Malware Analysis Report

2024-11-30 06:12

Sample ID 240612-qtshzazgll
Target a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118
SHA256 2d3d7773775404e6b644e50be9dbc8fd33f373a6f1430f0fd8956f4c32548ed6
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d3d7773775404e6b644e50be9dbc8fd33f373a6f1430f0fd8956f4c32548ed6

Threat Level: Known bad

The file a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Windows security modification

Loads dropped DLL

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:33

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:33

Reported

2024-06-12 13:36

Platform

win7-20240508-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\exrlbswqpw.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\exrlbswqpw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xidlfyug = "exrlbswqpw.exe" C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wvygijgv = "mszerdyxozbfttm.exe" C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ntzstjbhzziyw.exe" C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\exrlbswqpw.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\exrlbswqpw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mszerdyxozbfttm.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fybmtxcn.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ntzstjbhzziyw.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\exrlbswqpw.exe N/A
File created C:\Windows\SysWOW64\exrlbswqpw.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mszerdyxozbfttm.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ntzstjbhzziyw.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\exrlbswqpw.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fybmtxcn.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fybmtxcn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B058479739EF52CAB9A132EFD7C8" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D0B9D5283536A3E77D377212DDF7C8E65DE" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFC834F2A8212903CD72D7D97BDE5E6415836674E6237D6EA" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BC3FE1B21ABD209D1A78B7C9114" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\exrlbswqpw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\exrlbswqpw.exe N/A
N/A N/A C:\Windows\SysWOW64\exrlbswqpw.exe N/A
N/A N/A C:\Windows\SysWOW64\exrlbswqpw.exe N/A
N/A N/A C:\Windows\SysWOW64\exrlbswqpw.exe N/A
N/A N/A C:\Windows\SysWOW64\exrlbswqpw.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\fybmtxcn.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\ntzstjbhzziyw.exe N/A
N/A N/A C:\Windows\SysWOW64\mszerdyxozbfttm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\exrlbswqpw.exe
PID 2088 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\exrlbswqpw.exe
PID 2088 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\exrlbswqpw.exe
PID 2088 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\exrlbswqpw.exe
PID 2088 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\mszerdyxozbfttm.exe
PID 2088 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\mszerdyxozbfttm.exe
PID 2088 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\mszerdyxozbfttm.exe
PID 2088 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\mszerdyxozbfttm.exe
PID 2088 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2088 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2088 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2088 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2088 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\ntzstjbhzziyw.exe
PID 2088 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\ntzstjbhzziyw.exe
PID 2088 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\ntzstjbhzziyw.exe
PID 2088 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\ntzstjbhzziyw.exe
PID 2980 wrote to memory of 2708 N/A C:\Windows\SysWOW64\exrlbswqpw.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2980 wrote to memory of 2708 N/A C:\Windows\SysWOW64\exrlbswqpw.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2980 wrote to memory of 2708 N/A C:\Windows\SysWOW64\exrlbswqpw.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2980 wrote to memory of 2708 N/A C:\Windows\SysWOW64\exrlbswqpw.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2088 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2088 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2088 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2088 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2740 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2740 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2740 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2740 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
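The table above logs one row per WriteProcessMemory call, so every parent/child pair appears four times, and the targets are the same images that are listed under Processes below: the writes coincide with the sample spawning its dropped SysWOW64 copies and the decoy document in Word. The Python below is an added example, not code from the page or the sandbox vendor, that collapses the rows into unique edges, keeps the per-edge write count, rebuilds the chain from the root PID and tags the edges a responder looks at first (a user-writable Temp origin writing into a SysWOW64 image, the launch of WINWORD.EXE). The rows embedded in it are a constructed subset copied from the table; the tag names and the path heuristics are this example's own.

```python
"""Rebuild the process chain from the 'wrote to memory of' rows above."""
import re
from collections import defaultdict

# One row per WriteProcessMemory call; paths may contain spaces, so the split
# relies on the target column always starting with "C:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

# Constructed input: a subset of the rows in the table above, with the first
# pair repeated once as it is in the report (each edge appears four times there).
SAMPLE_ROWS = r"""
PID 2088 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\exrlbswqpw.exe
PID 2088 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\exrlbswqpw.exe
PID 2088 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\mszerdyxozbfttm.exe
PID 2980 wrote to memory of 2708 N/A C:\Windows\SysWOW64\exrlbswqpw.exe C:\Windows\SysWOW64\fybmtxcn.exe
PID 2088 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2740 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""


def parse_rows(text):
    """Unique (src_pid, dst_pid, src_path, dst_path) edges in first-seen order."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def write_counts(text):
    """(src_pid, dst_pid) -> number of rows, i.e. number of writes logged."""
    counts = defaultdict(int)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def classify(src_path, dst_path):
    """Tags derived from the two paths only; the heuristics are chosen for this report."""
    s, d = src_path.lower(), dst_path.lower()
    tags = []
    if "\\appdata\\local\\temp\\" in s and ("\\syswow64\\" in d or "\\system32\\" in d):
        tags.append("temp-to-system-dir")      # user-writable origin, system-dir target
    if d.endswith("\\winword.exe") or d.endswith("\\excel.exe"):
        tags.append("launches-office")         # decoy document opened in Office
    if d.endswith("\\splwow64.exe"):
        tags.append("print-spooler-helper")    # Word starts this itself; low signal alone
    return tags


def build_tree(edges):
    children = defaultdict(list)
    for src_pid, dst_pid, _, _ in edges:
        if dst_pid not in children[src_pid]:
            children[src_pid].append(dst_pid)
    return dict(children)


def roots(edges):
    """PIDs that write to others but are never written to."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render(edges):
    """Indented tree of PID, image name and tags, one line per process."""
    names, tags = {}, {}
    for src_pid, dst_pid, src, dst in edges:
        names[src_pid] = src.rsplit("\\", 1)[-1]
        names[dst_pid] = dst.rsplit("\\", 1)[-1]
        tags[(src_pid, dst_pid)] = classify(src, dst)
    tree = build_tree(edges)
    lines = []

    def walk(pid, parent, depth):
        t = tags.get((parent, pid), [])
        suffix = "  [" + ", ".join(t) + "]" if t else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{suffix}")
        for child in tree.get(pid, []):
            walk(child, pid, depth + 1)

    for r in roots(edges):
        walk(r, None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_rows(SAMPLE_ROWS)))
    print(write_counts(SAMPLE_ROWS))
```

Run against the full table the root is always 2088 (the Temp sample) and the only second-level writer is 2980, which matches the Processes list where exrlbswqpw.exe starts the second fybmtxcn.exe.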

Processes

C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe"

C:\Windows\SysWOW64\exrlbswqpw.exe

exrlbswqpw.exe

C:\Windows\SysWOW64\mszerdyxozbfttm.exe

mszerdyxozbfttm.exe

C:\Windows\SysWOW64\fybmtxcn.exe

fybmtxcn.exe

C:\Windows\SysWOW64\ntzstjbhzziyw.exe

ntzstjbhzziyw.exe

C:\Windows\SysWOW64\fybmtxcn.exe

C:\Windows\system32\fybmtxcn.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2088-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\mszerdyxozbfttm.exe

MD5 58483c2e619fb7cca8c29ba05d3cfe58
SHA1 0e4b009979f67f2666fce5414a6917284d1b2b49
SHA256 c5e60bd47dfe96684b1ac56db6251fabc6ba1643414537c4ceab608fd0a891a3
SHA512 60b9d2aae5ad4b2a3299d480301a030b3a373d2976b0e5e1670a5a3bb1ef7dd481588baa8e1faaa2bf8be90de87817946e958fddf5c91616383921eaf75f974b

\Windows\SysWOW64\exrlbswqpw.exe

MD5 29054890892f116b435ba59bb6532702
SHA1 00a247dfb5cb70b3e7b0b1228fbb4eac693f634e
SHA256 3400e3f9bda129ebc14d8accdb135b50b4c33dc71b320f754cab5e7099b200ff
SHA512 853f929613d51db914278701ac3d551a5a00d23f29e8a065754e97b6d53fc557442978dbfcf7151b180cb32d1a445c13fc5448be37eaaf39c4320e903c429275

\Windows\SysWOW64\fybmtxcn.exe

MD5 6ef28f438669c39e58b8f3b8ac8e9d7e
SHA1 d1e49e96fd1577ab8270d877d532e5b872539d45
SHA256 1c3dfaeaef16ada00d5a9718bacb196f4efd5bffa738e53ba64f42f7b40e8ffe
SHA512 0cb0269df97c1fa5d898d5a8276aa479030fac7672e5c33d6250064c02c97379c809d6901250cdb2cc314b7a9b085c04d3802d2fb81502bc6fa54033ab9c38c5

C:\Windows\SysWOW64\ntzstjbhzziyw.exe

MD5 adb5fa4595121b91a0bab6e56bb823e6
SHA1 f0e0bc90fa38880da96c18e9be80957f3ccc930c
SHA256 24266b73d09a1133a8897806cdf830a2a8f117a682f9693e0ea7ff35cc8c0a35
SHA512 dd0d673d9fd37a7528e20f7e5077959bfaed4210d73954dccb6112829b68098a63ec4b7edca25e8afb143480d1226a5b48c5c09acc5b7db87fe5ef67e499f0a7

memory/2740-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 d73ea28c12e4f39770bbe4bc2dc276a0
SHA1 e1fed7cdd21ba6f7e825ecd7374c7158cfd155f3
SHA256 9d6b27b5a950cc3345c50964ffef4039c7172801965b85c9a8df86de29b13f75
SHA512 bc834d4c25d4843a26fb19bd2a677574bb48578196a21e1378e5708e3b10635992e1cd54ba2a8daadf11eabd1f094b99a4e8b09f801171671e41eb0b7bab8bad

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 a5f4c044a8ffd99699b8d9693deee338
SHA1 d2b82edeb8207043b1714dbfd329420f216f7276
SHA256 7ac6f10ac3f3a951966ce90b9529e2b5e275c67b2f03077556819676e78ab992
SHA512 1a06514a4b07e6442901741343f43cd4891420981a939d75767c96ad8016b55e8c995643bfe58472a035493aae78a8c11fa2a91cc881ef4715d0b2d22f6783ba

memory/2740-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:33

Reported

2024-06-12 13:36

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hvurrujxvg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ezhzueko = "hvurrujxvg.exe" C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fpybexbd = "antmaonoyqbmjzx.exe" C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zezlshojmodsa.exe" C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zwakkcns.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
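Read together with the Modifies registry class rows further down, the registry writes in this analysis are the sample hardening the host against its own discovery: file extensions and super-hidden files are hidden in Explorer, regedit is blocked for the logged-on user, the Security Center override and notification flags are set, three Run values point at the dropped SysWOW64 images, and script extensions (.vbs, .wsf, .wsh, .wsc, .bat, .reg) are re-associated with txtfile so a double-clicked script opens as text instead of running. SFCDisable = 4294967197 is 0xFFFFFF9D, the legacy Windows File Protection value from Windows 2000/XP, so on the Windows 10 platform of this detonation treat it as a family fingerprint rather than a working bypass. The Python below is an added example, not code from the page or the sandbox vendor, that parses rows in this report's flattened format into HKLM/HKU keys, decodes the (data) rows as UTF-16LE (the one WINWORD.EXE writes under .htm\OpenWithList\Microsoft Excel\shell\edit\command decodes to Office's own xb'BV5!... registration string, not something the sample did) and maps each write to a finding. The finding names and the ATT&CK technique IDs are this example's own mapping; the embedded rows are copied from this page.

```python
"""Turn the flattened registry rows of this report into structured findings."""
import re

# "Set value (kind) <path> = <raw> <process> N/A" or "Key created <path> <process> N/A".
# Registry paths contain spaces, so the process column is anchored on its "C:\" start.
ROW_RE = re.compile(
    r"^(?P<op>Set value \((?P<kind>int|str|data)\)|Key created|Key deleted)"
    r" (?P<path>\\REGISTRY\\.+?)(?: = (?P<raw>.+?))? (?P<proc>C:\\.+?) N/A$"
)

SECURITY_CENTER_VALUES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                          "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".wsc", ".bat", ".cmd", ".reg"}

# Constructed input: rows copied from the behavioral2 tables on this page, one "(data)"
# row written by WINWORD.EXE in behavioral1, and one non-registry row that must be skipped.
SAMPLE = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ezhzueko = "hvurrujxvg.exe" C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zezlshojmodsa.exe" C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hvurrujxvg.exe N/A
"""


def normalize_hive(path):
    """Rewrite the kernel-style hive prefix the way regedit shows it (HKLM, HKU)."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def split_value_path(path):
    """Value rows end in the value name; a trailing backslash means the key's (Default) value."""
    if path.endswith("\\"):
        return path[:-1], ""
    key, _, name = path.rpartition("\\")
    return key, name


def decode_value(kind, raw):
    """(data) rows are hex of a UTF-16LE string; int/str rows are quoted text."""
    if raw is None:
        return None
    if kind == "data":
        try:
            return bytes.fromhex(raw).decode("utf-16-le").rstrip("\x00")
        except ValueError:
            return raw
    return raw.strip('"')


def _is_wfp_disable(v):
    try:
        return int(v, 0) & 0xFFFFFFFF == 0xFFFFFF9D   # 4294967197: legacy WFP off switch
    except ValueError:
        return False


def assess(key, name, value):
    """Map one write to (finding, ATT&CK id); this mapping is the example's, not the report's."""
    k = key.lower().replace("wow6432node\\", "")
    n = (name or "").lower()
    v = value or ""
    if k.endswith("\\explorer\\advanced") and n == "hidefileext" and v == "1":
        return "hide-file-extensions", "T1564.001"
    if k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and v == "0":
        return "hide-system-files", "T1564.001"
    if k.endswith("\\policies\\system") and n == "disableregistrytools" and v == "1":
        return "disable-regedit", "T1562.001"
    if k.endswith("\\microsoft\\security center") and n in SECURITY_CENTER_VALUES and v == "1":
        return "security-center-override", "T1562.001"
    if k.endswith("\\currentversion\\run") and name is not None:
        return "run-key-persistence", "T1547.001"
    if k.endswith("\\winlogon") and n == "sfcdisable" and _is_wfp_disable(v):
        return "disable-wfp", "T1562.001"
    if "\\software\\classes\\" in k and k.rsplit("\\", 1)[-1] in SCRIPT_EXTS and n == "" and v == "txtfile":
        return "script-extension-hijack", "T1546.001"
    return None


def parse_rows(text):
    """Return (records, unparsed_count); each record is a dict describing one decoded write."""
    records, unparsed = [], 0
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        path = normalize_hive(m.group("path"))
        key, name = (path, None) if m.group("op").startswith("Key") else split_value_path(path)
        value = decode_value(m.group("kind"), m.group("raw"))
        finding = assess(key, name, value) or (None, None)
        records.append({"op": m.group("op"), "key": key, "name": name, "value": value,
                        "proc": m.group("proc"), "finding": finding[0], "technique": finding[1]})
    return records, unparsed


def summarize(records):
    """finding -> set of image names that produced it."""
    out = {}
    for r in records:
        if r["finding"]:
            out.setdefault(r["finding"], set()).add(r["proc"].rsplit("\\", 1)[-1])
    return out


if __name__ == "__main__":
    recs, skipped = parse_rows(SAMPLE)
    for finding, procs in sorted(summarize(recs).items()):
        print(f"{finding:26s} {', '.join(sorted(procs))}")
    print(f"{skipped} non-registry row(s) skipped")
```

The rules only fire on the exact value the sample wrote (HideFileExt = 1, ShowSuperHidden = 0, and so on); a Key created row or an Office (data) row therefore parses cleanly but yields no finding, which keeps the WINWORD.EXE registration noise in behavioral1 out of the summary.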

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (11 identical rows: the signature matched 11 times, with no indicator, process or target recorded for any of them)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\antmaonoyqbmjzx.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\antmaonoyqbmjzx.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zwakkcns.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zwakkcns.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zezlshojmodsa.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zezlshojmodsa.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hvurrujxvg.exe N/A
File opened for modification C:\Windows\SysWOW64\hvurrujxvg.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created C:\Windows\SysWOW64\hvurrujxvg.exe C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\TestDebug.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\MountUnpublish.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\MountUnpublish.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\TestDebug.nal C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zwakkcns.exe N/A
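Across the Program Files and Windows tables, zwakkcns.exe creates an executable named after an existing document with .exe appended (PROTTPLN.DOC.exe, TestDebug.doc.exe, MsoIrmProtector.doc.exe) and, for most of them, opens a same-named .nal file for modification in the same directory. The report does not say what the .nal files hold, so the only safe pairing is by base name. The Python below is an added example, not code from the page or the sandbox vendor, that scans a directory tree for document-then-executable double extensions and pairs each hit with its .nal sibling; the fixture it builds is constructed from the paths in these tables plus two legitimate files that must not match, and the extension lists are this example's choices.

```python
"""Hunt for the X.doc.exe / X.nal pairs listed in the 'Drops file' tables above."""
import os
import tempfile

# Constructed fixture: relative paths taken from the tables above, plus two
# legitimate files that must not match.
DROPPED = [
    r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe",
    r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal",
    r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe",
    r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal",
    r"Program Files\TestDebug.doc.exe",
    r"Program Files\TestDebug.nal",
    r"Program Files\MountUnpublish.doc.exe",
    r"Program Files\MountUnpublish.nal",
    r"Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",          # no .nal listed for this one
    r"Program Files\Microsoft Office\root\Office16\WINWORD.EXE",  # legitimate
    r"Users\Admin\Documents\notes.docx",                         # legitimate
]

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_double_extension(name):
    """True for names like report.doc.exe: a document extension under an executable one."""
    stem, ext = os.path.splitext(name.lower())
    return ext in EXEC_EXTS and os.path.splitext(stem)[1] in DOC_EXTS


def scan(root):
    """Walk root; return [(double_extension_path, sibling_nal_path_or_None), ...]."""
    hits = []
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in sorted(files):
            if not is_double_extension(f):
                continue
            base = os.path.splitext(os.path.splitext(f)[0])[0].lower()   # strip both extensions
            nal = by_lower.get(base + ".nal")
            hits.append((os.path.join(dirpath, f), os.path.join(dirpath, nal) if nal else None))
    return hits


def summarize_hits(hits):
    """basename of each hit -> basename of its .nal sibling, or None."""
    return {os.path.basename(exe): (os.path.basename(nal) if nal else None) for exe, nal in hits}


def build_fixture(paths=DROPPED):
    """Create the constructed tree in a temp dir (Windows separators mapped to the host's)."""
    root = tempfile.mkdtemp(prefix="docexe-")
    for rel in paths:
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ" if rel.lower().endswith(".exe") else b"")
    return root


if __name__ == "__main__":
    for exe, nal in scan(build_fixture()):
        print(exe, "->", nal or "(no .nal sibling)")
```

On a real host point scan() at the drive root; a hit with a .nal sibling is the strongest signal, while a lone double-extension executable still deserves a hash check against the SHA256 values in the Files section of behavioral1.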

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7E9D2C82226D3E77D570552DD67CF164DE" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02D47EF39E953C5BAD1329BD4C5" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF824F2A851D9042D72F7DE1BDE7E144593167436246D7EC" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hvurrujxvg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FABAFE10F194830E3B3786EE39E5B3FD038A4311034FE1C445EA09A2" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468C6FE6C22A9D10CD0D28A0B9165" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC70E1490DAC0B8C17F95EDE734CD" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
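The rows above show the dropped hvurrujxvg.exe repointing six script file associations (.bat, .reg, .vbs, .wsc, .wsf, .wsh) at the txtfile ProgID, the handler normally used for .txt, so a double-clicked .reg fix or .bat cleanup script opens in Notepad instead of executing. Separately, the original sample writes hex strings under a custom HKLM\SOFTWARE\Classes\CLV.Classes key; the report does not say what those strings encode. The block below is an added example, not sandbox output or the sample's code: it parses a subset of the rows exactly as printed and flags the hijacked associations and the opaque values. SCRIPT_EXTENSIONS, the regexes and the function names are the example's own.

```python
"""Added example: parse 'Modifies registry class' rows from the sandbox
report and flag script-extension hijacking (associations repointed at the
"txtfile" ProgID). The regexes and names here are the example's own."""
import re

# Subset of rows copied verbatim from the table above.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7E9D2C82226D3E77D570552DD67CF164DE" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hvurrujxvg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468C6FE6C22A9D10CD0D28A0B9165" C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A',
]

# One flattened table row: operation, key, optional quoted value, writing
# process (may contain spaces), target column.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<process>[A-Za-z]:\\.+?\.exe)'
    r'\s+(?P<target>\S+)$'
)
# Leaf of a ...\Classes\<.ext> key, after the trailing backslash is stripped.
CLASSES_EXT_RE = re.compile(r'\\Classes\\(\.[^\\]+)$', re.IGNORECASE)
HEX_BLOB_RE = re.compile(r'^[0-9A-Fa-f]{16,}$')

# Extensions whose default handler executes the file; pointing any of them at
# "txtfile" makes a double-click open Notepad instead of running the script.
SCRIPT_EXTENSIONS = {'.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf',
                     '.wsh', '.wsc', '.reg', '.ps1', '.hta'}


def parse_row(line):
    """Return the row's fields as a dict, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row['key'] = row['key'].rstrip('\\')
    return row


def analyse(rows):
    """Hijacked associations, opaque hex values, and the processes that wrote."""
    hijacked, opaque, writers = {}, {}, set()
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        writers.add(row['process'])
        if row['value'] is None:          # "Key created" rows carry no value
            continue
        ext = CLASSES_EXT_RE.search(row['key'])
        if ext and row['value'].lower() == 'txtfile' \
                and ext.group(1).lower() in SCRIPT_EXTENSIONS:
            hijacked[ext.group(1).lower()] = row['process']
        elif HEX_BLOB_RE.match(row['value']):
            opaque[row['key'].rsplit('\\', 1)[-1]] = row['value']
    return {'hijacked': hijacked, 'opaque_values': opaque, 'writers': sorted(writers)}


if __name__ == '__main__':
    result = analyse(REGISTRY_ROWS)
    for ext, proc in sorted(result['hijacked'].items()):
        print(f'{ext:<5} -> txtfile (Notepad)   set by {proc}')
    for name, blob in sorted(result['opaque_values'].items()):
        print(f'CLV.Classes\\{name} = {blob[:16]}... ({len(blob)} hex chars)')
```

Registry key names are case-insensitive, which is why the .WSH/.wsh and .WSF/.wsf pairs above are one association each and the extensions are lower-cased before matching. Remediation on an infected host has to restore these defaults before any .reg or .bat based cleanup will run.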

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\hvurrujxvg.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\antmaonoyqbmjzx.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zezlshojmodsa.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A
N/A N/A C:\Windows\SysWOW64\zwakkcns.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\hvurrujxvg.exe
PID 3040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\hvurrujxvg.exe
PID 3040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\hvurrujxvg.exe
PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\antmaonoyqbmjzx.exe
PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\antmaonoyqbmjzx.exe
PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\antmaonoyqbmjzx.exe
PID 3040 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zwakkcns.exe
PID 3040 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zwakkcns.exe
PID 3040 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zwakkcns.exe
PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zezlshojmodsa.exe
PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zezlshojmodsa.exe
PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zezlshojmodsa.exe
PID 3040 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3040 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3760 wrote to memory of 3432 N/A C:\Windows\SysWOW64\hvurrujxvg.exe C:\Windows\SysWOW64\zwakkcns.exe
PID 3760 wrote to memory of 3432 N/A C:\Windows\SysWOW64\hvurrujxvg.exe C:\Windows\SysWOW64\zwakkcns.exe
PID 3760 wrote to memory of 3432 N/A C:\Windows\SysWOW64\hvurrujxvg.exe C:\Windows\SysWOW64\zwakkcns.exe
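The rows above give the parent/child structure of the detonation: PID 3040 (the sample) writes into hvurrujxvg.exe (3760), antmaonoyqbmjzx.exe (4164), zwakkcns.exe (4616), zezlshojmodsa.exe (3704) and WINWORD.EXE (3920), and 3760 in turn writes into a second zwakkcns.exe (3432). Two caveats when reading it: the signature records cross-process writes including those a parent performs while launching a child, and it does not record what was written, so the table is a process map rather than proof of code injection; and the last zwakkcns.exe in the Processes section is launched as C:\Windows\system32\zwakkcns.exe but runs from SysWOW64 because WOW64 file-system redirection maps system32 to SysWOW64 for 32-bit processes. WINWORD.EXE is opened on C:\Windows\mydoc.rtf, and the only network activity recorded is Word's own Office service lookups. The block below is an added example, not sandbox output: it parses the rows as printed into a tree and lists write targets outside the sample's drop directories. DROP_DIRS, the regex and the function names are the example's own.

```python
"""Added example: rebuild the process tree from the 'Suspicious use of
WriteProcessMemory' rows of the sandbox report. Names are the example's own."""
import re
from collections import defaultdict

# Rows copied verbatim from the table above.
WRITE_ROWS = [
    r'PID 3040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\hvurrujxvg.exe',
    r'PID 3040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\hvurrujxvg.exe',
    r'PID 3040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\hvurrujxvg.exe',
    r'PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\antmaonoyqbmjzx.exe',
    r'PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\antmaonoyqbmjzx.exe',
    r'PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\antmaonoyqbmjzx.exe',
    r'PID 3040 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zwakkcns.exe',
    r'PID 3040 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zwakkcns.exe',
    r'PID 3040 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zwakkcns.exe',
    r'PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zezlshojmodsa.exe',
    r'PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zezlshojmodsa.exe',
    r'PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Windows\SysWOW64\zezlshojmodsa.exe',
    r'PID 3040 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE',
    r'PID 3040 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE',
    r'PID 3760 wrote to memory of 3432 N/A C:\Windows\SysWOW64\hvurrujxvg.exe C:\Windows\SysWOW64\zwakkcns.exe',
    r'PID 3760 wrote to memory of 3432 N/A C:\Windows\SysWOW64\hvurrujxvg.exe C:\Windows\SysWOW64\zwakkcns.exe',
    r'PID 3760 wrote to memory of 3432 N/A C:\Windows\SysWOW64\hvurrujxvg.exe C:\Windows\SysWOW64\zwakkcns.exe',
]

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; image
# paths may contain spaces, so each is matched lazily up to its ".exe".
WRITE_RE = re.compile(
    r'^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+)\s+N/A\s+'
    r'(?P<src>[A-Za-z]:\\.+?\.exe)\s+(?P<dst>[A-Za-z]:\\.+?\.exe)$',
    re.IGNORECASE,
)
# Where this sample's own binaries live (example assumption taken from the
# Processes section): anything written to outside these is worth a look.
DROP_DIRS = ('c:\\windows\\syswow64\\', 'c:\\users\\admin\\appdata\\local\\temp\\')


def build_tree(rows):
    """Return (roots, children, names, write_counts) parsed from the rows."""
    names, counts = {}, defaultdict(int)
    for line in rows:
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m['src_pid']), int(m['dst_pid'])
        names[src], names[dst] = m['src'], m['dst']
        counts[(src, dst)] += 1            # repeated rows = repeated writes
    children = defaultdict(list)
    for src, dst in counts:
        children[src].append(dst)
    written_to = {dst for _, dst in counts}
    roots = sorted(pid for pid in names if pid not in written_to)
    return roots, children, names, dict(counts)


def render(pid, children, names, counts, depth=0, parent=None):
    """Indented text tree, one line per process, with write counts."""
    tag = f'  ({counts[(parent, pid)]} writes from {parent})' if parent is not None else ''
    lines = ['  ' * depth + f'{pid}  {names[pid]}{tag}']
    for child in sorted(children.get(pid, [])):
        lines.extend(render(child, children, names, counts, depth + 1, pid))
    return lines


def foreign_targets(names, roots):
    """Write targets whose image is not in the sample's drop directories."""
    return sorted((pid, image) for pid, image in names.items()
                  if pid not in roots and not image.lower().startswith(DROP_DIRS))


if __name__ == '__main__':
    roots, children, names, counts = build_tree(WRITE_ROWS)
    for root in roots:
        print('\n'.join(render(root, children, names, counts)))
    for pid, image in foreign_targets(names, roots):
        print(f'write target outside the drop directories: {pid} {image}')
```

The only write target outside the drop directories is WINWORD.EXE (3920), the installed Word that the sample started on the decoy document; the memory dumps listed for PID 3920 in the Files section are the place to look if injection into Word is suspected, since the rows themselves do not show what was written.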

Processes

C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe"

C:\Windows\SysWOW64\hvurrujxvg.exe

hvurrujxvg.exe

C:\Windows\SysWOW64\antmaonoyqbmjzx.exe

antmaonoyqbmjzx.exe

C:\Windows\SysWOW64\zwakkcns.exe

zwakkcns.exe

C:\Windows\SysWOW64\zezlshojmodsa.exe

zezlshojmodsa.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\zwakkcns.exe

C:\Windows\system32\zwakkcns.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 52.111.229.43:443 tcp

Files

memory/3040-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\antmaonoyqbmjzx.exe

MD5 ec37a39e502529074b9c69753da53ef6
SHA1 2977264dc29ea91ecbd1baa1879eae8ff2f25d39
SHA256 8a3dd868d1a25303ecddea09822a40a9509776c56ea8d8e1b559d553741bd56c
SHA512 d21ce43939786a9970c4d8bb94dc62bdfa4d2cb402d8c57b2acf79b3a51f99dd6a29f72992ed066cd13a7697a9b522a534f29ffaf954f38a60e8489faeaaa7a8

C:\Windows\SysWOW64\hvurrujxvg.exe

MD5 4b90858b5bcbcfb87ad05873cae063d7
SHA1 09d35bec066f34be14704e8e2168db8e8ec285d6
SHA256 fb5f49c3aa173bca89e2e68dce5c0d223bd7fdee92e18f67d79f0c95fa16d4ed
SHA512 e48ffe989dfcd7ec34275f64b745d98a7e2306814ad9300e19a7ecc95d5e555c6b58c2f558a806e91cf3e366831238191530a20e5956c6c229ea1a95c630be2c

C:\Windows\SysWOW64\zwakkcns.exe

MD5 cb9d49a312f051f81a8a546989beaadf
SHA1 1f60413e3220439e78071fe5699aa61c4a1e8e12
SHA256 28884f9944d13e08e0259563a175a937d7986509acc1dcf7b00a75b24c898490
SHA512 760d19d11fc1c6590bc4d07b2199f1492aa77f6f33e934ce60d52a6f7dc9d1e3392bac74c6d4badf08878a258a6787f0b955bbdb2f5e5a48a31f6d74735bce2e

C:\Windows\SysWOW64\zezlshojmodsa.exe

MD5 f1c5a24077932fea415489f7cf267765
SHA1 2da06da8372786d803b51a645126a9aed451263e
SHA256 5a89c0bc96a273c9b095bf823132376b42e1768d98037c7dd17b9dbca89c237c
SHA512 88cbe97835ccacc553cbbebab76dc3343290c8e8dee2bc122d77e732be89ee65b3e6d571c6413e4b932716367f0718852e7591143e539036b88b4b85f7eb2806

memory/3920-35-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-36-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-37-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-38-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-39-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-40-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

memory/3920-43-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 ed98ee1fab61a68d4385068c94748d5c
SHA1 c02d0f25e493df1b2627c65c8e41a7f0c1f34f2f
SHA256 0559589e01a7afeade6678adcfbd77bf62ce32af62f6ca7f9f009b6a1987a300
SHA512 402f229a914fa6f330d3faf6a0f9bcacd86f74047c2967c89bd7bb4b73b46514407ee5ae3eb2ba7020439f51217d8c72e889d996b19a17592d659fc58dcc456d

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 279e0ef3b94c8f9ae239082a68b2acf1
SHA1 70d62b5bb14094b96575866fec8f5b0868505fdb
SHA256 6a6193861a5dd370c7e20f099a899d114474992dfaa11ed1572fa1f97371cbd6
SHA512 f6d0dcf736f2ec2b121b17c688c79c4d93467a70c64350e451cd67ff9d38adc300a07dca72bea2645d918507faca6c078f18d93017a6a1779aeca470aa575999

C:\Program Files\MountUnpublish.doc.exe

MD5 4a582e2d2da15e1dd7e7993b189acf04
SHA1 894f70d53c8cdd0aca64fbedd4dda06a8a348f98
SHA256 25bb775974d6f316880242d5ac48384c92733fd4aa216ca10d28766b56cba29f
SHA512 c536ebf51cccc916c716ec96c68eb9436030e7974a267f6d4cd0922e55aab036518e5c2c2ffef050ebbd31caf2df7aaf7933fd37db10709cfb52a9a7d3fee6a2

C:\Program Files\TestDebug.doc.exe

MD5 c37728c3fd74937eb62a00ffc8749789
SHA1 bf959f43c766adcaa6a150e2860c2810a27bf2bf
SHA256 6d151a2039de96ee7b1309807fd2d4576d31a7e4066bb845ee00a36527288058
SHA512 d0277eba5b7d83f1f24cfdbae785ccdf8f7b49b2016649e88142ed406035b4f7be48cea926f2e57fe81fb48c89e17e218a2186708f97fa34ca18c31f414a4a09

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6c472de24a316fb7331f7c0fa09d4dff
SHA1 0abcd6907a3c4f8639ecd9b96c96d7e3de5957e8
SHA256 de1d69c93e5d93b9912f24e87897a38d0f4ccb72f5318d154489620777689598
SHA512 24df39a06e6ce0ddd4aa9964c0fdc6920690d48cdc9628af90407ebda9cab4e7d4b285d0633c95202881916587fc3dfefb3dad7cf6bf6fc2cbefe39822c74a26

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 88b3f7686c8a659e26ae84ffc66130e5
SHA1 014314e28b29ce61899d5e8e811637d48a9d2709
SHA256 0715a0be7696dd394eb7525e3cbb8ae272e0287a3e7470b68830a99c3953550b
SHA512 286e312e0e62b7c5379cdaef0dfe4b2c3a82692f7afca54d3d707796e5b1a99f0ec3b683ad621e04aa8eddaa10028feed81233042691b27fb54769968c7a6296

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 07d1ec0994b651227df3c57ba1263fa7
SHA1 d1714d74985a68e9d8cb7f04a4da63aff5586aa6
SHA256 d6bf959615404ed53e8f92989b96d3f3995bc4dc75feb539324078d18081cd4f
SHA512 443a43730fa8a6df7eb6fd03565d02b2e456c4682dd63d81836499aac19bf11d3e4ca442e950d6e13e906100c5b1bcc76577010dd061a4da37cdbdaf382b0c16

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d4d04f92a0a7f6bca3de655e3e903546
SHA1 f56b631b446d290e1db01ad6a42443a5ba44597d
SHA256 609f191923f3fea9b91131b641571bdb7bd4d79566364b90d545a56eba348820
SHA512 d0e6d9af73e77bef721c4f142d1473bccc96f0401373d412659537c328e493ff98808e38bbe4a5f382b8fd93981397f1db4627001f95489b5e42724b423792e1

memory/3920-119-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-120-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-122-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/3920-121-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp
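The Files list above mixes three kinds of entry: dropped or modified files with four hashes each, memory dumps named memory/<pid>-<n>-<start>-<end>-memory.dmp, and the same path recorded twice with different hashes (\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe). Several of the dropped files carry a document name plus a trailing .exe (PROTTPLN.DOC.exe, MountUnpublish.doc.exe, TestDebug.doc.exe, MsoIrmProtector.doc.exe); a double extension like that only fools a user whose Explorer hides known extensions. C:\Windows\mydoc.rtf is the document WINWORD.EXE was launched with in the Processes section. The block below is an added example, not sandbox output: it parses a subset of the list (blank separator lines removed) and extracts what a responder wants from it: PE hashes to block, document-named executables, paths written more than once with different content, and which PIDs were dumped. The regexes and function names are the example's own.

```python
"""Added example: parse the flattened Files list of the sandbox report into
hashed entries and memory dumps, then pull out triage facts. Names are the
example's own."""
import re
from collections import Counter, defaultdict

# Subset of the Files list above, copied verbatim minus blank lines.
FILES_TEXT = r'''
memory/3040-0-0x0000000000400000-0x0000000000496000-memory.dmp
C:\Windows\SysWOW64\antmaonoyqbmjzx.exe
MD5 ec37a39e502529074b9c69753da53ef6
SHA1 2977264dc29ea91ecbd1baa1879eae8ff2f25d39
SHA256 8a3dd868d1a25303ecddea09822a40a9509776c56ea8d8e1b559d553741bd56c
SHA512 d21ce43939786a9970c4d8bb94dc62bdfa4d2cb402d8c57b2acf79b3a51f99dd6a29f72992ed066cd13a7697a9b522a534f29ffaf954f38a60e8489faeaaa7a8
memory/3920-35-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp
C:\Windows\mydoc.rtf
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
MD5 ed98ee1fab61a68d4385068c94748d5c
SHA1 c02d0f25e493df1b2627c65c8e41a7f0c1f34f2f
SHA256 0559589e01a7afeade6678adcfbd77bf62ce32af62f6ca7f9f009b6a1987a300
SHA512 402f229a914fa6f330d3faf6a0f9bcacd86f74047c2967c89bd7bb4b73b46514407ee5ae3eb2ba7020439f51217d8c72e889d996b19a17592d659fc58dcc456d
C:\Program Files\MountUnpublish.doc.exe
MD5 4a582e2d2da15e1dd7e7993b189acf04
SHA1 894f70d53c8cdd0aca64fbedd4dda06a8a348f98
SHA256 25bb775974d6f316880242d5ac48384c92733fd4aa216ca10d28766b56cba29f
SHA512 c536ebf51cccc916c716ec96c68eb9436030e7974a267f6d4cd0922e55aab036518e5c2c2ffef050ebbd31caf2df7aaf7933fd37db10709cfb52a9a7d3fee6a2
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 07d1ec0994b651227df3c57ba1263fa7
SHA1 d1714d74985a68e9d8cb7f04a4da63aff5586aa6
SHA256 d6bf959615404ed53e8f92989b96d3f3995bc4dc75feb539324078d18081cd4f
SHA512 443a43730fa8a6df7eb6fd03565d02b2e456c4682dd63d81836499aac19bf11d3e4ca442e950d6e13e906100c5b1bcc76577010dd061a4da37cdbdaf382b0c16
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 d4d04f92a0a7f6bca3de655e3e903546
SHA1 f56b631b446d290e1db01ad6a42443a5ba44597d
SHA256 609f191923f3fea9b91131b641571bdb7bd4d79566364b90d545a56eba348820
SHA512 d0e6d9af73e77bef721c4f142d1473bccc96f0401373d412659537c328e493ff98808e38bbe4a5f382b8fd93981397f1db4627001f95489b5e42724b423792e1
memory/3920-119-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp
'''

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$')
DUMP_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
# An executable masquerading as a document: "<name>.doc.exe" and friends.
DOUBLE_EXT_RE = re.compile(r'\.(doc|docx|rtf|pdf|xls|xlsx|ppt|txt|jpg)\.exe$', re.IGNORECASE)


def parse_files(text):
    """Split the list into hashed file entries and memory-dump entries."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append({'pid': int(m[1]), 'seq': int(m[2]),
                          'start': int(m[3], 16), 'end': int(m[4], 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1].lower()] = m[2]   # attach hash to the preceding path
            continue
        current = {'path': line}           # any other line starts a new entry
        files.append(current)
    return files, dumps


def triage(files, dumps):
    """PE hashes, document-named executables, rewritten paths, dumped PIDs."""
    pe_sha256 = sorted({f['sha256'] for f in files
                        if f['path'].lower().endswith('.exe') and 'sha256' in f})
    double_ext = sorted({f['path'] for f in files if DOUBLE_EXT_RE.search(f['path'])})
    by_path = defaultdict(set)
    for f in files:
        if 'sha256' in f:
            by_path[f['path'].lower()].add(f['sha256'])
    rewritten = {p: sorted(h) for p, h in by_path.items() if len(h) > 1}
    return {'pe_sha256': pe_sha256, 'double_extension': double_ext,
            'rewritten': rewritten, 'dumped_pids': dict(Counter(d['pid'] for d in dumps))}


if __name__ == '__main__':
    for key, value in triage(*parse_files(FILES_TEXT)).items():
        print(f'{key}: {value}')
```

Run the same way over the full list above. The two MsoIrmProtector.doc.exe entries are one path written twice with different content, so both SHA256 values belong on a blocklist, and the dump ranges for PID 3920 (WINWORD.EXE) are where to look for whatever the sample wrote into Word.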