Malware Analysis Report

2024-11-30 04:14

Sample ID 240612-3wm3gszbqj
Target a30314302457d8c62b1a1e3bb102d350_JaffaCakes118
SHA256 6a3b945c8915c0db9b3aaefab1e5315c3541fa14f14c9f8efcb357bcd656265b
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a3b945c8915c0db9b3aaefab1e5315c3541fa14f14c9f8efcb357bcd656265b

Threat Level: Known bad

The file a30314302457d8c62b1a1e3bb102d350_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Windows security modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:51

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:51

Reported

2024-06-12 23:54

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\egbunkzryg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\egbunkzryg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jsyovwmh = "egbunkzryg.exe" C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wutunudl = "owwmpzlcqodzdgw.exe" C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vsuvetzczfeie.exe" C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\egbunkzryg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tmscbkzm.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\egbunkzryg.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tmscbkzm.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vsuvetzczfeie.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\egbunkzryg.exe N/A
File created C:\Windows\SysWOW64\egbunkzryg.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\egbunkzryg.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tmscbkzm.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vsuvetzczfeie.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\tmscbkzm.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\tmscbkzm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmscbkzm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\egbunkzryg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\egbunkzryg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C7F9C5282236A3276A277552DDC7C8764DE" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9CAFE6AF19484093A4B86973992B38E02FB43130233E1CA42E709D4" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\egbunkzryg.exe N/A
N/A N/A C:\Windows\SysWOW64\egbunkzryg.exe N/A
N/A N/A C:\Windows\SysWOW64\egbunkzryg.exe N/A
N/A N/A C:\Windows\SysWOW64\egbunkzryg.exe N/A
N/A N/A C:\Windows\SysWOW64\egbunkzryg.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\tmscbkzm.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\vsuvetzczfeie.exe N/A
N/A N/A C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\egbunkzryg.exe
PID 2016 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\egbunkzryg.exe
PID 2016 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\egbunkzryg.exe
PID 2016 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\egbunkzryg.exe
PID 2016 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe
PID 2016 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe
PID 2016 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe
PID 2016 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe
PID 2016 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2016 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2016 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2016 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2016 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\vsuvetzczfeie.exe
PID 2016 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\vsuvetzczfeie.exe
PID 2016 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\vsuvetzczfeie.exe
PID 2016 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\vsuvetzczfeie.exe
PID 2092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\egbunkzryg.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\egbunkzryg.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\egbunkzryg.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\egbunkzryg.exe C:\Windows\SysWOW64\tmscbkzm.exe
PID 2016 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2016 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2016 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2016 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2616 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2616 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2616 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2616 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe"

C:\Windows\SysWOW64\egbunkzryg.exe

egbunkzryg.exe

C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe

owwmpzlcqodzdgw.exe

C:\Windows\SysWOW64\tmscbkzm.exe

tmscbkzm.exe

C:\Windows\SysWOW64\vsuvetzczfeie.exe

vsuvetzczfeie.exe

C:\Windows\SysWOW64\tmscbkzm.exe

C:\Windows\system32\tmscbkzm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2016-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe

MD5 2be9dee5bcc3d5fc31657edfd1ac470f
SHA1 f79a34a1595e3ef9df4d8f2bcf3d2295d15e24b5
SHA256 888341fc8a0ad5b1c38be7ddf57e99adc1a0d0f647bd15fef121facca6ca8e30
SHA512 e4d1a472f5522f0cd62c4817833640a3723c531f040184f9b9835763f8710831d5a6ce39b167c90b45fbaeda399aaeafb2a8a27b0827d8f2d48d0790f229d0c3

\Windows\SysWOW64\egbunkzryg.exe

MD5 323c39b80a991c62bd03e2f0a82b1f0e
SHA1 128ff89bce1c27636c79ddb2239798713c5954b7
SHA256 adb7586678ef5e60aa2b2a34158fd4338670cea144c62b175dabf6b997ebb46c
SHA512 f572ce2629689e1b87dd129457390373b1c4a96046d5a286f3fbefcefb6ed9b3b56437a195cf8b2eb9b7f2441b1adc031d63772dd9a2623872ca0d0e7008a748

\Windows\SysWOW64\vsuvetzczfeie.exe

MD5 a1c5876088ff7961b4f706e61074f8df
SHA1 948cec4dda7ad1d4a00ed02d5061e2c11a8e5792
SHA256 055a573f54094a5f6ffb310d99769db7d2f247d3ecd913a93e13b7fe638a642c
SHA512 c41b487d5f5c6d1fb0bbee2ba1e0cf637f2ad8570e0b850b8921149f78eb938014589f285591fed6b492dbe8440a2adfbe1422a9ca93bb3bdd7702a47aa189bd

\Windows\SysWOW64\tmscbkzm.exe

MD5 5c7edf84416946ac3f93f34ecd0bbb5c
SHA1 cf3d7093ad829cfe48999a22e27a8dc0d31a5557
SHA256 3937e58106f3920c503274c108d60f4c9ea4e24b3c3ce10e68aff67cfbdd71df
SHA512 1af1f9c6065b5095c80bdd6dbd9ba483779733d21615309c825c8561f9d6ced110a0d6e5fea063765dd72997733662ec715adcf166b8f77b32594d8ee148207a

memory/2616-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 471bbedfc346f3dae42c4abb4bb2861b
SHA1 b2203bbb9fe7b4b8894b26fb7aa340073ee76b33
SHA256 79172e846d6ef958aa0af9d5f32ebf46bf35b089e63eedb9ae809ca743239518
SHA512 02bac8b1353233749fd94b9bdbc070a64ce24b2ed13a7588c6945c35b578e297ea5f4f8eb58925c28b054f98450e39c492c765ddc7a3f9b203e83f9076a94009

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 45e80dbd6bab1596bd0ff3730b929871
SHA1 c60567f8dacb04bd188ae18b2fecaa67dee86df2
SHA256 26cc4510600e67da37427dfda2196f3a4a54cb6d578d25fdb0de9bf450a014b1
SHA512 bb61f656d0b3643241bcbd4f9a036a03eec99722781074d17cbaed409361062e57512c6021049391406eb9479f1ba755f063c2798dcc7b06ff8e7e0d43a2cc00

C:\Users\Admin\AppData\Roaming\EnterWatch.doc.exe

MD5 dc86af49c0d20a47031260fa49bd163a
SHA1 07b9e3d2e92c33c3a92145d679f45da41cf077de
SHA256 ae86f68adb4bf7c4237934a4cb3ca10104302a71a5762d64a2b2c3f70d1092c2
SHA512 aac3a32e6e16d21dc4336d667749b797f57fe3601dc9eaa26dab9d2f50a40f2a1db66ea153ad77b063d3136d6c817cce9eef4da7647661a38c02e70da348cbf3

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 0a9249f9f51b68c3f327793ab1f292dd
SHA1 ceef2fa0f632556db3b73f4dd626f3314e4eb7f0
SHA256 8b9eeeec37c7cc7dcad935873b7d3b78523007a4e98ee75ab095eaf2ed447db1
SHA512 d35645eb0dbfc73b972a78c263654840424e27850cdd205384da42dd06213b88e14ab06c0f27f4570a1f31e8a4c05db24e0a8716ab51eed53991f13c3ce07560

memory/2616-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:51

Reported

2024-06-12 23:54

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\tvgqidvgha.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tvgqidvgha.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozeqhmwc = "tvgqidvgha.exe" C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mrfafrja = "oirhpgpvfjrzhsz.exe" C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pxlvcuxiyewhd.exe" C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bkueggjw.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\tvgqidvgha.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created C:\Windows\SysWOW64\tvgqidvgha.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bkueggjw.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bkueggjw.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pxlvcuxiyewhd.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Windows\SysWOW64\tvgqidvgha.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pxlvcuxiyewhd.exe C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\tvgqidvgha.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bkueggjw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bkueggjw.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7E9C5582276A3576D477202CD97D8664D8" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFC8F482C82689142D65B7E9DBDE4E640594266406336D790" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFABDFE16F19184093B46819B3E97B08902FE42110233E1BD459C09A0" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768C6FE1822D9D278D0A38B7E9110" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70815E4DAC5B8B97FE6ED9434C8" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B1214492399853C9BAD5329FD4BE" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\tvgqidvgha.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\pxlvcuxiyewhd.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A
N/A N/A C:\Windows\SysWOW64\bkueggjw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tvgqidvgha.exe
PID 3996 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tvgqidvgha.exe
PID 3996 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tvgqidvgha.exe
PID 3996 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
PID 3996 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
PID 3996 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
PID 3996 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 3996 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 3996 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 3996 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
PID 3996 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
PID 3996 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
PID 3996 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3996 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2900 wrote to memory of 3076 N/A C:\Windows\SysWOW64\tvgqidvgha.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 2900 wrote to memory of 3076 N/A C:\Windows\SysWOW64\tvgqidvgha.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 2900 wrote to memory of 3076 N/A C:\Windows\SysWOW64\tvgqidvgha.exe C:\Windows\SysWOW64\bkueggjw.exe
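The two tables that carry the most signal in this detonation are the "Modifies registry class" rows (the default ProgID of .vbs, .bat, .reg, .wsc, .wsf and .wsh under HKLM\SOFTWARE\Classes is rewritten to "txtfile", so those script types open in the text-file handler instead of executing, which blocks cleanup scripts and .reg fixes) and the "Suspicious use of WriteProcessMemory" rows, which repeat each parent-to-child pair several times and are easier to read as a tree. The script below is an added example, not part of the sandbox report or its tooling: it parses rows copied verbatim from those two tables, lists each extension whose handler differs from the stock Windows ProgID (the STOCK_PROGID table is the example's own statement of the clean defaults), and collapses the memory-write rows into a parent -> child tree with per-edge event counts. Reading the parent-to-child writes as process launches is an assumption; it is consistent with the Processes list that follows, but the report does not say so itself. Only a subset of the registry rows is embedded to keep the block short; the parser handles the full table, including keys with spaces such as "Local Settings".

```python
# Added example (not from the sandbox report): turn the flattened
# "Modifies registry class" and "Suspicious use of WriteProcessMemory"
# rows into (1) a list of script-extension handler rewrites and
# (2) a de-duplicated parent -> child process tree. Input rows are copied
# from the report; nothing here touches a live registry or process list.
import re

# Subset of rows copied verbatim from the "Modifies registry class" table.
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7E9C5582276A3576D477202CD97D8664D8" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768C6FE1822D9D278D0A38B7E9110" C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\tvgqidvgha.exe N/A
"""

# All rows copied verbatim from the "Suspicious use of WriteProcessMemory" table.
WPM_ROWS = r"""
PID 3996 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tvgqidvgha.exe
PID 3996 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tvgqidvgha.exe
PID 3996 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\tvgqidvgha.exe
PID 3996 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
PID 3996 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
PID 3996 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
PID 3996 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 3996 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 3996 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 3996 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
PID 3996 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
PID 3996 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
PID 3996 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3996 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2900 wrote to memory of 3076 N/A C:\Windows\SysWOW64\tvgqidvgha.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 2900 wrote to memory of 3076 N/A C:\Windows\SysWOW64\tvgqidvgha.exe C:\Windows\SysWOW64\bkueggjw.exe
PID 2900 wrote to memory of 3076 N/A C:\Windows\SysWOW64\tvgqidvgha.exe C:\Windows\SysWOW64\bkueggjw.exe
"""

# Process paths start with a drive letter, so " X:\" is the only safe column
# boundary in these flattened rows (keys and paths may both contain spaces).
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*?)" ([A-Za-z]:\\.+?) N/A$')
CREATE_RE = re.compile(r'^Key created (.+?) ([A-Za-z]:\\.+?) N/A$')
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$')

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes"
# Stock Windows ProgIDs for these extensions (example's own table of clean defaults).
STOCK_PROGID = {".bat": "batfile", ".reg": "regfile", ".vbs": "VBSFile",
                ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


def parse_registry(rows):
    """Return (op, key, value_name, data, process) tuples; a key ending in '\\' is the (Default) value."""
    out = []
    for line in rows.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _kind, key, data, proc = m.groups()
            if key.endswith("\\"):
                out.append(("set", key[:-1], "(Default)", data, proc))
            else:
                parent, _, name = key.rpartition("\\")
                out.append(("set", parent, name, data, proc))
            continue
        m = CREATE_RE.match(line)
        if m:
            key, proc = m.groups()
            out.append(("create", key, None, None, proc))
    return out


def script_extension_hijacks(rows):
    """{ext: (observed ProgID, writing process)} for file-class defaults rewritten under HKLM\\SOFTWARE\\Classes."""
    hits = {}
    for op, key, name, data, proc in parse_registry(rows):
        parent, _, leaf = key.rpartition("\\")
        if (op == "set" and name == "(Default)" and leaf.startswith(".")
                and parent.casefold() == CLASSES.casefold()):
            hits[leaf.lower()] = (data, proc)
    return hits


def hijack_findings(rows):
    """(ext, observed, expected, process) for every extension whose handler differs from the stock ProgID."""
    return [(ext, seen, STOCK_PROGID.get(ext, "?"), proc)
            for ext, (seen, proc) in script_extension_hijacks(rows).items()
            if seen.casefold() != STOCK_PROGID.get(ext, "").casefold()]


def process_tree(rows):
    """Collapse repeated rows into names {pid: image} and children {ppid: [(cpid, write_count), ...]}."""
    names, edges = {}, {}
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        names.setdefault(ppid, m.group(3))
        names.setdefault(cpid, m.group(4))
        edges[(ppid, cpid)] = edges.get((ppid, cpid), 0) + 1
    children = {}
    for (p, c), n in edges.items():  # dict keeps first-seen order, so the tree follows report order
        children.setdefault(p, []).append((c, n))
    return names, children


def roots(names, children):
    """PIDs that never appear as a child: the top of each tree."""
    kids = {c for lst in children.values() for c, _ in lst}
    return [pid for pid in names if pid not in kids]


def render_tree(names, children, pid, depth=0, writes=None):
    base = names[pid].rsplit("\\", 1)[-1]
    tag = "" if writes is None else f"  ({writes} write events from parent)"
    lines = [f"{'  ' * depth}{pid} {base}{tag}"]
    for c, n in children.get(pid, []):
        lines.extend(render_tree(names, children, c, depth + 1, n))
    return lines


if __name__ == "__main__":
    for ext, seen, expected, proc in hijack_findings(REGISTRY_ROWS):
        print(f"{ext:5} -> {seen!r} (stock: {expected}) set by {proc}")
    names, children = process_tree(WPM_ROWS)
    for root in roots(names, children):
        print("\n".join(render_tree(names, children, root)))
```

Running it prints six handler rewrites, all to "txtfile" and all from tvgqidvgha.exe, and a single tree rooted at PID 3996 with five children and one grandchild (3076 bkueggjw.exe under 2900 tvgqidvgha.exe). On a live host the same check is a comparison of the (Default) value of each HKLM\SOFTWARE\Classes\.ext key against the stock ProgID; restoring the ProgID is only worthwhile after the dropped SysWOW64 binaries are gone, since the writer re-applies it.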

Processes

C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe"

C:\Windows\SysWOW64\tvgqidvgha.exe

tvgqidvgha.exe

C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe

oirhpgpvfjrzhsz.exe

C:\Windows\SysWOW64\bkueggjw.exe

bkueggjw.exe

C:\Windows\SysWOW64\pxlvcuxiyewhd.exe

pxlvcuxiyewhd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\bkueggjw.exe

C:\Windows\system32\bkueggjw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 88.221.83.210:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
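The Network table mixes three things that need separating before it says anything: reverse (PTR) lookups of peer addresses, forward DNS queries, and the TCP flows themselves, with the flows to binaries.templates.cdn.office.net repeated dozens of times. The script below is an added example, not part of the report or its tooling: it parses rows copied verbatim from the table (a subset, with a few of the repeated rows kept so the de-duplication is visible), converts each in-addr.arpa name back to the address it asks about, counts flows per destination, and flags any domain outside a small allowlist. That allowlist (bing.com and cdn.office.net as expected Word background traffic) is the example's own assumption for this run, not a statement from the report. It also reports reverse lookups whose address never appears as a flow destination, which is the case that deserves a look at the raw capture.

```python
# Added example (not from the sandbox report): de-duplicate and classify the
# flattened "Country Destination Domain Proto" rows so the first triage
# question ("did anything talk to something other than DNS/Office/Bing?")
# can be answered from the table rather than by eye.
from collections import Counter

# Subset of rows copied verbatim from the Network table above.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 88.221.83.210:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 2.22.144.14:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.144.22.2.in-addr.arpa udp
"""

# Assumption for this example only: hostnames treated as expected Office/Bing
# background traffic in this run. Tune per environment.
EXPECTED_SUFFIXES = ("bing.com", "cdn.office.net")
RESOLVER_IP = "8.8.8.8"


def parse_network(text):
    """Split each 4-column row into a dict; every column here is space-free."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'73.159.190.20.in-addr.arpa' -> '20.190.159.73' (PTR names list the octets reversed)."""
    octets = name[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def is_expected(domain):
    return any(domain == s or domain.endswith("." + s) for s in EXPECTED_SUFFIXES)


def triage(text):
    """Separate PTR lookups, forward DNS queries and flows; flag domains outside the allowlist."""
    ptr, queried, flows, unexpected = [], [], Counter(), []
    for r in parse_network(text):
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            ptr.append(ptr_to_ip(d))  # reverse lookups: the sandbox/host naming its peers
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            queried.append(d)  # forward lookups, including ones that never became a flow
        else:
            flows[(r["ip"], r["port"], d)] += 1
        if not is_expected(d):
            unexpected.append((d, r["ip"], r["port"], r["proto"]))
    return {"ptr_lookups": ptr, "dns_queries": queried,
            "flows": dict(flows), "unexpected": unexpected}


def orphan_ptr(result):
    """Reverse-looked-up addresses that are neither the resolver nor a destination of any captured flow."""
    seen = {ip for ip, _, _ in result["flows"]}
    seen.add(RESOLVER_IP)
    return [ip for ip in result["ptr_lookups"] if ip not in seen]


if __name__ == "__main__":
    res = triage(NETWORK_ROWS)
    for (ip, port, domain), n in res["flows"].items():
        print(f"{n:3} x {ip}:{port} {domain}")
    print("unexpected:", res["unexpected"] or "none in this table")
    print("PTR targets with no captured flow:", orphan_ptr(res))
```

For the rows above the flows collapse to four destinations and nothing falls outside the allowlist, so this detonation shows no command-and-control traffic in the table; that is a negative result for one timed run, not evidence that the sample has no network component. The reverse lookups with no matching flow (20.190.159.73 in this subset, and several more in the full table) point at peers the table does not itemise, so the packet capture, not this table, is the place to confirm what was sent to them.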

Files

memory/3996-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe

MD5 ad7d150adeac7feca9e1eba563266a1b
SHA1 f5c779c34c0abb8ad97b07c501af33e3e5ebd66d
SHA256 c8bf72fb5f687fa7ccd1caab1d686ed00dd07d49516f9597ab717399e34f5c6d
SHA512 c0e98fab17deee8984f62e592cdf4974ccdb138211ab25cec1c149b2e050fd07c4b9f52c1722ff25c3c7edc734d1bb42d5ce7acd6ce84ceaef00111d6f554413

C:\Windows\SysWOW64\tvgqidvgha.exe

MD5 e0c6eda7448c915adea60cb294d69c5c
SHA1 d1198e5543d18c2be168306f6f1e94c1d048d381
SHA256 b7d48ea5e83d587f35b96e23f0801620e7f8b5f76740836018e31464804eb7f0
SHA512 9d1a534e21eb467b1e4a21d2bcc7380a4c4accf1aea9112a7783aa01f118ba1915fba3551a2a6a83c76d1955b4d8fbae37a0501185d06d347c3de2bfebbde400

C:\Windows\SysWOW64\bkueggjw.exe

MD5 a635b0094f9760a49c0ab26686bf6aa8
SHA1 61b846e504741e2efc60c90783bc6c8e1363580a
SHA256 676f504d41c26957bd6166ca346f74aab2ac94285e24d8e6361bf14aa34d8a9a
SHA512 8deb9f3d0d1b83ebd69f153c0528fc474ab5494ab622d617048c0532fd3c37a352695d73ee4bb80b195f74cbc53ade7d660a0ce1bbb445a725d003dff7c562cb

C:\Windows\SysWOW64\pxlvcuxiyewhd.exe

MD5 7398bf3079170683873421ee9e425c5a
SHA1 6e76d8744f8ddf3ab6dea9457676142909e07714
SHA256 8295ab54495611a3c6c06e52161f61d01a648850aa2e2d4d3ccf70ba886fc237
SHA512 b703fa84181763b293ffb04c7378b0d9031b227a1eef617d1d715a75546fa77732af8891a9f6b016976ed520c3be6e36e808b08722e3b8e7d0b6da031c05bdc1

memory/3192-35-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-37-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-36-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-38-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-39-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-40-0x00007FFB197D0000-0x00007FFB197E0000-memory.dmp

memory/3192-41-0x00007FFB197D0000-0x00007FFB197E0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 1b529425a37b1334b8b33ebd890269a4
SHA1 84768e6475b45e3431d5dd62968dde9b92bcb799
SHA256 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
SHA512 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 608a860f3516817774bb1cca9546c5a0
SHA1 a60e97d237e2944cf476cbaff585ac06a2f8a5a6
SHA256 21fa3fd3fa83ebacdfaec741e3ff2cae1fce1bc71128fa3ab03faef2c4a7a0f6
SHA512 f1d47e54585823a425327e3c637eefb724224817c45dff65c4c93441c32c8e0b6af3db350b4f432cbc1721fc230d9184a99305c3483d0652c365fce3a58dc6e9

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 341c0888f9f8c73ea176273320721b3d
SHA1 1f5bffa32ea268dcf1f0d436c43d661974f1ae0f
SHA256 6857807703999e1960990248be1dbf9925b06b75955b95d81d1740da13219a20
SHA512 bece41bcf94421fe40e604aaef123898a3a21f8ee3aabc775ad80a09fc95831206e1c3a17b4b5af1ac75ad425dd5417a0511c559ee9dab3271d044e17d34aef1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 5bdcc53f85a8777aa054b2f9159035ae
SHA1 ea8f454bce486d7189b7304306d63a07fad58f6b
SHA256 23df8e3803e4f0b52ab520b83943fb94c13fa6f2d7790b7631f795a56735bd2b
SHA512 0e286479b2a12ee2681588483fe5cd1090013a6c7711c0faff127102e73faf3275ecfcbe8c06ffe35b7d5411165fbb2b6fe3b4cc426d906d7c7cb82249e545ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 be3260ef8b35b4d3f3a824bfcd84411b
SHA1 870b64870812295ae2cc15288c25cdea4f2b91f9
SHA256 f3a1411d2cc0bc61209b7ffb82005d21e6cff39142c1f5287497f88cf1d6c4b2
SHA512 83eba4907371cf1f68417d5335efa9577c556aa1aad33bcb68e01f419a37ed599b9cce60ecf7970ef2803cc5a663b8782b2e48c539659b9a17cb89bcaad6970e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d5cfcb719d66e0f607a13dc6f5e23787
SHA1 2bd2c88273c8a9381987b41fe44ff4aa51dc6ff2
SHA256 140a3215532ddabd3bb9e051a9febfc6be34bcf0f939607e5fc091fb9747813f
SHA512 f0a7d99044f1d69f4b8c15211080a16c11dff069ecb2b1891c2e3726b7ff484c45c192502f7c84f0842a267607bb77a87dc79b5ebc139588b64138cb820e79e0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 a97422f97994dc29e406bc7d35396f38
SHA1 e43a5920751453dc214c35e66f17dcca9952acb1
SHA256 14ea66e0281acc2136d924fa0cccb523bcb1bcac31487e015f3115fd06c14b0c
SHA512 a8f073e3fc6cb9ae2132868027fcb56796570334a2699d998d4aeb6c5f4b82da4450539d173e08e6c21bc57b8d0ce07fdaf1272466abe2d6563967a9ae734425

memory/3192-591-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-592-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-590-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp

memory/3192-593-0x00007FFB1BB30000-0x00007FFB1BB40000-memory.dmp