Malware Analysis Report

2024-11-13 14:03

Sample ID 240603-3zyndsdh3t
Target 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118
SHA256 f4725b05284b9ad3b6e6be5007795dce59b504d4c6c962cfef2955fac97f952b
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4725b05284b9ad3b6e6be5007795dce59b504d4c6c962cfef2955fac97f952b

Threat Level: Known bad

The file 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 23:57

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 23:57

Reported

2024-06-04 00:00

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\tzygrsftxh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tzygrsftxh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fcnvuaze = "tzygrsftxh.exe" C:\Windows\SysWOW64\kcuugqdtriifhcv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ykoluwja = "kcuugqdtriifhcv.exe" C:\Windows\SysWOW64\kcuugqdtriifhcv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rhkvnumskbnam.exe" C:\Windows\SysWOW64\kcuugqdtriifhcv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tjuqwohf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\tzygrsftxh.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\tzygrsftxh.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tzygrsftxh.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kcuugqdtriifhcv.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\tzygrsftxh.exe N/A
File opened for modification C:\Windows\SysWOW64\kcuugqdtriifhcv.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tjuqwohf.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tjuqwohf.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rhkvnumskbnam.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rhkvnumskbnam.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\CompareHide.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\ExitRequest.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File created \??\c:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\ExitRequest.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\CompareHide.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\CompareHide.nal C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification C:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File created \??\c:\Program Files\ExitRequest.doc.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tjuqwohf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B120449238E352C9BADD329DD7B9" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D0D9D2083586D3E77D370202DDA7C8664A8" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\tzygrsftxh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\tzygrsftxh.exe N/A
N/A N/A C:\Windows\SysWOW64\kcuugqdtriifhcv.exe N/A
N/A N/A C:\Windows\SysWOW64\rhkvnumskbnam.exe N/A
N/A N/A C:\Windows\SysWOW64\tjuqwohf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\tzygrsftxh.exe
PID 1960 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\kcuugqdtriifhcv.exe
PID 1960 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\tjuqwohf.exe
PID 1960 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\rhkvnumskbnam.exe
PID 2644 wrote to memory of 2664 N/A C:\Windows\SysWOW64\tzygrsftxh.exe C:\Windows\SysWOW64\tjuqwohf.exe
PID 1960 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2232 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"

C:\Windows\SysWOW64\tzygrsftxh.exe

tzygrsftxh.exe

C:\Windows\SysWOW64\kcuugqdtriifhcv.exe

kcuugqdtriifhcv.exe

C:\Windows\SysWOW64\tjuqwohf.exe

tjuqwohf.exe

C:\Windows\SysWOW64\rhkvnumskbnam.exe

rhkvnumskbnam.exe

C:\Windows\SysWOW64\tjuqwohf.exe

C:\Windows\system32\tjuqwohf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1960-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\kcuugqdtriifhcv.exe

MD5 fdf9776a7c61a3e087abf2ca1a87c4de
SHA1 81a8f2d1bd4014b0873363842284fc8d91d72c59
SHA256 f30d5e01870f4dacbd16154ba3fc065357aa73569d080e0d371a5324252212c7
SHA512 7c2fa4820bd904c064d2d1fafc6c57e9602afa5dba5c46a7ce9f761554298f30a96aa6e17c2663e73d8e4ead5037efc86f75d4fb517434dba3cac76bfe458f22

\Windows\SysWOW64\tzygrsftxh.exe

MD5 5c06c8dfa0e1c4574fe33ff0bfc91480
SHA1 28ea4cf5295044abdc6f9d30330db256dc9d8453
SHA256 2253b1331a065f39f786768c3a9e15059b6fd8ed45fa001d1fa0f4cc46570054
SHA512 29bafeaa2c9757dca57e826db5d357c0998d71c81a81deb421d73205adfe8261ac65885a509a7edab0022076855953e9b1982a70ad005125babc72a9d11fac6c

