Malware Analysis Report

2024-11-30 07:05

Sample ID 240601-hvgtvsdd8v
Target 89b0694e89982148fb33ce9cc419001b_JaffaCakes118
SHA256 38ae795cc25d24b2ec10f7bef5f44bec744511e20cbda8b081d9bf36c25a2b60
Tags
evasion persistence spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

38ae795cc25d24b2ec10f7bef5f44bec744511e20cbda8b081d9bf36c25a2b60

Threat Level: Known bad

The file 89b0694e89982148fb33ce9cc419001b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Windows security modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:03

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:03

Reported

2024-06-01 07:05

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xgvdxvto = "inmbkrxrpq.exe" C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\paelscwy = "zewyqxhvqcjitpc.exe" C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "twpetvtdolyiw.exe" C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\lmfnwxng.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\inmbkrxrpq.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lmfnwxng.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lmfnwxng.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\twpetvtdolyiw.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\inmbkrxrpq.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\twpetvtdolyiw.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\lmfnwxng.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\lmfnwxng.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFAB1FE6AF290840E3A3286EC3E97B38E028C4362034BE2CA459908A9" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60915E7DAB7B9BE7CE7ECE037B9" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C769C2483226A3777D2772E2DDC7C8E65D8" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB2FF1D21DCD178D1A88B7D9165" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\inmbkrxrpq.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
N/A N/A C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
N/A N/A C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
N/A N/A C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
N/A N/A C:\Windows\SysWOW64\inmbkrxrpq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\lmfnwxng.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\twpetvtdolyiw.exe N/A
N/A N/A C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\inmbkrxrpq.exe
PID 1664 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\inmbkrxrpq.exe
PID 1664 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\inmbkrxrpq.exe
PID 1664 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\inmbkrxrpq.exe
PID 1664 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe
PID 1664 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe
PID 1664 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe
PID 1664 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe
PID 1664 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 1664 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 1664 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 1664 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 1664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\twpetvtdolyiw.exe
PID 1664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\twpetvtdolyiw.exe
PID 1664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\twpetvtdolyiw.exe
PID 1664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\twpetvtdolyiw.exe
PID 2852 wrote to memory of 2396 N/A C:\Windows\SysWOW64\inmbkrxrpq.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 2852 wrote to memory of 2396 N/A C:\Windows\SysWOW64\inmbkrxrpq.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 2852 wrote to memory of 2396 N/A C:\Windows\SysWOW64\inmbkrxrpq.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 2852 wrote to memory of 2396 N/A C:\Windows\SysWOW64\inmbkrxrpq.exe C:\Windows\SysWOW64\lmfnwxng.exe
PID 1664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2412 wrote to memory of 1808 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2412 wrote to memory of 1808 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2412 wrote to memory of 1808 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2412 wrote to memory of 1808 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"

C:\Windows\SysWOW64\inmbkrxrpq.exe

inmbkrxrpq.exe

C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe

zewyqxhvqcjitpc.exe

C:\Windows\SysWOW64\lmfnwxng.exe

lmfnwxng.exe

C:\Windows\SysWOW64\twpetvtdolyiw.exe

twpetvtdolyiw.exe

C:\Windows\SysWOW64\lmfnwxng.exe

C:\Windows\system32\lmfnwxng.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1664-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe

MD5 8b6abf4bbd68669c3c3c4455cd239883
SHA1 1ac32d3bda8a6abb836359efd2e7c559945288af
SHA256 826750fa931e20c3541a945202db73d6850447bc8690eb151248a6229a9cf5ca
SHA512 4d34d21111311dda3b163db9685feba3b5a895ba5b7f05f636495d55745dd318499cda27d39bd8c7014ba1722f2ec6b0706034e918a2aa2c9d1c3a6f9070923d

\Windows\SysWOW64\inmbkrxrpq.exe

MD5 0247c253536f60c6244f9cd16277b324
SHA1 f14629c11f20e8f020e37f3c1f319ee7a535d0e7
SHA256 67c7b5b3e361128e8990aaff834ae1ad1e5ed230e05c485847bec1678a886d16
SHA512 95669713af49f4e983e1f16ae6adb1c0f5c1c854223a2e06196b1bebd75f724fc926c8f564a0d89418be7f5e7fd563b705f92e0370b1abc7fcd9e0e6d4fe92ec

\Windows\SysWOW64\lmfnwxng.exe

MD5 ce052398459a98657fbfde69702507a0
SHA1 4d206a696fd010b7534e5b7392e3d1b8944216cb
SHA256 025380828dd0b4979f874dff303fe4d00d58859363fdfa5859bbcc54ea86105c
SHA512 861163ae5de05f8fb87d4f4b73d7f7774d80d8384a7df6adae3cfab078248688a87ee6981c7900a4a4e9db360c6b7dd25892e39575d779c26bf625556aabda29

