Malware Analysis Report

2024-11-30 04:18

Sample ID 240613-a8nwbsxhjg
Target a33e0db80f88649db04da2f68919a621_JaffaCakes118
SHA256 6886e124509ad7939dd85e2a98c70db37d980df97963bc32ed41bda6534d4a02
Tags
evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6886e124509ad7939dd85e2a98c70db37d980df97963bc32ed41bda6534d4a02

Threat Level: Known bad

The file a33e0db80f88649db04da2f68919a621_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:53

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:53

Reported

2024-06-13 00:55

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\fuvpexiccq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fuvpexiccq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\licddnds = "fuvpexiccq.exe" C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqbmjwwq = "fdgbwcxbiivrapj.exe" C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wpxrroimwijbp.exe" C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\frefnczq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\frefnczq.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\fuvpexiccq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fuvpexiccq.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\frefnczq.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wpxrroimwijbp.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\fuvpexiccq.exe N/A
File created C:\Windows\SysWOW64\fuvpexiccq.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\frefnczq.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wpxrroimwijbp.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\frefnczq.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\frefnczq.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\frefnczq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\frefnczq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFE4F2882139041D7287D9CBDE0E635593767366345D6EB" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\fuvpexiccq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFAB0F96AF1E0840C3B4281EC3993B0FD02FD4215023BE1CF459908A0" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D7D9D5682246A4277A7702F2CDD7DF665D8" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
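
The `command` values in the rows above are dumped as raw REG_BINARY hex, which hides what WINWORD.EXE actually wrote. Decoding them as UTF-16LE is the first check an analyst makes before treating such rows as payload. The block below is an added example, not part of the report or of any sandbox tooling; its sample rows are copied from the table above, and the `xb'BV5` prefix test rests on the known format of Windows Installer descriptors (the self-repair command strings Office registers), which is the editor's reading of these rows rather than something the report states.

```python
import re

# Constructed sample: two "Set value (data)" rows copied from the behavioral1
# "Modifies registry class" table of this report. The hex is the report's own data.
SAMPLE_ROWS = r"""
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# One "Set value (data)" row: key path, hex payload, writing process, then the
# report's fixed "N/A" target column. The process path is anchored on a drive
# letter so spaces inside the key (e.g. "Microsoft Excel") cannot confuse the split.
ROW_RE = re.compile(
    r"^Set value \(data\) (?P<key>\\REGISTRY\\.+?) = (?P<hex>[0-9A-Fa-f]+) "
    r"(?P<proc>[A-Za-z]:\\.+?) N/A$"
)

# Windows Installer "Darwin descriptors" (the self-repair command strings Office
# writes under shell\...\command\command) start with this fixed prefix.
# Assumption used for classification; the report itself does not decode the rows.
DARWIN_PREFIX = "xb'BV5"


def decode_reg_binary(hex_str: str) -> str:
    """Decode a REG_BINARY hex dump as UTF-16LE text, dropping a dangling odd
    byte and the NUL terminators the sandbox includes in the dump."""
    raw = bytes.fromhex(hex_str)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def decode_rows(report_text: str) -> list:
    """Parse every 'Set value (data)' row and attach its decoded payload."""
    out = []
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        text = decode_reg_binary(m["hex"])
        out.append({
            "key": m["key"],
            "process": m["proc"],
            "decoded": text,
            "installer_descriptor": text.startswith(DARWIN_PREFIX),
        })
    return out


if __name__ == "__main__":
    for row in decode_rows(SAMPLE_ROWS):
        tag = "installer descriptor" if row["installer_descriptor"] else "REVIEW"
        print(f"[{tag}] {row['key']}\n    {row['decoded']!r}")
```

Both rows decode to Office's installer descriptor strings (ending in `/dde` for the Excel entry and `/n "%1"` for the Word entry) written by WINWORD.EXE itself while it re-registers its file associations; they are not a payload placed by the sample. Rows whose decoded text does not carry that prefix, or that are written by one of the dropped SysWOW64 binaries, are the ones worth a closer look.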

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fuvpexiccq.exe N/A
N/A N/A C:\Windows\SysWOW64\fuvpexiccq.exe N/A
N/A N/A C:\Windows\SysWOW64\fuvpexiccq.exe N/A
N/A N/A C:\Windows\SysWOW64\fuvpexiccq.exe N/A
N/A N/A C:\Windows\SysWOW64\fuvpexiccq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\frefnczq.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\wpxrroimwijbp.exe N/A
N/A N/A C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe
PID 2032 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe
PID 2032 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe
PID 2032 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\wpxrroimwijbp.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\wpxrroimwijbp.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\wpxrroimwijbp.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\wpxrroimwijbp.exe
PID 2292 wrote to memory of 2500 N/A C:\Windows\SysWOW64\fuvpexiccq.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2292 wrote to memory of 2500 N/A C:\Windows\SysWOW64\fuvpexiccq.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2292 wrote to memory of 2500 N/A C:\Windows\SysWOW64\fuvpexiccq.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2292 wrote to memory of 2500 N/A C:\Windows\SysWOW64\fuvpexiccq.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2032 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2032 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2032 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2516 wrote to memory of 1456 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2516 wrote to memory of 1456 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2516 wrote to memory of 1456 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2516 wrote to memory of 1456 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
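
The table above repeats each parent/child pair several times and lists PIDs rather than a tree, so the execution chain is easier to read once the rows are folded. The block below is an added example, not part of the report or of any sandbox tooling; its sample rows are copied from the table above (the first pair keeps its four repeated rows, the other pairs are reduced to one row each), and the output format is the editor's choice.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory"
# table of behavioral1. The first pair keeps its four repeated rows as the report
# shows them; the remaining pairs are reduced to one row each for brevity.
SAMPLE_ROWS = r"""
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fuvpexiccq.exe
PID 2032 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\wpxrroimwijbp.exe
PID 2292 wrote to memory of 2500 N/A C:\Windows\SysWOW64\fuvpexiccq.exe C:\Windows\SysWOW64\frefnczq.exe
PID 2032 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2516 wrote to memory of 1456 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<paths>.+)$")
# Both image paths start with a drive letter; split the remainder on the second one,
# which survives spaces inside paths such as "Program Files (x86)".
PATH_SPLIT_RE = re.compile(r" (?=[A-Za-z]:\\)")


def parse_writes(report_text: str):
    """Return (edges, names): edges maps (src_pid, dst_pid) -> number of rows,
    names maps pid -> image path. Insertion order is the report's order."""
    edges, names = {}, {}
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parts = PATH_SPLIT_RE.split(m["paths"])
        if len(parts) != 2:
            continue  # unexpected layout; skip rather than guess
        src, dst = int(m["src"]), int(m["dst"])
        names.setdefault(src, parts[0])
        names.setdefault(dst, parts[1])
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
    return edges, names


def build_tree(edges):
    """Children per parent (report order) and the root PIDs (never a target)."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
        targets.add(dst)
    roots = [pid for pid in dict.fromkeys(s for s, _ in edges) if pid not in targets]
    return children, roots


def render(edges, names):
    """Indented tree with the image name and the number of write rows per edge."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, count):
        label = names[pid].rsplit("\\", 1)[-1]
        suffix = f"  ({count} write rows)" if count else ""
        lines.append(f"{'  ' * depth}{pid} {label}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    e, n = parse_writes(SAMPLE_ROWS)
    print("\n".join(render(e, n)))
```

Two caveats when reading the folded tree. First, this sandbox also records a burst of write rows for every ordinary process creation (the parent populates the new child's startup data), so the repeated rows establish the parent/child relationship but do not by themselves prove code injection. Second, the Processes list that follows shows two frefnczq.exe instances, the second launched with a C:\Windows\system32\ path; for a 32-bit process WOW64 file-system redirection resolves that to SysWOW64, which is why the report still lists the SysWOW64 image for it.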

Processes

C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe"

C:\Windows\SysWOW64\fuvpexiccq.exe

fuvpexiccq.exe

C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe

fdgbwcxbiivrapj.exe

C:\Windows\SysWOW64\frefnczq.exe

frefnczq.exe

C:\Windows\SysWOW64\wpxrroimwijbp.exe

wpxrroimwijbp.exe

C:\Windows\SysWOW64\frefnczq.exe

C:\Windows\system32\frefnczq.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\fdgbwcxbiivrapj.exe

MD5 c06e08cee5f54f7e64e0c53e01ac6287
SHA1 5cc7ac675c11c80c6ae3354c9e8cef30d321f6bc
SHA256 3969c537d7bde79039c95d428dc0e76d3e66b22494dc7bb16b5c4f146f562412
SHA512 48de35d95127b1069dedbbf1c2b1155c4a4068ff7b7817fd3db4c2cac5f8cb23b93438fe5f66bebde96be51e8084e17a370aa017754ada12349bbef5fb4c646a

\Windows\SysWOW64\fuvpexiccq.exe

MD5 03305cad2939880090f2206514fdc761
SHA1 07f82aebf68582307e2314ce8477e84f1d7e1a46
SHA256 379025278c161004f19f562673c1641eac86c15dfa116c37d9c0e14aed1c8538
SHA512 693fd63fff55ccadd3f3e4338a0eb12388e24e607c207a7a4b32e0c2b6cedea54e55361ff5b8a909f18d9326b62fb0454fbef143d3aa33de0debf5030707062c

\Windows\SysWOW64\frefnczq.exe

MD5 47f29efca7a101a3824ab6b8433cbda4
SHA1 74676ddf6250a20fb7d19ab4199815bdfa062478
SHA256 c2631a6cd6f18712b110307fc3b4fdf67021a379fc4e37d24290b93b0b6577f2
SHA512 68dc3b9612fe31e67256389d3522c61fbac9eb6c58433632d2b135149a3b9e553bc6052e755ab3509901c18b5ed3f73a0b465ead469a27f9a1bf8f5b5ff4b7eb

\Windows\SysWOW64\wpxrroimwijbp.exe

MD5 b291b62cdc3106ad3669bfa3f69deca1
SHA1 5ce31c45c558a72f4f544282d06d3b0d0d78a89d
SHA256 dff984fab47e834112ac551550238d69f0a4a64ef48238568fb73cb9ab6e6a3d
SHA512 8cde70662bfbf8ca7db8241f15cf9972ae3186723a6eb5b8b444d78414ac8d60ca57e023a5aa5e140457868142969439f6ecf26853ff9a410a2e68f9f9c71111

memory/2516-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\Documents\DenyRename.doc.exe

MD5 0a7a4c68a555859d7dee5ecd082dc775
SHA1 d212a98b46ee5846b2e13b45396ec43a2b904a27
SHA256 29008e22235559722dafb5307b0305f29f4b988bbb71e79521a1c6b87f213af6
SHA512 10cd4236d9f4bc580cd58012b9b7a96d68be8463a5df697a2d77293c85ef6d8c97c61aad3326b7a590197cbdbecda3167e3e4143623e67e6fdf00187a0d79004

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 9430eddd17ae50b322c43ed80ed2ba49
SHA1 1bf25cb5d4d845693726293c9c1b794aba3c4059
SHA256 ab2d8948a4b7ad28a0e2db91d5985736a15a7c82056fca8f78a88611e7b77efd
SHA512 d193be1c565ffe1696de216756bb83a5678a51ab3ad393d73b147bd92e5eaf88a75b3b9c6c36506a831a5cb6942911a647db67994cb481612aad185c5984baa4

memory/2516-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:53

Reported

2024-06-13 00:55

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\uecrahkvme.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\uecrahkvme.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgyclhiv = "uecrahkvme.exe" C:\Windows\SysWOW64\szucnckzmjtzblv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmdbtbgb = "szucnckzmjtzblv.exe" C:\Windows\SysWOW64\szucnckzmjtzblv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tmfnsmtraonbu.exe" C:\Windows\SysWOW64\szucnckzmjtzblv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\uecrahkvme.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bwfouvzl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\uecrahkvme.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\bwfouvzl.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfnsmtraonbu.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\uecrahkvme.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Windows\SysWOW64\uecrahkvme.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\szucnckzmjtzblv.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\szucnckzmjtzblv.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bwfouvzl.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\uecrahkvme.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tmfnsmtraonbu.exe C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bwfouvzl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bwfouvzl.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB2FF6D21DBD27CD0A68A099017" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67C15E6DAC0B9C07CE6EDE034CB" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\uecrahkvme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\uecrahkvme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02D479339ED52CBB9D4339FD7CA" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF8A4826851F9042D72A7E91BCEFE133593167326345D691" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\uecrahkvme.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C7D9C5182226A4676A770562DD87D8364DC" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9BEFE13F1E3837E3B4286E93EE2B0F902FE42130233E1CC42EC09D3" C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\uecrahkvme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\uecrahkvme.exe N/A
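The rows above split into two behaviours. C:\Windows\SysWOW64\uecrahkvme.exe sets the default value of HKLM\SOFTWARE\Classes\.bat, .vbs, .wsf, .wsh, .wsc and .reg to "txtfile": each extension is then handled by the plain-text ProgID, so a double-clicked batch file, VBScript, Windows Script File or .reg export opens in Notepad instead of running or being imported (the stock ProgIDs are batfile, VBSFile, WSFFile, WSHFile, scriptletfile and regfile). The sample itself creates HKLM\SOFTWARE\Classes\CLV.Classes and stores six hex strings in it (StartCom1/2, Com1..4); those are not file associations and presumably hold the sample's own state. The PowerShell below is an added example, not part of the report or of any tooling the report describes; it audits the six associations and checks for the CLV.Classes key, read-only. The expected ProgIDs are assumed to be those of a default Windows install, so a host where legitimate software has re-associated an extension will also be flagged.

```powershell
# Added example, not part of the sandbox report: audit the six script-file
# extensions this sample re-associates with "txtfile", and look for the
# CLV.Classes key it creates. Read-only; nothing is written to the registry.

# Stock ProgIDs for each extension on a default Windows install (assumption:
# no legitimate software on the host has re-associated them).
$ExpectedProgIds = @{
    '.bat' = 'batfile'
    '.vbs' = 'VBSFile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
    '.wsc' = 'scriptletfile'
    '.reg' = 'regfile'
}

function Get-ExtensionProgId {
    # Returns the (default) value of <hive>\Classes\<ext>, or $null if the key
    # or its default value is absent.
    param([string]$Hive, [string]$Extension)
    $key = Join-Path $Hive $Extension
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.'(default)'
}

function Test-ScriptExtensionHandlers {
    # One object per extension. HKCU\Software\Classes overrides HKLM in the
    # merged HKCR view, so the effective ProgID is the HKCU value when set.
    foreach ($ext in ($ExpectedProgIds.Keys | Sort-Object)) {
        $machine   = Get-ExtensionProgId 'HKLM:\SOFTWARE\Classes' $ext
        $user      = Get-ExtensionProgId 'HKCU:\Software\Classes' $ext
        $effective = if (-not [string]::IsNullOrEmpty($user)) { $user } else { $machine }
        [pscustomobject]@{
            Extension = $ext
            Expected  = $ExpectedProgIds[$ext]
            HKLM      = $machine
            HKCU      = $user
            Effective = $effective
            # $true when the association exists but is not the stock ProgID
            # (the sample sets it to "txtfile"; -ne is case-insensitive).
            Hijacked  = (-not [string]::IsNullOrEmpty($effective)) -and
                        ($effective -ne $ExpectedProgIds[$ext])
        }
    }
}

function Test-ClvClassesKey {
    # The sample stores hex blobs under HKLM\SOFTWARE\Classes\CLV.Classes
    # (StartCom1/2, Com1..Com4). The key's presence is a direct indicator.
    $key = 'HKLM:\SOFTWARE\Classes\CLV.Classes'
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    Get-ItemProperty -LiteralPath $key |
        Select-Object -Property StartCom1, StartCom2, Com1, Com2, Com3, Com4
}

Test-ScriptExtensionHandlers | Format-Table -AutoSize
$clv = Test-ClvClassesKey
if ($clv) { 'CLV.Classes present:'; $clv | Format-List } else { 'CLV.Classes key not present' }
```

Run it in an elevated session if the HKLM view is to be authoritative; per-user overrides are checked as well because they win in the merged view. Restoring an association is a deliberate write (set the key's default back to the stock ProgID) and is intentionally left out of the audit.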

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe 16
C:\Windows\SysWOW64\uecrahkvme.exe 10
C:\Windows\SysWOW64\bwfouvzl.exe 10
C:\Windows\SysWOW64\tmfnsmtraonbu.exe 16
C:\Windows\SysWOW64\szucnckzmjtzblv.exe 12

(The report records 64 separate process-enumeration events with no description, indicator or target; they are summarised here by process, 64 in total.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\uecrahkvme.exe
PID 2368 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\uecrahkvme.exe
PID 2368 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\uecrahkvme.exe
PID 2368 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\szucnckzmjtzblv.exe
PID 2368 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\szucnckzmjtzblv.exe
PID 2368 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\szucnckzmjtzblv.exe
PID 2368 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\bwfouvzl.exe
PID 2368 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\bwfouvzl.exe
PID 2368 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\bwfouvzl.exe
PID 2368 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\tmfnsmtraonbu.exe
PID 2368 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\tmfnsmtraonbu.exe
PID 2368 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Windows\SysWOW64\tmfnsmtraonbu.exe
PID 2368 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2368 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3704 wrote to memory of 3688 N/A C:\Windows\SysWOW64\uecrahkvme.exe C:\Windows\SysWOW64\bwfouvzl.exe
PID 3704 wrote to memory of 3688 N/A C:\Windows\SysWOW64\uecrahkvme.exe C:\Windows\SysWOW64\bwfouvzl.exe
PID 3704 wrote to memory of 3688 N/A C:\Windows\SysWOW64\uecrahkvme.exe C:\Windows\SysWOW64\bwfouvzl.exe

Processes

Process tree reconstructed from the "Suspicious use of WriteProcessMemory" rows above (parent PID wrote to child PID); the report lists the same seven processes flat. The indented line under each process is its recorded command line. Of the two bwfouvzl.exe instances, the one launched with the full system32 path is placed under uecrahkvme.exe, following the report's listing order.

PID 2368  C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\a33e0db80f88649db04da2f68919a621_JaffaCakes118.exe"

  PID 3704  C:\Windows\SysWOW64\uecrahkvme.exe
            uecrahkvme.exe

    PID 3688  C:\Windows\SysWOW64\bwfouvzl.exe
              C:\Windows\system32\bwfouvzl.exe

  PID 2292  C:\Windows\SysWOW64\szucnckzmjtzblv.exe
            szucnckzmjtzblv.exe

  PID 4328  C:\Windows\SysWOW64\bwfouvzl.exe
            bwfouvzl.exe

  PID 4912  C:\Windows\SysWOW64\tmfnsmtraonbu.exe
            tmfnsmtraonbu.exe

  PID 3580  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Note on the system32 path: these are 32-bit processes, so the WOW64 file-system redirector maps C:\Windows\system32 to C:\Windows\SysWOW64 for them; "C:\Windows\system32\bwfouvzl.exe" on the command line and C:\Windows\SysWOW64\bwfouvzl.exe in the Files section are the same file. The decoy C:\Windows\mydoc.rtf is opened in Word by the sample itself.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 88.221.83.210:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp (48 connections)
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 235.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

The table does not attribute connections to processes. Every destination is Google DNS (8.8.8.8:53), Bing, or the Office template CDN, the latter two consistent with WINWORD.EXE opening C:\Windows\mydoc.rtf and fetching template metadata and online content. The *.in-addr.arpa queries are PTR lookups; several reverse the addresses in this same table (105.107.17.2.in-addr.arpa is 2.17.107.105, 210.83.221.88.in-addr.arpa is 88.221.83.210, 235.137.73.23.in-addr.arpa is 23.73.137.235). Nothing in the capture points outside Microsoft-operated or Microsoft-fronted infrastructure, so this detonation yields no network indicator for the dropped executables themselves.

Files

memory/2368-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\szucnckzmjtzblv.exe

MD5 8acdeb641a6143afe9f3dd4b59bcc1e8
SHA1 27ef5f78833c68b7ae94c2597c6f33b5eb3aff8e
SHA256 848e1c651813ac38826404e67a27292b0faf0f59c7bfb44862c1f52b78834c8b
SHA512 4432c2dc243d626192b13b08af147c2ec7ffefd1d156f250cca81eb53fea95a91c2342f052de8e197e4f3394f608a0831819a31254750c054adec1ab1cf65019

C:\Windows\SysWOW64\bwfouvzl.exe

MD5 fb0a097679190f76a6e4baf8fc9f3042
SHA1 67673ac04c11ce6a0aa83d621803dbaaa0ce75b0
SHA256 81c16c2c2446d57af9d8ac73624fa95f790787cdd4167bf7ab33982246175693
SHA512 62c674ff93bc1e0ce6b0e1af6f8182b58c21bf15d6e42b336f1af449592ec36c2d7c36aee68bb6be751a791a2d314256449a766e6197676cbf5bb29b0e30457c

C:\Windows\SysWOW64\tmfnsmtraonbu.exe

MD5 05335bdcf2eb8180f068e3402110f938
SHA1 4bae5bc2ff6da98b336af6a1ec6c50ac699b63e2
SHA256 61e20ce23b920eb43fb89422693703c81840bf5b6e8fa8b1f78e604e20a79abc
SHA512 af6f558b2cadac3a7f83295c9697004efea71372239a8197ce9f195d1aa6763a568138b90ee1a172d009e48717dccba48de644578fee348a450c42d7ff4b92c5

C:\Windows\SysWOW64\uecrahkvme.exe

MD5 e41ec6719cf2e8a8ea19b53bf74d424b
SHA1 79eb0ab2f515c34fa621bee4a1d5606bc1d47d45
SHA256 c2eb1597d7b950d15e1aec70407295b43b6eedfd6c62d753080cd927e713d8d9
SHA512 1dae5602455b4a8f8e551bba0291b2c04a3b70d9ab859e9e5aa2b5104a99e6ea7030811050729b03453891c6f233376ebfa80248f03c7d5ce7171b228b98486a

memory/3580-37-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-36-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-35-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-38-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-39-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-40-0x00007FFAF7FD0000-0x00007FFAF7FE0000-memory.dmp

memory/3580-43-0x00007FFAF7FD0000-0x00007FFAF7FE0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 456c77913112dc4a95894e3897dff709
SHA1 a5c547c2efd65fbb0d35ca40d79120d8d2019754
SHA256 22c227d1adef00627390239f8a1667049c85a8814da77a29a828288d7f7cee36
SHA512 cb54e157f45180da2dab3609b7b5c9dbb26fadce33efafbaa574587e391752dac7031ca99010469dcbb7dd05c7cafa14e7a05e4a51a048ad2c0ffac1c17bf77b

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 0cae75e48c8fff5752c06face00a7f72
SHA1 95f356dc134629817c1fb8165b14326a5046e944
SHA256 0c89af96bcf77e8cd76e30a68907d85666cb5e8354298d7b031416640f960fc5
SHA512 ff7f52d052ad7ffb53180b4ac5a12ce5d0f138026eaf3ca376a25f0e3bb711c08a44a1f0ccc6fa4daeb613fb568f66a35131c1d89ff60b51df9a37d858ff2fa7

C:\Users\Admin\Downloads\SelectMove.doc.exe

MD5 26a44e9bdefeb44f37dee73bdcee16f8
SHA1 dd04e8ab89d8234db518f280b4f6be53e8243e9b
SHA256 7719f5302bccfe1733a70583b5ccdf2599cfc8c36bbaccb895dc6a78974d4d0f
SHA512 22af14add4ef760207a78d560d5205e3318530d6236d16c94b3f5be867eda3308673c90c8d01e7d3512251b160bf5db21ada703e0c10f3499e227f4f5144dade

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 5faded0dad7c6dc8418d96f5d6adbbf4
SHA1 82e78f9740531fb3a7df990e6731a65daed82030
SHA256 8f751e99808c5b1d740827f3ccc5b9e1b9236ffc1ae4e537fd524d3019c06bb8
SHA512 082e647b81cccd0d5e80e5bbe80e95cce4f2efe0bc57101151f6ed3ab79d234059bf2becd62ff9399b618b0d044f00b49a9f1658666a0e85f7f36870a4e44439

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3f811471c382e1624c5254907540d0fd
SHA1 006cc89449e75b09dead9f5d8b12b74580463439
SHA256 ba46a63cadbf72ccb1db975a480227bd99eda0bc0860d72aee76ac5be851ef00
SHA512 cdd87592712126dd30f343bbf9b24406f6e6a713545c8f92aca7ebf7e2db01c0b6c00f71c93e1cc0ac480a25cf36b24aad57de9f0b4e6497e259c7e35af040a6

C:\Users\Admin\AppData\Local\Temp\TCD7FD0.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 c0e856afd5ce32ff42113bb4e0761d7d
SHA1 ecf9a5fe51b99e43d6b32134c5f32d854ea92ff6
SHA256 79cf062c6075b4d3c50a60749bde58921b06e2f8c657b744c145e168cadaf9b9
SHA512 636309857795370d181a0613ac8b12f373204148ae4f54151c7e01c8c1878a2aefc46dee2a0a69fbd3e41eefdb105a36c4d9cc0498d05ca5f19d905523a5c271

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 892383df2a51bd772c8f783953c191f9
SHA1 da6fdb9e9646afca17c5aaeb2ad42c02f55922e4
SHA256 ca7a4381dd5a855661e5e962b1d40958339e1b71f8ae20e6a0ee7d22be7d4119
SHA512 be8004b7bf2699245bd799fcd26013ced5590c6f71a6da9aa7e02a397bbb6bdff9b115c6338d2fa72780d166f95d09924c6aaa2c8aa59cc9b43ac0b65f3d53fc

memory/3580-596-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-595-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-597-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

memory/3580-598-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp
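Two file patterns in the list above are worth hunting for on other hosts. The four executables written to C:\Windows\SysWOW64 carry random names, so their SHA256 values are the durable indicator, not the paths. The entries SelectMove.doc.exe, PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe are document names with .exe appended, which Explorer displays as "SelectMove.doc" once file extensions are hidden (a behaviour the summary lists for this sample). The PowerShell below is an added example, not part of the report or of any tooling it describes. The hashes are copied from the Files section; the double-extension pattern is generalised beyond the .doc/.DOC cases on the page to a few other document extensions, which is an assumption, and the scan roots are likewise assumed. Read-only; it scans both SysWOW64 and System32 because a 32-bit dropper's "system32" path is redirected to SysWOW64.

```powershell
# Added example, not part of the sandbox report: sweep a host for the binaries
# this detonation dropped (SHA256 values copied from the Files section) and for
# the "<name>.doc.exe"-style double-extension files it writes. Read-only.

# SHA256 of the four executables written to SysWOW64, keyed by hash because
# the file names are random per infection.
$DroppedHashes = @{
    '848e1c651813ac38826404e67a27292b0faf0f59c7bfb44862c1f52b78834c8b' = 'szucnckzmjtzblv.exe'
    '81c16c2c2446d57af9d8ac73624fa95f790787cdd4167bf7ab33982246175693' = 'bwfouvzl.exe'
    '61e20ce23b920eb43fb89422693703c81840bf5b6e8fa8b1f78e604e20a79abc' = 'tmfnsmtraonbu.exe'
    'c2eb1597d7b950d15e1aec70407295b43b6eedfd6c62d753080cd927e713d8d9' = 'uecrahkvme.exe'
}

function Find-DroppedBinaries {
    # Hash every .exe directly inside the system directories (no recursion,
    # to keep the sweep quick) and report those matching a known hash.
    param([string[]]$Directories = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32"))
    foreach ($dir in $Directories) {
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($hash -and $DroppedHashes.ContainsKey($hash.ToLowerInvariant())) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        SHA256  = $hash.ToLowerInvariant()
                        SeenAs  = $DroppedHashes[$hash.ToLowerInvariant()]
                        Written = $_.LastWriteTime
                    }
                }
            }
    }
}

function Find-DoubleExtensionExecutables {
    # Files such as SelectMove.doc.exe or PROTTPLN.DOC.exe: a document name with
    # .exe appended. The report shows only .doc/.DOC; the other extensions in
    # the pattern are an assumed generalisation. -imatch is case-insensitive.
    # Roots are assumed; the report's hits were under the user profile, the
    # Office install directory and SysWOW64\MSDRM.
    param([string[]]$Roots = @("$env:USERPROFILE",
                               "$env:ProgramFiles\Microsoft Office",
                               "$env:SystemRoot\SysWOW64\MSDRM"))
    $pattern = '\.(doc|docx|rtf|xls|xlsx|pdf)\.exe$'
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -imatch $pattern } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Find-DroppedBinaries | Format-Table -AutoSize
Find-DoubleExtensionExecutables | Format-Table -AutoSize
```

A hash hit is conclusive for this build of the sample only; a re-packed variant keeps the same behaviour with different hashes, so the double-extension hunt and the registry checks are the indicators that survive repacking.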