C:\Windows\SysWOW64\rhkvnumskbnam.exe

MD5 f7a29dfbb1d21e83318ca691097bba38
SHA1 6a56a1047ccc467a1e725c269be9be688069af1e
SHA256 7d39486b59139ed74a551f604bf95d8a7aaf4e6a5dfc03c7860330b0c9d97028
SHA512 a09c839a216f9f91b9834d810f6f096bdcb8649866409b2be44a10fc41ac29d470e800c828690878add5f948d912409fcfc463108f8615a41830b24b809f35ce

C:\Windows\SysWOW64\tjuqwohf.exe

MD5 f797d3e0335f7c3210186782d5973d28
SHA1 95f2d516b159dd484bab53c2be6a48c7a7b09dcc
SHA256 e9e40fcbbf91f0cb927cba4bc62ea62cd6e3309da1ec261536559149fdc5a490
SHA512 937ebd0d13a317b45b51d634f284cc12e4cb24b8d1bb78929233fc730b53347f472cd6208789ab9cc5e465cc560e361621854b22432a8c88df31db5fc6dc0684

C:\Program Files\CompareHide.doc.exe

MD5 033c5d256fbb7bde92c94fd089c37234
SHA1 8104fa27387bd678a57d018e9ddcabcdfbee8d21
SHA256 ab464f90c9bcafb17ba2fe72888adeefd606f49fca5d0ce7d4a5dad8863728c7
SHA512 16052838c63834597292c4850eddc3944a9b1fdee3a92c92717e609d7f764d5bef0212fdca191fcbc14de75485a383d63c193acbd94574b35c24d17fda82105d

memory/2232-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Program Files\ExitRequest.doc.exe

MD5 33fda74bcbb62bea26ba189f3c841383
SHA1 82725ad8b1bb25df37f5e5c691f72ccd19ff9de1
SHA256 a89440f99278d743b2b298219fe04cc66377966ea35b20104aa76110741bb37e
SHA512 5f3cf042d27e2c4a59b826b082a27b676a6323c745cb1922aff78371c55515d65def72dae54170c0ddd61d238d826c1c21c9810c53a3a90e7582f3382e93e8b4

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 1ad61dab747e7777ca7a6e4d865d92a7
SHA1 809709c52a6c7933b4c9556fc25a33c0a1d9c4bb
SHA256 72d0eff297e3a36e0c5f96de94edc745c75e5d1af2b819217aac32700f5545f9
SHA512 2cfa2a243a3ea3bf8d2bafbb14d1b3f69a42d6067d40e28eee6be19fed0c74e6e56fd948c3b962a5ad6594a3b068d01bafcf054925370d355ac24484bc8f0c58

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 5d271298edf9a23a6fb9e0771ecc59e5
SHA1 ae5d0e1636e8424533fec8d68148e0de6de55172
SHA256 46d01815bb94c3795ef043cdcaeb55e583cc70b09290234865633a2b1a0f24d2
SHA512 157d546e61f0316d4ed57814a28f2264ea92c082b5ddd4fecaa2d6089ab3369f21c19a7f130b59329ca234424067927cc09f92d17d794b70ca521a6e869c3afe