\Windows\SysWOW64\twpetvtdolyiw.exe

MD5 ddf5c264fbdaf8ee9f8361f0ea68ab1b
SHA1 8b1d80f7b346504ce5bb4792bf3a73ecb2bf1009
SHA256 4e950ef55cd87bbfd771ba05c44f3e627d84cee261f4e590e18281053157944e
SHA512 420d07d71cbbe93dc845000d729152146b1b8c6f44cedf0ff66824b67a84d9f5534d0ad115e723eef8d201e06961a4172c25b793acd50e32750638f8ddbbb7fc

memory/2412-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 b912bce5c12bee38699646bedfedc191
SHA1 994a377d892f24f551d507382ad2e8102d1858ad
SHA256 e1f261a8da96f0db3ed0648ce451b8c09849eb4a09e1ff7795685bf67b8c0224
SHA512 2e64589d2fb4d3b93bcc3516cd7a55794ed2c563aa4f714293b6be2752ea9f5565721585881a619273478b45a2a3a215cd8efc79fdad3fd2e4741f9bc1941236

memory/2412-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:03

Reported

2024-06-01 07:05

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bsasbbinzb.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bsasbbinzb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dalcueqa = "bsasbbinzb.exe" C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\maunkrob = "hqeztvcrvvpqmom.exe" C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fggimspiafatk.exe" C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\djiezbpf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bsasbbinzb.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bsasbbinzb.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bsasbbinzb.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fggimspiafatk.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\djiezbpf.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\djiezbpf.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fggimspiafatk.exe C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bsasbbinzb.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djiezbpf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\djiezbpf.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60914E7DAB5B8CF7FE6ED9134CB" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFFB482785189135D65D7E95BDE4E133594167466243D79F" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB4FE6821DBD10CD0D28B78916B" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7B9C5782256A3E76D2702F2CA97C8464DB" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9CCF913F29384743A4786983E93B389038B42680238E1BA42EF08A7" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12047E7399852C4BAD033EED7B9" C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\bsasbbinzb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\bsasbbinzb.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe N/A
N/A N/A C:\Windows\SysWOW64\djiezbpf.exe N/A
N/A N/A C:\Windows\SysWOW64\bsasbbinzb.exe N/A
N/A N/A C:\Windows\SysWOW64\fggimspiafatk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 684 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\bsasbbinzb.exe
PID 684 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe
PID 684 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\djiezbpf.exe
PID 684 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Windows\SysWOW64\fggimspiafatk.exe
PID 684 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3200 wrote to memory of 1980 N/A C:\Windows\SysWOW64\bsasbbinzb.exe C:\Windows\SysWOW64\djiezbpf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"

C:\Windows\SysWOW64\bsasbbinzb.exe

bsasbbinzb.exe

C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe

hqeztvcrvvpqmom.exe

C:\Windows\SysWOW64\djiezbpf.exe

djiezbpf.exe

C:\Windows\SysWOW64\fggimspiafatk.exe

fggimspiafatk.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\djiezbpf.exe

C:\Windows\system32\djiezbpf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/684-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe

MD5 5967099882bc66025d225ed10535c840
SHA1 239f637d1af9c33878ceb7fc2ae9dda1fdc2e729
SHA256 c7a9314959485e09ea9fb2258ab76fc8a3ca17bab105e88cda8861809db20a1e
SHA512 77fd583c1020e8774ce4c7d4fdd97edf543ed5103fe0a494817f3610b919015635e97ec65bedf9f40d724ab0443db286b15241818df81799b853f76fd8d4b42b

C:\Windows\SysWOW64\fggimspiafatk.exe

MD5 596cd9ac87826a855b9839e789b7980b
SHA1 3c1425945a4899ed2ec15bdb5fc0ca2de2a8d49c
SHA256 c8c6938058a09078a5d5e5fd77d38556108ee44536870f5ce7fcb9decda8cde5
SHA512 1d48211c2ffbb0138f82c6b72511fbdc000670f9e46ff724b7b47d8d3cddaced1635bc343ab207a4325e45a19fb7ff1546fdd288e788b06a7a3f0222574f0eb1

C:\Windows\SysWOW64\djiezbpf.exe

MD5 d72ba72f7e2865c55c061ad476b7c09b
SHA1 cef1958ca4e28894629e30afcc9a917e233c4d21
SHA256 b200941375039741486d1b8618043a17b09de7d27965744e396509a69ea4a59f
SHA512 5d104e727e451a4d05fb702e8780f4e9efa757df77f265e3cc09e52a5eed34eea55a7b285c1003f80afc1619d9b920955dacefbda9748b541470bbef630c1bda

C:\Windows\SysWOW64\bsasbbinzb.exe

MD5 6de3210a63d51ed66a532e459a7f38b7
SHA1 1e85e3fdd4190957920954afe33e8e3f8b2d5783
SHA256 6315d4313dec30894441f3ea1df5e8eaa8bd49919ff2d5e4a9a3d768ef292913
SHA512 380308a57a453e69f17b9bdcb832767e529360cd9d6f4e6275ac849f9a322ae5b767c266d9d0576d65bfc24830a30da1927f84e27be137013cf088415384a145

memory/2272-37-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-38-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-39-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-36-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-35-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-42-0x00007FFACA390000-0x00007FFACA3A0000-memory.dmp

memory/2272-43-0x00007FFACA390000-0x00007FFACA3A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 21a601493a4c53e30182d3ff93d198ac
SHA1 08018a3011585d01f34f2b968ba98266a47ad978
SHA256 7d77c3cb9ccdfc50f76e0ed2438a65241b69aed65a2e4c05a5398e9512bb06fa
SHA512 c077f807e628ce77639da1927b5807dcb15f48a8432128d83537e5102645caf3f072cbf131e2638948782c6c2bd7acf9c6fde3458dfab6f278a91d1f0a3a0c70

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 211531205ea688b4e1081fdfd2f8db68
SHA1 b3ead4cd873066bf7d5202c3cc5e4a7d2dfd6ef5
SHA256 9fa9178a8f48a944bd9368e9790ce096736d091d50b9153458a57a7d2d2daba0
SHA512 465767f2421041b89032c9f82649a319c0fb2330aa5e4fc6656e27604453d742b9d903f04650b8b218161a586de2f6881759e86ffae64cdf416b1055a3fe3a43

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 cefc9cc071475f832b45ba2c343b2250
SHA1 09f5e6058c4c0b669efb724233af143a88121339
SHA256 f2ff4308823c151d55118894a3feff98ef532b8a7ae56f4d2adfdd23e6282ab8
SHA512 b2833612bdc310724a9bd240343ed251810cd8cbe49d82dff387eaecd0b670f403de55d2c043ebed26d94834f317eac309ea3b38dc42dd5adca316d6dd2b3663

C:\Users\Admin\Downloads\ProtectAdd.doc.exe

MD5 e363458352ddefdb2173b0c899571428
SHA1 2d2ea6215fe06c11c7113d8c73f5b0fa35c1d2ff
SHA256 6db6b9aebe7ea71e72ccebf2e648cb2cfa675caf92300ff99b3292db432edac6
SHA512 a2f9ad7a22dd3227184be4c14907c27760a7a467e4534f1ed24e487da73d611ede6369624448fcf718a10176885249e773a0cba0c0fdcf82934edf0eeb9bf47c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 243c47a9ce61b4c773956a364f182b43
SHA1 cdc799e890b6d2d26a37d2609a25709994f7080c
SHA256 9da27a6987f2d3be7b7323d5a98ce9769d7f1ec614bb988d166236ea95d6c9f1
SHA512 f1bc5e840b78fd8dde995ee18e6ab771904c1b365f41078acb8bbd6bef40b095012c00978b9d044f23a86654921f096880075b4061bdaf37a432b48375810a12

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 b463c9221bc751a1610ad7f23cbab1ce
SHA1 6c5749e02e11a31e02ee00e25060cb661c61de32
SHA256 b603fd0d878c4b00318b20d825715a953aa8c953b0663c34d57bd80107265409
SHA512 1a9642da462f7256788acfe5dd82ee2ebdc0d1cc7e09e5867890a3f532c6b7103201b5939c145337faa131a3c0baded52796b029655ee628862eff6e94836b20

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 eea2c99390e324618d092d500c25913b
SHA1 986ca4b0887084dc392cb379061fe6425da3287f
SHA256 6e336a29add21baaa0b9445dfaa0278f1d05041062d3e519e3c27887ebd1d694
SHA512 4248ea9cdd4e2d02fc2621c0af8e228b626aef557647458ecfa43f32b3e436382ffbd8e4b06cca35de1d1eec0c8305a34fce56458d5ddf5b32f061c699209f27

C:\Users\Admin\AppData\Local\Temp\TCD8BCE.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 20c9d05f808c1ce43f9f020777003f80
SHA1 d94c13439647ed94d5d4815263cca38dcdbf873d
SHA256 106245a45614809d531402ca03c0b123f64ccce2b3f52ac6f982e3269c72e60a
SHA512 3f62320df489042cbe3565bf121ce5c3e5d4641a81dcb02e5ce2eedfb2d896ca245b2014a1b649be377ff3396ecb2f1e83f06956361b9f41f3d46f49baf4933a

memory/2272-606-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-607-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-605-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

memory/2272-608-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp