Malware Analysis Report

2024-11-30 04:14

Sample ID 240612-3yh7bazcnk
Target a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118
SHA256 3b6df89f59c1adcef354652073d26161b41c47df8af04d3e71a82e7c2dd35253
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b6df89f59c1adcef354652073d26161b41c47df8af04d3e71a82e7c2dd35253

Threat Level: Known bad

The file a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Windows security modification

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:55

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:55

Reported

2024-06-12 23:57

Platform

win7-20240220-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\qliwrpoecp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\trijqivo = "qliwrpoecp.exe" C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yodgagir = "orbcxhpbyouhoad.exe" C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vxphzpqdinbuw.exe" C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gjilibco.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gjilibco.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\qliwrpoecp.exe N/A
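The rows in the Explorer, Security Center, Policies, Run and Winlogon tables above are the same value-set events a host sensor (Sysmon Event ID 13, EDR registry telemetry) records, so they translate directly into detection logic. The script below is an added example and is not part of the sandbox report or its own signature engine: it parses rows in the report's "Set value" format, normalises the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths (dropping Wow6432Node so 32-bit and 64-bit writers match the same rule), and applies the editor's own rules for the tampering seen here. The input rows are copied from the tables above, plus one benign WINWORD.EXE row to show it is not flagged; rule titles and tags are the editor's. One caveat the rules encode: the Run values are bare file names ("qliwrpoecp.exe"), resolved through the search path at logon rather than a full path, and SFCDisable = 4294967197 is 0xFFFFFF9D, the legacy Windows File Protection "disable" value that Windows Resource Protection on Vista and later ignores; the write itself is still a strong tampering signal.

```python
"""Flag the registry tampering recorded in this report from sandbox "Set value" rows.

Added example (editor's code, not the sandbox's detection logic). The rows in
REPORT_ROWS are copied from the report tables; the rules encode the Explorer,
Security Center, Policies, Run and Winlogon patterns seen there.
"""
import re
from dataclasses import dataclass

# One sandbox table row: Set value (type) <key\name> = "<data>" <process> N/A
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+?) N/A$')

# Security Center values that silence AV/firewall/update warnings when set to 1.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
    "antivirusoverride", "firewalloverride", "firstrundisabled",
}

# Constructed input: rows copied from the report, plus one benign WINWORD.EXE row.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\qliwrpoecp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\qliwrpoecp.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\trijqivo = "qliwrpoecp.exe" C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vxphzpqdinbuw.exe" C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\qliwrpoecp.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
]


@dataclass
class Finding:
    tag: str
    title: str
    key: str
    name: str
    data: str
    process: str


def normalize_key(key: str) -> str:
    # Native path -> hive alias, user SID replaced, Wow6432Node dropped, lower-cased.
    parts = [p for p in key.split("\\") if p]
    if parts[:2] == ["REGISTRY", "MACHINE"]:
        parts = ["HKLM"] + parts[2:]
    elif parts[:2] == ["REGISTRY", "USER"]:
        parts = ["HKU", "<SID>"] + parts[3:]
    parts = [p for p in parts if p.lower() != "wow6432node"]
    return "\\".join(parts).lower()


def classify(key: str, name: str, data: str):
    """Return (tag, title) when a value write matches a tampering rule, else None."""
    k, n = normalize_key(key), name.lower()
    if k == r"hklm\software\microsoft\security center" and n in SECURITY_CENTER_FLAGS and data == "1":
        return "evasion", "Suppresses Security Center alerts / overrides AV and firewall status"
    if k.endswith(r"\explorer\advanced") and n == "hidefileext" and data == "1":
        return "evasion", "Hides file extensions in Explorer"
    if k.endswith(r"\explorer\advanced") and n == "showsuperhidden" and data == "0":
        return "evasion", "Hides hidden/system files in Explorer"
    if k.endswith(r"\policies\system") and n == "disableregistrytools" and data != "0":
        return "evasion", "Disables Registry Editor"
    if k == r"hklm\software\microsoft\windows nt\currentversion\winlogon" and n in ("sfcdisable", "sfcscan"):
        return "persistence", "Tampers with Windows File Protection settings"
    if k.endswith(r"\currentversion\run"):
        # A bare file name is resolved through the search path at logon, not a fixed location.
        note = "" if "\\" in data else " (bare file name, resolved through the search path)"
        return "persistence", "Adds Run key autostart" + note
    return None


def scan(rows):
    """Parse sandbox rows and collect every rule hit."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        _kind, path, data, process = m.groups()
        key, _, name = path.rpartition("\\")  # default value has an empty name
        hit = classify(key, name, data)
        if hit:
            findings.append(Finding(hit[0], hit[1], normalize_key(key), name, data, process))
    return findings


def summarize(findings):
    """Per-process set of tags, the shape a triage note or SIEM alert would carry."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.tag)
    return by_proc


if __name__ == "__main__":
    for f in scan(REPORT_ROWS):
        print(f"[{f.tag}] {f.title}: {f.key}\\{f.name} = {f.data!r} by {f.process}")
    print(summarize(scan(REPORT_ROWS)))
```

The same rules map onto Sysmon Event ID 13 fields (TargetObject, Details, Image) after the HKLM/HKU prefix is normalised the same way; the point of normalising is that the sample writes through the Wow6432Node reflection, and a rule keyed on the 64-bit path alone would miss it.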

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gjilibco.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vxphzpqdinbuw.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vxphzpqdinbuw.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gjilibco.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qliwrpoecp.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\orbcxhpbyouhoad.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\orbcxhpbyouhoad.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\qliwrpoecp.exe N/A
File created C:\Windows\SysWOW64\qliwrpoecp.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gjilibco.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9CDF916F1E384783B32819B3993B3FD02FB42140348E1B8429A08D5" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C0F9C2082586D3E77D070522CDB7DF665D9" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\orbcxhpbyouhoad.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\qliwrpoecp.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\gjilibco.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\SysWOW64\vxphzpqdinbuw.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\qliwrpoecp.exe
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\qliwrpoecp.exe
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\qliwrpoecp.exe
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\qliwrpoecp.exe
PID 1740 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\orbcxhpbyouhoad.exe
PID 1740 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\orbcxhpbyouhoad.exe
PID 1740 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\orbcxhpbyouhoad.exe
PID 1740 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\orbcxhpbyouhoad.exe
PID 1740 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\gjilibco.exe
PID 1740 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\gjilibco.exe
PID 1740 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\gjilibco.exe
PID 1740 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\gjilibco.exe
PID 1740 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\vxphzpqdinbuw.exe
PID 1740 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\vxphzpqdinbuw.exe
PID 1740 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\vxphzpqdinbuw.exe
PID 1740 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\vxphzpqdinbuw.exe
PID 2792 wrote to memory of 2308 N/A C:\Windows\SysWOW64\qliwrpoecp.exe C:\Windows\SysWOW64\gjilibco.exe
PID 2792 wrote to memory of 2308 N/A C:\Windows\SysWOW64\qliwrpoecp.exe C:\Windows\SysWOW64\gjilibco.exe
PID 2792 wrote to memory of 2308 N/A C:\Windows\SysWOW64\qliwrpoecp.exe C:\Windows\SysWOW64\gjilibco.exe
PID 2792 wrote to memory of 2308 N/A C:\Windows\SysWOW64\qliwrpoecp.exe C:\Windows\SysWOW64\gjilibco.exe
PID 1740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe"

C:\Windows\SysWOW64\qliwrpoecp.exe

qliwrpoecp.exe

C:\Windows\SysWOW64\orbcxhpbyouhoad.exe

orbcxhpbyouhoad.exe

C:\Windows\SysWOW64\gjilibco.exe

gjilibco.exe

C:\Windows\SysWOW64\vxphzpqdinbuw.exe

vxphzpqdinbuw.exe

C:\Windows\SysWOW64\gjilibco.exe

C:\Windows\system32\gjilibco.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/1740-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gjilibco.exe

MD5 8cab2f1ac60751326e12eb889129314d
SHA1 991e101af8631877bbda436fa3d2be8de387ecc3
SHA256 4af63f61f5a266f01345af3dc3c2775f42520777b6f5fdd1fa64094a5e7567cb
SHA512 329c973e42eb0a466d70a5acd361db3b33b0d7612aad9f9a82d99d0e7947cea6f4bba4a7386dd72d5386d43903b82a2b1a9746e23679f239a582985d8770ea8d

\Windows\SysWOW64\qliwrpoecp.exe

MD5 c6ae9bc26df7be6677a2487f05ac82da
SHA1 1efb84ec9f5f2f21719dedf2fe34f1f409f47f81
SHA256 a26dda0aa5b89c284cb3a77c13dbeabc575cf3cb757ac4cdc19abca68284f663
SHA512 1fe88d838a6c20369fdc7edf03833ab19ee00a2974368ddd54085d579cea236a57dac687839665cb84dff4ea84c60e47111cb1fd1d07a3965726766f8574a975

\Windows\SysWOW64\orbcxhpbyouhoad.exe

MD5 a618aaf807e0f7c1982cfbd155569364
SHA1 a9ac50082b317f6235b9970c961a00abaca1bf2a
SHA256 d50ee648deb948d2c97a3c99015360e26e6346ba7ae6c3e1cb8202b3265ac9b3
SHA512 71e8d09ae3f8f1e9a958a6ee48f614461d1e2dc00f43693fcc53557760e0d37d7a97773b6e14765ec1b8384330ba0f2af4ef92b5a92fcb16bda6cb0a0a0473f2

C:\Windows\SysWOW64\vxphzpqdinbuw.exe

MD5 69c6df8eba2332d4456d1d8419f1462c
SHA1 ef85bbe572f3c514700b038e00bb2d15a2f4f91a
SHA256 adb2e45e5a7680bf364bb2531b2b21b1273ae5e243bc2047f3ad6637eb90325b
SHA512 3c87493f10d090dadc614ee76e9448434cc8d93e9c3d7b95f37e5d449f1bcb135637b9481692602d7e668c5f9de5b71f82141e0be8bc77c10cdf4f544d5bce57

memory/2204-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 0ebb74bd4ebf733b73cff874902178dd
SHA1 dc68ea16178edf26c5854099b6372747cabb866b
SHA256 8300da4bedd3e013eec89468c1dc638c8e4a91d05341aa235b33a21140216287
SHA512 cac4381686c0d55a2d1e4d20375199b2e0e95da4b2142764f88defe119721887fd3a052bf118305bb592e2d1b93ff2b166bd528546d026bc7272b462dcf5dcbf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 7e7f1ab14cb4005e843b9b4c3afad805
SHA1 1c555b7b82fa08b66ec1f1772041a531850274ee
SHA256 c114ab80e738c6b96e390834986389dc86a6eea567c35899434fef8c21b51e6c
SHA512 0c38ee473c64201dbf749082040961d776349ae502604ffc857a964e7b78789f025082a0e8c2646d1f9ee02d21f0a4688ebaec124c84b928d10ca1b0f47eba50

memory/684-81-0x0000000002A40000-0x0000000002A50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:55

Reported

2024-06-12 23:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hvayyrehdq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hvayyrehdq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vibspexo = "hvayyrehdq.exe" C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mndaethr = "yravpdglyvuyyni.exe" C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wanzzvdiprxwc.exe" C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hvayyrehdq.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hvayyrehdq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created C:\Windows\SysWOW64\hvayyrehdq.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yravpdglyvuyyni.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wanzzvdiprxwc.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Windows\SysWOW64\buwcqimh.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hvayyrehdq.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Windows\SysWOW64\hvayyrehdq.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yravpdglyvuyyni.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\buwcqimh.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wanzzvdiprxwc.exe C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\buwcqimh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\buwcqimh.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67F15E6DAC5B8C17FE0ED9637CB" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7E9C5782566D3577D270232CD67DF365D8" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFF9482E821B9032D6217D91BDE4E6325845664F6242D7EE" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BC3FE6622DBD10BD0D28B0E9165" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CDF917F2E484093B45869C39E4B3FD038B4214024BE2BE42EE08A3" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02F4490399A52CFBAA23298D7CE" C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hvayyrehdq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\hvayyrehdq.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\yravpdglyvuyyni.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\wanzzvdiprxwc.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A
N/A N/A C:\Windows\SysWOW64\buwcqimh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\hvayyrehdq.exe
PID 3940 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\hvayyrehdq.exe
PID 3940 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\hvayyrehdq.exe
PID 3940 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\yravpdglyvuyyni.exe
PID 3940 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\yravpdglyvuyyni.exe
PID 3940 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\yravpdglyvuyyni.exe
PID 3940 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\buwcqimh.exe
PID 3940 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\buwcqimh.exe
PID 3940 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\buwcqimh.exe
PID 3940 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\wanzzvdiprxwc.exe
PID 3940 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\wanzzvdiprxwc.exe
PID 3940 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Windows\SysWOW64\wanzzvdiprxwc.exe
PID 3940 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3940 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3092 wrote to memory of 3472 N/A C:\Windows\SysWOW64\hvayyrehdq.exe C:\Windows\SysWOW64\buwcqimh.exe
PID 3092 wrote to memory of 3472 N/A C:\Windows\SysWOW64\hvayyrehdq.exe C:\Windows\SysWOW64\buwcqimh.exe
PID 3092 wrote to memory of 3472 N/A C:\Windows\SysWOW64\hvayyrehdq.exe C:\Windows\SysWOW64\buwcqimh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe"

C:\Windows\SysWOW64\hvayyrehdq.exe

hvayyrehdq.exe

C:\Windows\SysWOW64\yravpdglyvuyyni.exe

yravpdglyvuyyni.exe

C:\Windows\SysWOW64\buwcqimh.exe

buwcqimh.exe

C:\Windows\SysWOW64\wanzzvdiprxwc.exe

wanzzvdiprxwc.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\buwcqimh.exe

C:\Windows\system32\buwcqimh.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1300,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/3940-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\yravpdglyvuyyni.exe

MD5 c2d03b55063863c279d3e815c7abfe53
SHA1 47eb2b1e892a9c10b15b986a618978d6f8e9ee6e
SHA256 cc8748f8abd57c7f8431dc5fcf2c4f55db7cbcde04d1fad2713b0d990847e7d1
SHA512 5b340c18bc9c2465c2fef764e11ab34d7e12ef182dab430a3c8507cb9f8da861b3dcb675a258a2b5cd66182aae220336722eb9a9b50d7ef15471600064c70c6d

C:\Windows\SysWOW64\hvayyrehdq.exe

MD5 315ca7914fa805fefee13a55bfece64b
SHA1 44e9fc347faf9f14d228d6cd9aa6018033e98099
SHA256 e7f6f6e7af2734802fe291cad61127690360d8340c046a6b394c6a2037425a6d
SHA512 4e328b00d65265ba1bb2d02766061fc751f6871d773b1dd9759f35b4e644cc4d07dc2e581a2c77d86ac7b4e110ab23fd5a1e3ed35dab08e7af52624edd748ace

C:\Windows\SysWOW64\buwcqimh.exe

MD5 2a45bff7184990db944f63e021ec828b
SHA1 41312deaddc2e9d1d812c969f2c3b89d682dab0e
SHA256 a42aba81585bfffa3b5e56fc402a4223548f7b218b2c363e763a2db7154c7ef8
SHA512 c2189b2aa5eab99760389bed872e85ce904dec0cce5b71fa23476f6de72c11a73ac8eea7d117b818a961fbb50502106ce0fdc08ba74c2ac1f1220b0f1b9c8d1c

C:\Windows\SysWOW64\wanzzvdiprxwc.exe

MD5 9cce5fe68f25d810de1fead1f15796d5
SHA1 1b823d172df8aae5242abef8bffd72169cd83c42
SHA256 bf7b21a12f44dc630f789e4ea3c4f18a8c061526be569bb0b0239a5e5702f554
SHA512 336677eeb3c967e667be9a59de4adb7cad0bda90782a201a2ca60e85f6cb7d41b2333cd2e7e418e0a01c29c962902bc9716d965b61f94670561bb9148c27479f

memory/4272-37-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-40-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-41-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-39-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-38-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-42-0x00007FF96C450000-0x00007FF96C460000-memory.dmp

memory/4272-43-0x00007FF96C450000-0x00007FF96C460000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 602dad6ee0e60cde6698692534ef100b
SHA1 c3e20be4cf62746964ff865964f4f354d412bfac
SHA256 596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598
SHA512 bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 a134bb0bcbc3d8bae3d898a5a823db03
SHA1 c17601d4f51c5d8df4a32cfd1693f72d7bbedd93
SHA256 b7f4c383291751e93a025cd54665d7a000345a596ed606a667f9cb05b5fd9c76
SHA512 fb3996c70e0ceea04be86f65a835a42546720678f7caa05f614d6ea82816f1b0adc5a6da6748d91c07f7ffc88ebcb08c423df8bf52eb1a916052626f27c757ec

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 465c08f3d5b5b98fcf1f1cd1afd6287d
SHA1 190bce071d1b55a22388bcb35a456b25942b2b02
SHA256 2ccb999df71d583bb2793f0f5e7f18d415882e82f99dc5f8336c91ebf0c87d39
SHA512 4b934f23021f47e0fd2245f3fe549aa94e3f3c4bfb4400398f3daf7bbcbfae4b81d274a545e6686fb40e5d0e40653d70383e93874d332655a4ee83b2645cea76

C:\Users\Admin\Downloads\CompressRemove.doc.exe

MD5 add2e4b3810bc4dfaf3d761985249257
SHA1 cee6e733af866be4adf2cb1a9fbe275313130577
SHA256 ed9f8606bd7f76f6ad76295aa04bf42149e1b887547fb38e1127f97a69de6370
SHA512 005d9dc0bcb2e59b76f88b3b21cb0120418721e2f1fd71459760942d4a4a9c160d93357c6eb1e6d42a7a9f9ecbd138fc378fd3be8a92ca91ba8f2c8b43d8ef88

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 78403f8a3a3a94ccfe98a25bd6019910
SHA1 e041153b97d11546f525e07153e58ac948c8adac
SHA256 6683f7d4ff68c3f492e4f9d75932485969342d0abec3a7f87300424a2d8751cf
SHA512 9a0dae40dfc220dcbe5b9b52ac0edbc6dc03d81ab3d13f715b62526c3d3650f201bbc49a3573216749f4252b6cf8ff11c17b60046bc1400769e6093c8be42bee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e957a4fa795eaa6989e728e0ab090052
SHA1 b7b85a7bd5edb5d3387d45425b577b2aec5f5fc8
SHA256 9df45dd8118b41e1f1f01e6a907313f8a3c4986840adf7c28c953f9c6c29032f
SHA512 d8591d077932ebc158de9895e08ac5a4356aa2813563b4e6e316ba91e0c4bb90e523ea985976be5ae7ad96db6715ffea758290dd22238c16de277341637cdbb4

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 ef26846fb04a813b4343718faba55c67
SHA1 2aed1dcbd95b0c84a27b8d90088c606cb2fea678
SHA256 43154c60e44b64cbb2f19e2874a702c19f1e090c1c91e9bb251bce594c24c2e7
SHA512 8b8c517175afca7e3b5b720f0a8caf86a178db4440c3cac72cbd07c03b5577e8592a341581e1c5d87a187030432a5e8d7e45ac94fb88d28ffaf8820e78ede6f2

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 25f5fd9a41d53bd315c7ca41a38bf86a
SHA1 6d4dbeeaad53e1d2570a633188e1cf8db700f45c
SHA256 61593bd9f380358458eb8fc383b82582f61b2149d7ea377ba02380c0732c550a
SHA512 6f40c534c74d90607405cc3060bca15e2a7502b0b5154c77b79b63e6ef6c9716f0fcb7dd535ac683bf1401231399ae3b860fc0b9602bf439998cddb2c90394dd

memory/4272-122-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-123-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-121-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp

memory/4272-124-0x00007FF96EDB0000-0x00007FF96EDC0000-memory.dmp