memory/2232-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 23:57

Reported

2024-06-04 00:00

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wqimvavhcg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wqimvavhcg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hlzabffo = "wqimvavhcg.exe" C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndhgmley = "bihncvjnahjzbnv.exe" C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "erffyikmsdtfb.exe" C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ahfklvua.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wqimvavhcg.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\erffyikmsdtfb.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wqimvavhcg.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created C:\Windows\SysWOW64\wqimvavhcg.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bihncvjnahjzbnv.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bihncvjnahjzbnv.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ahfklvua.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\erffyikmsdtfb.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wqimvavhcg.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ahfklvua.exe C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ahfklvua.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ahfklvua.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FCFC482685689031D72E7DE5BDE0E631594366436341D7ED" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC6751593DAC7B8C97CE8EDE237B9" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB9FF6E21D9D272D0A88A7F9165" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABDF965F19783083A4786EA39E6B08E02FC43620233E1CC42EE09D3" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\wqimvavhcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D799C2083526D4376D177202CD67DF664DE" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15B479339E953B9B9D433E9D7BC" C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\wqimvavhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\bihncvjnahjzbnv.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\erffyikmsdtfb.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A
N/A N/A C:\Windows\SysWOW64\ahfklvua.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\wqimvavhcg.exe
PID 536 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\wqimvavhcg.exe
PID 536 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\wqimvavhcg.exe
PID 536 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\bihncvjnahjzbnv.exe
PID 536 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\bihncvjnahjzbnv.exe
PID 536 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\bihncvjnahjzbnv.exe
PID 536 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\ahfklvua.exe
PID 536 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\ahfklvua.exe
PID 536 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\ahfklvua.exe
PID 536 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\erffyikmsdtfb.exe
PID 536 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\erffyikmsdtfb.exe
PID 536 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Windows\SysWOW64\erffyikmsdtfb.exe
PID 4544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\wqimvavhcg.exe C:\Windows\SysWOW64\ahfklvua.exe
PID 4544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\wqimvavhcg.exe C:\Windows\SysWOW64\ahfklvua.exe
PID 4544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\wqimvavhcg.exe C:\Windows\SysWOW64\ahfklvua.exe
PID 536 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 536 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"

C:\Windows\SysWOW64\wqimvavhcg.exe

wqimvavhcg.exe

C:\Windows\SysWOW64\bihncvjnahjzbnv.exe

bihncvjnahjzbnv.exe

C:\Windows\SysWOW64\ahfklvua.exe

ahfklvua.exe

C:\Windows\SysWOW64\erffyikmsdtfb.exe

erffyikmsdtfb.exe

C:\Windows\SysWOW64\ahfklvua.exe

C:\Windows\system32\ahfklvua.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/536-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\bihncvjnahjzbnv.exe

MD5 1e3ae845563779a9f92adf2259f3175b
SHA1 c13928d7a3a6ff1d136084b5d4d4df81cf9ce83b
SHA256 c434f757c6abf53b1b751b80082d58a8a19841c9c76170a25ee8b070636cc8b5
SHA512 f33a0b90b31697cb9b84e19fd2af6718feba0a391a4a9c6bc70610c78787db480e80a6181dfd4db015bec9d8d1be44ffd90f2d1effd76ca64a92c52df3a65e9f

C:\Windows\SysWOW64\wqimvavhcg.exe

MD5 1e7054d898f195cc849573a3a301e0d3
SHA1 9a34d07f7743a2162c947da631bc6a94553c689e
SHA256 a46f76a5e12457e17c1bf1bbfaa35e166c672b8efccc51ba0a5062c4c2bdc337
SHA512 8588f7b4d81103307d5080528ebe8c414e3d556c18f902ec6c417b8c86adcd40e653cd5fd1f282c1c220de68b212e52d39f0f5597afdb9cb36a0a80a1a3a9d49

C:\Windows\SysWOW64\ahfklvua.exe

MD5 be02c5accc70e153cd596ca144bceed0
SHA1 e39335736b28312e5631afb04a21d3059348f674
SHA256 7552b428f53095ca87ffa569602e706798ebe8c921d2287f7d43bf86d20d7ce9
SHA512 e6816b59daed1af0e7a769873b787e251c0b1d5b01f6e72f838c8eae2527e2688c5a241048ffe6f94e1e8364c20029dfc7ca1faf93ba8581c12ed24c5dcb9205

