Malware Analysis Report

2025-01-06 11:51

Sample ID 240603-eaexzsaa7y
Target 906ea6d73fd1bac2633dee29220394da_JaffaCakes118
SHA256 bf932df57b55140592c613e69e27217a80c604100a28f01cf088d43d02339930
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf932df57b55140592c613e69e27217a80c604100a28f01cf088d43d02339930

Threat Level: Known bad

The file 906ea6d73fd1bac2633dee29220394da_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Executes dropped EXE

Windows security modification

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:43

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:43

Reported

2024-06-03 03:46

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\frrvuxityv.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udveofep = "frrvuxityv.exe" C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qejxbdgj = "ecoovxkfjfplopc.exe" C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tiydjfqfesvwu.exe" C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\frrvuxityv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rvlgtrxk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\frrvuxityv.exe N/A
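The registry writes in the tables above (Security Center overrides, DisableRegistryTools, the Explorer HideFileExt/ShowSuperHidden flags, the Run entries and the Winlogon SFC values) are the rows a responder would check first on a suspect host. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own `Set value (type) <path> = "<value>" <process> N/A` format, maps the kernel-style `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes to HKLM/HKU, folds away the Wow6432Node redirection, and flags the settings whose value matches what this sample wrote. The sample rows are copied from the tables above except the last one, which is constructed to show that a non-matching write is ignored; the expected-bad values, tactic labels and the note that SFCDisable = 4294967197 is 0xFFFFFF9D (a value associated with disabling Windows File Protection on pre-Vista Windows, not honoured by the Windows 7 image this ran on) are this editor's mapping, not the sandbox's.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Constructed input: indicator rows copied verbatim from the behavioral1
# tables, plus one made-up benign row (explorer.exe resetting HideFileExt
# to 0) that the assessment must leave alone.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\frrvuxityv.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\frrvuxityv.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udveofep = "frrvuxityv.exe" C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\frrvuxityv.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\explorer.exe N/A',
]

# One report row: "Set value (type) <kernel path> = "<value>" <process> N/A"
LINE_RE = re.compile(
    r'^Set value \((?P<type>int|str|data)\) '
    r'(?P<path>\\REGISTRY\\.+?) = "(?P<value>.*?)" '
    r'(?P<process>.+?) N/A$'
)

# Binaries the dropper wrote to SysWOW64 in this analysis
# (from the "Drops file in System32 directory" table).
DROPPED = {"frrvuxityv.exe", "ecoovxkfjfplopc.exe", "tiydjfqfesvwu.exe", "rvlgtrxk.exe"}

# Normalised value path (lower case, hive/SID/Wow6432Node removed)
# -> (value this sample wrote, tactic, what it achieves). Editor's mapping.
BAD_VALUES = {
    "software\\microsoft\\security center\\antivirusoverride": ("1", "evasion", "Security Center ignores AV state"),
    "software\\microsoft\\security center\\firewalloverride": ("1", "evasion", "Security Center ignores firewall state"),
    "software\\microsoft\\security center\\antivirusdisablenotify": ("1", "evasion", "AV warnings suppressed"),
    "software\\microsoft\\security center\\firewalldisablenotify": ("1", "evasion", "firewall warnings suppressed"),
    "software\\microsoft\\security center\\updatesdisablenotify": ("1", "evasion", "update warnings suppressed"),
    "software\\microsoft\\security center\\firstrundisabled": ("1", "evasion", "Security Center first-run prompt suppressed"),
    "software\\microsoft\\windows\\currentversion\\policies\\system\\disableregistrytools": ("1", "evasion", "regedit blocked for this user"),
    "software\\microsoft\\windows\\currentversion\\explorer\\advanced\\hidefileext": ("1", "evasion", "extensions hidden, so X.DOC.exe shows as X.DOC"),
    "software\\microsoft\\windows\\currentversion\\explorer\\advanced\\showsuperhidden": ("0", "evasion", "hidden/system files not shown"),
    "software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcdisable": ("4294967197", "evasion", "pre-Vista WFP disable value, ignored on Windows 7"),
    "software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcscan": ("0", "evasion", "boot-time SFC scan disabled"),
}
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run\\"


class Finding(NamedTuple):
    hive: str
    key: str        # normalised path relative to the hive
    value: str
    process: str
    tactic: str
    note: str


def normalize(path: str) -> Tuple[str, str]:
    """Map a kernel-style \\REGISTRY\\... path to (hive, relative path).

    The relative path is lower-cased and the Wow6432Node redirection folded
    away, so a setting matches whether 32- or 64-bit code wrote it."""
    m = re.match(r"\\REGISTRY\\MACHINE\\(.*)", path)
    if m:
        hive, rest = "HKLM", m.group(1)
    else:
        m = re.match(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\(.*)", path)
        if not m:
            raise ValueError(f"unrecognised registry path: {path}")
        hive, rest = "HKU\\" + m.group(1), m.group(2)
    return hive, rest.lower().replace("wow6432node\\", "")


def as_dword(value: str) -> str:
    """Show a decimal REG_DWORD as the registry stores it, plus its signed reading."""
    n = int(value) & 0xFFFFFFFF
    signed = n - (1 << 32) if n & 0x80000000 else n
    return f"0x{n:08X} (signed {signed})"


def assess(lines: Iterable[str]) -> List[Finding]:
    """Return the rows whose value matches a known-bad setting or a Run entry."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Key created"/"Key deleted" rows carry no value to judge
        hive, rel = normalize(m["path"])
        value, proc = m["value"], m["process"]
        if rel in BAD_VALUES:
            bad, tactic, note = BAD_VALUES[rel]
            if value == bad:
                if m["type"] == "int":
                    note = f"{note}; stored as {as_dword(value)}"
                findings.append(Finding(hive, rel, value, proc, tactic, note))
        elif rel.startswith(RUN_KEY):
            target = value.strip('"').rsplit("\\", 1)[-1].lower()
            note = "Run entry"
            if target in DROPPED:
                note += " pointing at a binary this sample dropped into SysWOW64"
            findings.append(Finding(hive, rel, value, proc, "persistence", note))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_LINES):
        print(f"[{f.tactic}] {f.hive}\\{f.key} = {f.value!r} by {f.process}: {f.note}")
```

On a live host the same `BAD_VALUES` table can be checked directly with `reg query` or `winreg`; the point of parsing the report format is that every later sandbox run of a related sample yields a ready-made checklist without retyping paths.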

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ecoovxkfjfplopc.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tiydjfqfesvwu.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\frrvuxityv.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ecoovxkfjfplopc.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rvlgtrxk.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tiydjfqfesvwu.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\frrvuxityv.exe N/A
File created C:\Windows\SysWOW64\frrvuxityv.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rvlgtrxk.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rvlgtrxk.exe N/A
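The table above shows rvlgtrxk.exe creating PROTTPLN.DOC.exe and PROTTPLV.DOC.exe in the Office templates folder and touching same-named .nal files beside them; combined with the HideFileExt = 1 write earlier in this report, Explorer would list those executables as PROTTPLN.DOC and PROTTPLV.DOC. The Python below is an added example, not sandbox output: it sweeps a directory tree for `<name>.<document-ext>.exe` files, checks whether each starts with an MZ header, and reports whether a `<name>.nal` sibling exists. The list of inner extensions and the sample tree it builds under a temporary directory are this editor's constructions; what the .nal files actually contain is not shown on this page, so the sweep only reports their presence.

```python
import os
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Document extensions worth sweeping for a trailing ".exe" (editor's assumption;
# the report only shows .DOC being used).
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt"}
MZ = b"MZ"


class Hit(NamedTuple):
    path: str
    inner_ext: str        # the extension the user would see with HideFileExt=1
    has_nal_sibling: bool # <name>.nal present next to it, as in this report
    is_pe: bool           # file starts with an MZ header


def sweep_double_extensions(root: str) -> List[Hit]:
    """Find <name>.<docext>.exe files under root and describe each one."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        for f in files:
            p = Path(dirpath, f)
            suffixes = [s.lower() for s in p.suffixes]
            if len(suffixes) < 2 or suffixes[-1] != ".exe" or suffixes[-2] not in DOCUMENT_EXTS:
                continue
            stem = f[: -len("".join(p.suffixes[-2:]))]   # strip ".DOC.exe"
            with open(p, "rb") as fh:
                is_pe = fh.read(2) == MZ
            hits.append(Hit(str(p), suffixes[-2], (stem + ".nal").lower() in names, is_pe))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed layout mirroring the Office14\\1033 rows above; not real samples."""
    d = Path(root, "Microsoft Office", "Office14", "1033")
    d.mkdir(parents=True, exist_ok=True)
    (d / "PROTTPLN.DOC.exe").write_bytes(MZ + b"\x90" * 62)   # fake PE stub
    (d / "PROTTPLN.nal").write_bytes(b"{\\rtf1 placeholder}")
    (d / "PROTTPLV.DOC.exe").write_bytes(MZ + b"\x90" * 62)
    (d / "PROTTPLV.nal").write_bytes(b"{\\rtf1 placeholder}")
    (d / "README.TXT").write_bytes(b"single extension, must not be flagged")
    (d / "setup.exe").write_bytes(MZ + b"\x00" * 62)           # ordinary .exe, not flagged


def demo() -> List[Hit]:
    """Build the sample tree in a temp dir, sweep it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep_double_extensions(root)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.path}: shown as *{h.inner_ext}, PE={h.is_pe}, .nal sibling={h.has_nal_sibling}")
```

Run it against `C:\Program Files (x86)` and user profile roots on a suspect host; a `.DOC.exe` with an MZ header and a `.nal` twin is the exact footprint this detonation left, and anything it flags elsewhere deserves the same treatment.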

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB1FF1D21DDD27FD0A88A7C906A" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFACEF962F196840F3A3286E93997B0FC028B4268034CE1B8459908A9" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\frrvuxityv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\frrvuxityv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\frrvuxityv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\frrvuxityv.exe N/A
N/A N/A C:\Windows\SysWOW64\frrvuxityv.exe N/A
N/A N/A C:\Windows\SysWOW64\frrvuxityv.exe N/A
N/A N/A C:\Windows\SysWOW64\frrvuxityv.exe N/A
N/A N/A C:\Windows\SysWOW64\frrvuxityv.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\rvlgtrxk.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\tiydjfqfesvwu.exe N/A
N/A N/A C:\Windows\SysWOW64\ecoovxkfjfplopc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\frrvuxityv.exe
PID 1196 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\frrvuxityv.exe
PID 1196 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\frrvuxityv.exe
PID 1196 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\frrvuxityv.exe
PID 1196 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\ecoovxkfjfplopc.exe
PID 1196 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\ecoovxkfjfplopc.exe
PID 1196 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\ecoovxkfjfplopc.exe
PID 1196 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\ecoovxkfjfplopc.exe
PID 1196 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 1196 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 1196 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 1196 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 1196 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\tiydjfqfesvwu.exe
PID 1196 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\tiydjfqfesvwu.exe
PID 1196 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\tiydjfqfesvwu.exe
PID 1196 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\tiydjfqfesvwu.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\frrvuxityv.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\frrvuxityv.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\frrvuxityv.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\frrvuxityv.exe C:\Windows\SysWOW64\rvlgtrxk.exe
PID 1196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1196 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2472 wrote to memory of 1940 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2472 wrote to memory of 1940 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2472 wrote to memory of 1940 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2472 wrote to memory of 1940 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"

C:\Windows\SysWOW64\frrvuxityv.exe

frrvuxityv.exe

C:\Windows\SysWOW64\ecoovxkfjfplopc.exe

ecoovxkfjfplopc.exe

C:\Windows\SysWOW64\rvlgtrxk.exe

rvlgtrxk.exe

C:\Windows\SysWOW64\tiydjfqfesvwu.exe

tiydjfqfesvwu.exe

C:\Windows\SysWOW64\rvlgtrxk.exe

C:\Windows\system32\rvlgtrxk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1196-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ecoovxkfjfplopc.exe

MD5 d0d501c43973eb4384ba48c20994d12e
SHA1 715d54d56e0b42527e01e57f6a6155af198d62b5
SHA256 538fb500940f2493217afe55786c320e9c24150c378da24b69599abb46f4757c
SHA512 d24217f2115cdf867160e5a3fd102a082073b493e4132108c14f6f3c0575e014084ea76bad7976a706aa6444bac964dc76a62e89bd3222b5d95464d817b4d121

\Windows\SysWOW64\frrvuxityv.exe

MD5 27fc4abc1d836699d2ae648265eee3f9
SHA1 231ad86b06b8819f7f06f099e8a6f10bb97276fb
SHA256 6d4bb441d0bcfdfb9177cc47462e77ef01e94cbbda2923e30bb284062af11b02
SHA512 538fee9e1abbd7921ee5741cfe4aa9a3e86074e549e80340915b7b09bc4181a3a7295f850d2f1e8e948aad9c87610cdec85af12b26025d3041e7c984414bafa1

\Windows\SysWOW64\rvlgtrxk.exe

MD5 32c46c3fb393940e62ded8e72193417d
SHA1 1edf467747e106adeb8e09727550dd163f18fb69
SHA256 39779b228c3b84cde1ce83fab4da5b5b4706739da7f89adb22c33d2bf03b7d94
SHA512 0b921c431b1391a78f0390eb970b3bf4b4188489aac2f8f34122a9e641225a9ab03c141847a461cc576a76491654637f76afe105eac1da0ce472c354ba3d49a5

\Windows\SysWOW64\tiydjfqfesvwu.exe

MD5 21126303e237846a5855ae2765cb31b0
SHA1 ee02e9ac935ab7ee315792ba4467fc45c486bf85
SHA256 e3d7b399d89add7da1980a0205b7b9cef5eb9e55966548f2ee5055966b17121d
SHA512 206ff8ca3de26dddabf395defeeda653352c9a4ac6a673dd4afc260410c4c477e3ce4a7e66577c6fae200c13b3ea9bbe3793234ea3087bd6bd09f63bec59f972

memory/2472-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 9f8587c7ef089dce7c84018c0dab69d5
SHA1 41c92e112df09059266dc7d42e1018cef3d95471
SHA256 3f7b790ac12614d867bc912075120ac0daf3efb3deb863078cded60cc30d9d0e
SHA512 fd4efe75b5e4d0d69c7fcb4c4c9989eb4f50209d9670ee332f8e874988b5f0f31081ecef24f31907745c0777d3982e6dbb75e57fe009b62b615e9e30400bf4b6

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ede6dba31e0f6a505702d93da316b232
SHA1 ecd071a2179894a8e05e915fb941b5aeb9215f9b
SHA256 38d04532db95e5eb44dcc97d200249df4f2a100a5f4f1fc409a6d3a762d3fa36
SHA512 fbe66d95c4ae45f6268feb6a50fb2d486906a094c9d93eed0f1688805b3521ebc3e9285f25bc530973db13037991e4ce162ed699ad692a4ab0d381a7d2c7ba64

memory/2472-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:43

Reported

2024-06-03 03:46

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hpwpfbzd = "oxjqcvcbrp.exe" C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gteypjqp = "kdzhrugxwgsmosq.exe" C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qnpyvoffmvdao.exe" C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bbhhwofs.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Windows\SysWOW64\oxjqcvcbrp.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bbhhwofs.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bbhhwofs.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
File opened for modification C:\Windows\SysWOW64\qnpyvoffmvdao.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created C:\Windows\SysWOW64\oxjqcvcbrp.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qnpyvoffmvdao.exe C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bbhhwofs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bbhhwofs.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372D0B9C2382276A3F77D670252CDC7CF565D9" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFAB0FE67F191840B3A44869C3E99B38802884212034FE1B8459C09D2" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF894F5B82189045D7287D93BD92E14458416743633FD79B" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC77515E7DBB2B9BB7C97EC9F37C9" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B5FF1A22D8D209D0D38B089111" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12847E639EA52C9BADD3293D4C5" C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbhhwofs.exe N/A
N/A N/A C:\Windows\SysWOW64\oxjqcvcbrp.exe N/A
N/A N/A C:\Windows\SysWOW64\qnpyvoffmvdao.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 664 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\oxjqcvcbrp.exe
PID 664 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe
PID 664 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\bbhhwofs.exe
PID 664 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Windows\SysWOW64\qnpyvoffmvdao.exe
PID 664 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2400 wrote to memory of 2788 N/A C:\Windows\SysWOW64\oxjqcvcbrp.exe C:\Windows\SysWOW64\bbhhwofs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"

C:\Windows\SysWOW64\oxjqcvcbrp.exe

oxjqcvcbrp.exe

C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe

kdzhrugxwgsmosq.exe

C:\Windows\SysWOW64\bbhhwofs.exe

bbhhwofs.exe

C:\Windows\SysWOW64\qnpyvoffmvdao.exe

qnpyvoffmvdao.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\bbhhwofs.exe

C:\Windows\system32\bbhhwofs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/664-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe

MD5 a1398bdaa42d613d56d225fa4dee4497
SHA1 07953157b1a267b8f5809021a2b3998c820fcdaa
SHA256 c69a4e1f2f165c9dbdc08f1b8365af5ad8e3d89cb75f2497bc722882cea87bc9
SHA512 d1c75f844607d0ee09046dec5a6f4eb8a49e0a775e1f545f3c25524e0bf2995391b4d720ad9faae2ef3d38240128e99a337130b585cdf8c6225e28aa84c5c3d0

C:\Windows\SysWOW64\oxjqcvcbrp.exe

MD5 d6834389b66feafc9b5886f8e1e654c4
SHA1 05049e72eba176f4824218545508e1771d87adc4
SHA256 0189923802fb02cc63796aa185aee09a9a91417760f0e68c348d7e5bb5a0bdfe
SHA512 7a30bf0ea9768e837bfb000375c5fcfb05c6d19e5a4984327c6ac8b3a8de026ffe8dd9c7c6decc536c19e6f322bbdc0bd26eb2bd850fbdee5f36128fefc2e5f9

C:\Windows\SysWOW64\bbhhwofs.exe

MD5 780262bb760c6173829216141acc4a4e
SHA1 50b43ab6cf449c60f9cb3846e4116aa82f982cf7
SHA256 051fcc6c6dd7d1bb0b3e855d4db344b624873ccb8d4ecbee8f71e4319d86f63a
SHA512 4ce38ff6b357f001c93ebb5172ff85a2d4d750df51bb74554857551495f1f1d3f1bddcdfe929d496f8d2e3663d8e4bb1756bfc000b298bd6b9e79db8a1d86cc4

C:\Windows\SysWOW64\qnpyvoffmvdao.exe

MD5 6a5d7fdbc9533e7287cece6edec59bcb
SHA1 9dc87334d42b9b30bb035b10e0783a6f0436f059
SHA256 a4e1f06cb16ffa11dc3fa2f7386021823a250332d6c5535bc4037668b1118dc5
SHA512 60210309a7e50d790124bc93a0dd6f384f3e182a145babe67f2aae4e3695d62bf7a2ab4d437965ac44b96a0665eee827afa7ac399c0907449f394270a1ca2a79

memory/3672-35-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-37-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-36-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-38-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-39-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-40-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

memory/3672-41-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 602dad6ee0e60cde6698692534ef100b
SHA1 c3e20be4cf62746964ff865964f4f354d412bfac
SHA256 596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598
SHA512 bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 24946094646d3492abe4cc83d9e677cb
SHA1 dafc968f7f7aef1719ddf09bad11c3f7f2e62a6b
SHA256 2e9a7761924afbc7b6cdb68f44eed4fe7aa3df4f71098533bbedbc1c288cdd7d
SHA512 b5429d19ee9fdddd9da82a01aaeae80936530cba29d2b1136da473b7201ecdd31bedc4d06303ddcbe0142e9746fc38e0dbfecbc42e54f9713c40e20e4a08c426

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 83b83a32f84482bb14ca517afef7ceff
SHA1 10fc7a6f0df9dc15b858087455ab9c62fc19a82e
SHA256 ed3521f4f7f8a71d144387cc45d4481231717b88dc30573443a2743cd33c6361
SHA512 37baa795c948e4ea397f77a396d4c0844531dc0cb61d4cc652a039d669a496d1311c222a24a59628b5a6f222dd8d31f8c2049fcbcbea88e9dfa742981912019d

C:\Users\Admin\Desktop\RepairReceive.doc.exe

MD5 03c2d8c137313e05bc86bdf3123de41f
SHA1 8e1ec6bd1ffbba40a2f2bba199aeedb94b4486a1
SHA256 5195357b326b3d259b4f038a16ab1db4bb95f969f8037524c3798bd182c11b27
SHA512 378ca42a4ed4c55a7c85bc8ef2238f6902487538546a2c7a279ffbc7387fa772d8f7ae6847b86805daa95d03b7830637e30debd35ecca6a40f2295587fbb41cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ebf523115d010091cf000962f60d1b10
SHA1 c17e3e505f6e4c202fa9861ec4192a04bfef81a8
SHA256 23c60f3c7d3760669fdc7a6a403978ba4f5785ee9893cfec3c2550129e62ee06
SHA512 711f191bb5a50011774403861ff3f7cc3b831fd7540c341a05569405bfd04fba2ead21873627a360cd6e30faf50a10d0fa2e3b0513f8a9b27ef58bd83339bb17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 44867d23fff38ed63b1ed9d00210b563
SHA1 9e567eef68b9719645d96a7b3e1881503044b504
SHA256 824616f45cfeb8712d593c0ed7a77884e7c8ff9d2886a5c3438ab3224da16cf6
SHA512 5e4ae9cb82825846ea775d5179c32b80778552222d9a468fd2c0201f06810601f4e8b9375fd32a041a0d3d43b2c20e35cbc6680df56cf654ad6fda35778628da

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 7b674dc9f5b6140d2976042f5ed991ab
SHA1 eb928caa02c9ca8736e7476ed095d56f2d0f5fb1
SHA256 a62c1c9b2daeb4a14ab116bc6446be8b409aca3c3160b52943584fc38a8d7063
SHA512 f07cc56c783e2db3b429736a795fbceea24a053437bd0c09063f42477c2c5acebcc8144f128d352fb5986f9709fbabbd06c6147260ebfa8b20aa36286962bfff

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 50ff6d9b1fc4a3d3abf2abbcc0d2f41e
SHA1 2a5ebaf75e9f0fb8729ac8d186e3311704319231
SHA256 8115f24131d7abd1ceedac6ffe2dd92b30ef7a5520e08814e89acecc5394f8d7
SHA512 3b6e78dac92bc39ead26ba10b9565fbab65afd36878f6c587d70cb5b2932b724c5ea2f56f36fe5e25bd5661aee8016a72aa267eaf492f398eb8c3d47fe3504fc

C:\Users\Admin\AppData\Local\Temp\TCD7CBF.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3672-604-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-603-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-602-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

memory/3672-601-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp