa33f3a64bfccba70aee64fcfd0af976132369de
SHA256 2fdb2e28cc986ee4264b15ca5d7d08e88c1a91a2172a33d956f24fd2aef897e1
SHA512 84f57a832d42c23b3dfe0409fd0cbba409bf14966c606c325e747a9b957b79be0d805d66fdc778f15947717b6978e5ac33b1a11697272c5ba084cb3fc273bd9b

memory/2628-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\Documents\SwitchUndo.doc.exe

MD5 14073541659b03aa4e1794c8459f7138
SHA1 e496d71585624ed51f9e72b085c21af39c00bec2
SHA256 e5dc8ebedd4b9a4c4a39cc12e176942245951eef47e60327317c93135e3ee796
SHA512 3b41990d540f3ccd258c35fa3cc68cf7c370fca3fa0ffb5015e38ac8ae57333fe54b231adbc3f1f29971dd2050f5efdc5eb8429d664b0c7adcfd0ab8e3bf45cf

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 36fea58e3a13ed247dfb3c652b2a9f54
SHA1 2d45d400910fc2d16b4cb182c1b79a3b3322a76e
SHA256 05dbb1174830455445400e75e962fdf838e154056f36edead7125ab16afef189
SHA512 fa094e6fb057631707ed2dc846d30fb90febfb2268cb7a99e67a9fa4e4503ec539b6a010e332bfa369777e64b729219ab43ceb4ed04f0a54565f2e67dee2704e

memory/2628-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:59

Reported

2024-06-01 05:02

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\kljfvddowo.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kljfvddowo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgiqquyt = "kljfvddowo.exe" C:\Windows\SysWOW64\umhcgfkvkuusgce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dmgapzvv = "umhcgfkvkuusgce.exe" C:\Windows\SysWOW64\umhcgfkvkuusgce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gfwjitnzvwqjl.exe" C:\Windows\SysWOW64\umhcgfkvkuusgce.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kljfvddowo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lcutvglh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\kljfvddowo.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kljfvddowo.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lcutvglh.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\umhcgfkvkuusgce.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\umhcgfkvkuusgce.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lcutvglh.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Windows\SysWOW64\kljfvddowo.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gfwjitnzvwqjl.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created C:\Windows\SysWOW64\gfwjitnzvwqjl.exe C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\kljfvddowo.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\lcutvglh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\lcutvglh.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0F9C2383596D4376D470222CAA7CF264D6" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C67C15E5DAC5B9BB7F97ECE337CF" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFAB9F965F1E3830C3B4786E93E97B0FB03F14214023AE1C9429C08D6" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\kljfvddowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\kljfvddowo.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFFF84F27851B9131D6587DE2BCE7E634584066466334D798" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B1294492389F52C8BAD53299D7CE" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB2FE6D22D9D108D1D28B099011" C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\kljfvddowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\kljfvddowo.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kljfvddowo.exe N/A
N/A N/A C:\Windows\SysWOW64\umhcgfkvkuusgce.exe N/A
N/A N/A C:\Windows\SysWOW64\lcutvglh.exe N/A
N/A N/A C:\Windows\SysWOW64\gfwjitnzvwqjl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\kljfvddowo.exe
PID 1612 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\umhcgfkvkuusgce.exe
PID 1612 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\lcutvglh.exe
PID 1612 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Windows\SysWOW64\gfwjitnzvwqjl.exe
PID 956 wrote to memory of 3288 N/A C:\Windows\SysWOW64\kljfvddowo.exe C:\Windows\SysWOW64\lcutvglh.exe
PID 1612 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\896cf938a352b45196b4e69fdf831972_JaffaCakes118.exe"

C:\Windows\SysWOW64\kljfvddowo.exe

kljfvddowo.exe

C:\Windows\SysWOW64\umhcgfkvkuusgce.exe

umhcgfkvkuusgce.exe

C:\Windows\SysWOW64\lcutvglh.exe

lcutvglh.exe

C:\Windows\SysWOW64\gfwjitnzvwqjl.exe

gfwjitnzvwqjl.exe

C:\Windows\SysWOW64\lcutvglh.exe

C:\Windows\system32\lcutvglh.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network


Files

memory/1612-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\umhcgfkvkuusgce.exe

C:\Windows\SysWOW64\kljfvddowo.exe

C:\Windows\SysWOW64\lcutvglh.exe

C:\Windows\SysWOW64\gfwjitnzvwqjl.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\TCD8D05.tmp\iso690.xsl

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