C:\Windows\SysWOW64\erffyikmsdtfb.exe

MD5 54be701f5de97508d8e5a68a296f5ad1
SHA1 22b3eae4e9260a4ebe4e611a595c9097c873491f
SHA256 fc9186f2da2b447afe40360c01baf5981a409794269355113266cbd6b1d4fba0
SHA512 fc83c11dcebf4d6afb6a22a3f80b418d5f448f81562ef93872214b16b59da7b77df340b225bcff6ab5b0290a2e7c336c528c15b991c284eee5ba7db1571d915f

memory/5088-41-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-40-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-39-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-42-0x00007FFD0C810000-0x00007FFD0C820000-memory.dmp

memory/5088-38-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-37-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-43-0x00007FFD0C810000-0x00007FFD0C820000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 361ba5cdfe246f4303b0a1638e0daf43
SHA1 eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256 507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA512 81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 b34f59b18b5afb684b5c06e605dee700
SHA1 e3ed31d11ed85e07edfd5908b0df5f318a3bdd22
SHA256 dbb04c5e69792322c08dce865fb851153e249bdf4ad2e2b2f771ad469eca5860
SHA512 c150b7334453532273fbb21f128c7afc49f41e6166910326fae56ac72c0d8502d1f1895ad855fa66a7650b8bf83540a03a8696d0f976c5e6ea39bb401eb0b0d5

C:\Users\Admin\Documents\JoinMerge.doc.exe

MD5 c6d5169d73678b0c1b047bd149202154
SHA1 7ecf8922a634005dd6142e18c1748790bf35e8ca
SHA256 885bbb7d337db632e2360043f29def73a4d48be3f6f5e55f2a5cc21196ec325d
SHA512 1eac0dfb534622ba3a8ffb7ef1976a2a9481ef591fd913a838d49db6ecb2c3205839742610a6915438c170a34576b4fa0e9d482460c3efb3dc3fcd81ca4a3d82

C:\Users\Admin\Documents\RequestConfirm.doc.exe

MD5 10a27820e2d4f3e056b474100d0c7c52
SHA1 4b01991780d4282ad40ee3241c30c115b7589cfc
SHA256 a936f68534ff021dd3edec275e1e0b6075d5d91a36fa94ab753416d520d3aa1d
SHA512 97fdd0c3dd20feb59ce1514bfa209de192b17bf2883996e0cbcbda9437b5dcac3c09333cac14e9e65c80dfa388555524a5abdd70c56b3081303562e463f3a9d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7e1d9ecea49df89930f47693484d3db6
SHA1 f91de86d39e949a5a4ce13a33571a5773dd44e1e
SHA256 13fa82fb2f37961421c59b8f810d40949cb0b4384ad049a8d47c7d4d05ae7b6b
SHA512 bc5b321d5783a5ae632f08de853ce8e177cfa6c2eee48053b7eed7060fd73966b5111eab71356c9ed2cd19ae4cf3081ef44b431ae73a8c965b1224f60d909b0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 00d8b3cd5fce651eb3126ddf38bfc927
SHA1 0ae4eba1180c06d439e4614c57126a77b98a096c
SHA256 dd6a12371c623dfa374a0373eb72512d52d828021be53e13f735d4c8c6c2bc42
SHA512 5379dbcf105aead9b780b84d76fd154f06d864bcd830ef50f267173814eef7e429a0d6383e49af21aa70a46aee61d9bcb28ea94cc93279a2b86b8ad6d3d4c260

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e325ff41d7b676a975f65f5db492271d
SHA1 c39b13f4db08fd08c93ef19ecd29258e9a77b81b
SHA256 874c72474e30727d513829b8f53754a06f82ba310b0015ca25afeec2f3e89956
SHA512 bbb4674e37539e8a8cf5fe5ee5db446658f12e3f4a19b88a95a8deea5c3bdd66c74f328f85ff03f10e42caf24cecdf76780456b21262f750dec66888db68dff9

C:\Users\Admin\AppData\Local\Temp\TCD7C70.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 20ec81b3b35cc983a61148dac19b3b24
SHA1 1c94bd0708553e0bf81aee8327b5ef71cc8ad19e
SHA256 6a7f2f82e438391af54e14336ca3622b79f0442655948e3fd80a4968b94f5c60
SHA512 70e1b419f98eccb9b0278f31797208380ffeca00ff92a1ff243bde9d59d4c630776d1ac659e84053ae833ed50127c94cbabae2d0cc9bdb9f9ae2dfa9f47d15bc

memory/5088-603-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-604-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-605-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

memory/5088-602-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp